dcrat | hxxps://github[.]com/RZM-CRACK-TEAM/RedLine-CRACK

Analysis

max time kernel
191s
max time network
186s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/11/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RZM-CRACK-TEAM/RedLine-CRACK

Score

10^/10

dcrat redline discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5540	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3412	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5760	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6980	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5256	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5532	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6912	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6704	6080	schtasks.exe	157
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	6080	schtasks.exe	157

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1564-4413-0x000000001F2B0000-0x000000001F2CA000-memory.dmp	family_redline

Redline family
redline

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/5156-507-0x0000000000A00000-0x0000000000E3C000-memory.dmp	dcrat
behavioral1/memory/5156-622-0x0000000000A00000-0x0000000000E3C000-memory.dmp	dcrat
behavioral1/memory/6056-623-0x0000000000D30000-0x000000000116C000-memory.dmp	dcrat
behavioral1/memory/6056-624-0x0000000000D30000-0x000000000116C000-memory.dmp	dcrat
behavioral1/memory/6056-4502-0x0000000000D30000-0x000000000116C000-memory.dmp	dcrat
behavioral1/memory/6924-4671-0x0000000000320000-0x000000000075C000-memory.dmp	dcrat
behavioral1/memory/6924-6737-0x0000000000320000-0x000000000075C000-memory.dmp	dcrat
behavioral1/memory/3132-8687-0x0000000000320000-0x000000000075C000-memory.dmp	dcrat
behavioral1/memory/3132-8688-0x0000000000320000-0x000000000075C000-memory.dmp	dcrat
behavioral1/memory/3132-8703-0x0000000000320000-0x000000000075C000-memory.dmp	dcrat
behavioral1/memory/5868-8705-0x0000000000300000-0x000000000073C000-memory.dmp	dcrat
behavioral1/memory/5868-8706-0x0000000000300000-0x000000000073C000-memory.dmp	dcrat
behavioral1/memory/5868-8723-0x0000000000300000-0x000000000073C000-memory.dmp	dcrat
behavioral1/memory/5868-8725-0x0000000000300000-0x000000000073C000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	mssurrogateProvider_protected.exe

Executes dropped EXE 9 IoCs

pid	Process
5156	mssurrogateProvider_protected.exe
5272	Panel.exe
6056	msedge.exe
1564	Panel.exe
6924	mssurrogateProvider_protected.exe
6328	Panel.exe
5864	Panel.exe
3132	mssurrogateProvider_protected.exe
5868	msedge.exe

Loads dropped DLL 20 IoCs

pid	Process
6936	Kurome.Host.exe
6936	Kurome.Host.exe
6936	Kurome.Host.exe
6936	Kurome.Host.exe
6924	mssurrogateProvider_protected.exe
6924	mssurrogateProvider_protected.exe
6924	mssurrogateProvider_protected.exe
6924	mssurrogateProvider_protected.exe
1496	Kurome.Builder.exe
1496	Kurome.Builder.exe
1496	Kurome.Builder.exe
1496	Kurome.Builder.exe
3132	mssurrogateProvider_protected.exe
3132	mssurrogateProvider_protected.exe
3132	mssurrogateProvider_protected.exe
3132	mssurrogateProvider_protected.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
74	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5156	mssurrogateProvider_protected.exe
6056	msedge.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
6056	msedge.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe
1564	Panel.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Google\e1ef82546f0b02	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\35dc316c-c087-4dc7-b356-6c9d5c12fbb9.tmp	setup.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\56085415360792	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	mssurrogateProvider_protected.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241101145257.pma	setup.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\VideoLAN\VLC\MoUsoCoreWorker.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\VideoLAN\VLC\1f93f77a7f4778	mssurrogateProvider_protected.exe
File created	C:\Program Files\Google\SppExtComObj.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\29c1c3cc0f7685	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\55b276f4edf653	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\unsecapp.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Windows Mail\msedge.exe	mssurrogateProvider_protected.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\INF\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\5940a34987c991	mssurrogateProvider_protected.exe
File created	C:\Windows\PrintDialog\pris\sppsvc.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\ShellExperiences\dwm.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\ShellExperiences\6cb0b6c459d5d3	mssurrogateProvider_protected.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File created	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\ee2ad38f3d4382	mssurrogateProvider_protected.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\dllhost.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\PrintDialog\pris\0a1fd5f707cd16	mssurrogateProvider_protected.exe
File created	C:\Windows\Vss\msedge.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\Vss\61a52ddc9dd915	mssurrogateProvider_protected.exe
File created	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\Registry.exe	mssurrogateProvider_protected.exe
File created	C:\Windows\INF\msedge.exe	mssurrogateProvider_protected.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	mssurrogateProvider_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mssurrogateProvider_protected.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5468	schtasks.exe
3140	schtasks.exe
5760	schtasks.exe
5256	schtasks.exe
4832	schtasks.exe
3612	schtasks.exe
5812	schtasks.exe
2792	schtasks.exe
4456	schtasks.exe
1684	schtasks.exe
1440	schtasks.exe
5252	schtasks.exe
5144	schtasks.exe
7008	schtasks.exe
5548	schtasks.exe
6912	schtasks.exe
6704	schtasks.exe
3328	schtasks.exe
1600	schtasks.exe
5856	schtasks.exe
5796	schtasks.exe
4904	schtasks.exe
3500	schtasks.exe
1032	schtasks.exe
5128	schtasks.exe
1708	schtasks.exe
5876	schtasks.exe
2796	schtasks.exe
5824	schtasks.exe
5712	schtasks.exe
4192	schtasks.exe
5264	schtasks.exe
1216	schtasks.exe
6624	schtasks.exe
784	schtasks.exe
5592	schtasks.exe
5840	schtasks.exe
5752	schtasks.exe
6100	schtasks.exe
5532	schtasks.exe
1920	schtasks.exe
4712	schtasks.exe
5680	schtasks.exe
6108	schtasks.exe
5496	schtasks.exe
3048	schtasks.exe
5708	schtasks.exe
5584	schtasks.exe
568	schtasks.exe
6680	schtasks.exe
5840	schtasks.exe
5584	schtasks.exe
2764	schtasks.exe
5540	schtasks.exe
2220	schtasks.exe
3284	schtasks.exe
5900	schtasks.exe
6120	schtasks.exe
5612	schtasks.exe
5736	schtasks.exe
2280	schtasks.exe
5596	schtasks.exe
4780	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4648	msedge.exe
4648	msedge.exe
4956	identity_helper.exe
4956	identity_helper.exe
4760	msedge.exe
4760	msedge.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
5156	mssurrogateProvider_protected.exe
6056	msedge.exe
6056	msedge.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
5272	Panel.exe
1564	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe
1564	Panel.exe
5272	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5156	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	5272	Panel.exe
Token: SeDebugPrivilege	6056	msedge.exe
Token: SeDebugPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: SeDebugPrivilege	1644	Kurome.Loader.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: 33	1564	Panel.exe
Token: SeIncBasePriorityPrivilege	1564	Panel.exe
Token: SeDebugPrivilege	6936	Kurome.Host.exe
Token: SeDebugPrivilege	6924	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	6328	Panel.exe
Token: SeDebugPrivilege	5864	Panel.exe
Token: SeDebugPrivilege	1496	Kurome.Builder.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: SeDebugPrivilege	3132	mssurrogateProvider_protected.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: SeDebugPrivilege	5868	msedge.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe
Token: 33	5864	Panel.exe
Token: SeIncBasePriorityPrivilege	5864	Panel.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5156	mssurrogateProvider_protected.exe
6056	msedge.exe
6924	mssurrogateProvider_protected.exe
3132	mssurrogateProvider_protected.exe
5868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2920	4648	msedge.exe	81
PID 4648 wrote to memory of 2920	4648	msedge.exe	81
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 2144	4648	msedge.exe	82
PID 4648 wrote to memory of 4708	4648	msedge.exe	83
PID 4648 wrote to memory of 4708	4648	msedge.exe	83
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84
PID 4648 wrote to memory of 3084	4648	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/RZM-CRACK-TEAM/RedLine-CRACK
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe50cb46f8,0x7ffe50cb4708,0x7ffe50cb4718
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b3b35460,0x7ff6b3b35470,0x7ff6b3b35480
    3⤵
    PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3180483509110778520,15710772448689056917,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3440 /prefetch:2
  2⤵
  PID:6452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5220

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5948
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5156
- - C:\Windows\Vss\msedge.exe
    "C:\Windows\Vss\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6056
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\OEM\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\OEM\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\OEM\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\OEM\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\OEM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Vss\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\geckoBrowsers.txt
1⤵
PID:4568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\chromeBrowsers.txt
1⤵
PID:4904

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6936

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6048
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OXMWeAul5R.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5260
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3132
    - - C:\Program Files (x86)\Windows Mail\msedge.exe
        
        "C:\Program Files (x86)\Windows Mail\msedge.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5868
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6328
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Panel.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Panel.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Panel.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\mssurrogateProvider_protected.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protected" /sc ONLOGON /tr "'C:\Recovery\OEM\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mssurrogateProvider_protectedm" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\mssurrogateProvider_protected.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\INF\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Users\Default\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\Kurome.Host.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.Host" /sc ONLOGON /tr "'C:\Recovery\OEM\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Kurome.HostK" /sc MINUTE /mo 10 /tr "'C:\Recovery\OEM\Kurome.Host.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
PID:6292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\dllhost.exe'" /f
1⤵
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
PID:6852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
PID:6804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\msedge.exe'" /f
1⤵
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
PID:6168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:6992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
2KB

MD5
2684b000ef694efa9d00f9bf35819d7d

SHA1
c10f337d6af9868ced12c5957ce8429defe57e93

SHA256
6beb9f3e0a94b467712961c19283bbfd8f0137a6d018a0d4e19eb5948735c5b5

SHA512
9364a8cd3eb8c5d75a1834a249dc57706bcbf90686c43d8ab8d52219d38714eb70b70b57bd6f6ffbde33608afca8e694a6d3250870829bb3a3dd7a52a874b541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msedge.exe.log

Filesize
942B

MD5
4bed896a88d93b2533b55307e08eb2d9

SHA1
0a2b216ee9da708db90f10c3d74fbabd8e50902b

SHA256
4e6ebd28caf8da6c0f6cba01417b8a4b22f4c9cf3834b1c094cba9d266499a1d

SHA512
b2789d1aea94b196cfe1de3c26af58f0d99caedf4cf4e5ab738974cbe3eb85108e0c4a80f61c98bb8df3b7cbf83f09f64b1d4917602f222b0b1881e5ca255a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mssurrogateProvider_protected.exe.log

Filesize
1KB

MD5
6a7420f0f80894e838301547db7afe10

SHA1
236e7583cbc4fdb7ca85c71e8f73dbaf80ec9c93

SHA256
0b7966f1c400a564e9644425c64506c36368eb3e7f42ce5d9a09613a403385e7

SHA512
3403db0b0b1579f6c95df21f421464d97f56c7b0e2b8aa7a704f46a4860a98ad466291998a48b707ed59fcf55c789826ca5f48d46f23259ac732127da229515b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccff51f965f8f4176e4ad112c34c86a7

SHA1
eab249ca0f58ed7a8afbca30bdae123136463cd8

SHA256
3eb00cf1bd645d308d0385a95a30737679be58dcc5433bc66216aac762d9da33

SHA512
8c68f146152045c2a78c9e52198b8180b261edf61a8c28364728eafb1cba1df0fa29906e5ede69b3c1e0b67cfcbeb7fde65b8d2edbc397c9a4b99ecfe8dea2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c29339188732b78d10f11d3fb23063cb

SHA1
2db38f26fbc92417888251d9e31be37c9380136f

SHA256
0a61fa9e17b9ae7812cdeda5e890b22b14e53fa14a90db334f721252a9c874c2

SHA512
77f1f5f78e73f4fc01151e7e2a553dc4ed9bf35dd3a9565501f698be373640f153c6d7fc83450b9d2f29aeaa72387dd627d56f287a46635c2da07c60bc3d6e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b05a2eb553ae31e89a42abea9f7a59ff

SHA1
41855cc535075a99e05f0296aa064a47d3fcc93a

SHA256
0f023564a024cdd858a5bff8496d13fded58d1243e3de4f19cf90c697a290283

SHA512
8c4899ee759c27c840e780faea5e44bb343479aec42582a218483cfb6bbccf8508f52b4bb8e544d4ce524819dddf27e844768d8555ce2a1507e9853d162981dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ea35bbdb26d85c0a79002fcfbf32066f

SHA1
5e5a4bd818bea7ebc66183eccb33bfc2bd14bd82

SHA256
68741594a8bb877f2d100278a5d686f72382436e7b4672e18662e928e5cf310c

SHA512
98a35d8de6cb94a738bf5885e52307e088f922138c153ac3298e98cb43be425db697ed7adf9beb0ef823c88862516d60fadee67f699b9de99ddf595c6534e6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
587B

MD5
411699e443951b38367fd522cfe4b9eb

SHA1
ecdbb21543f95699417ff8af645788e2fe54ef81

SHA256
141bd3617e43da171060e059467e8dd13574a4f50ba110432152d85942b02150

SHA512
664e0b173252dfbe9d4b7717567c0f449efd8d9d26954d083906ab5cd48d9a18a5f5090e9a583f2106b06a8c3aea465c9db8ec9069d1089283480ff46dd68999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58aff2.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34dea084c821a0cc87c5a4cc95865cae

SHA1
8e2d3ebb0591865e2932936d752e50839d21ab27

SHA256
e4fddd4dce38c2421f797af599a18bfa724d8d74fc5581325045c81f416a0960

SHA512
3dbe1f09a674161d81fe0e2fb9e967b4eac64625b38e10f5c79710901b9b9b7d06223485566056bf9062e58436b6d5b17c45dd6afc0b6b535302fd93527626fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b10e7923b7ba77f378c9b86ea8c71cc

SHA1
cc442c4c0c841303db766ae02fad1077bc7a80ff

SHA256
6e59e9c10ea591422b1a9e9bfb8514b473638825b9854531bbf719d3fae05fe0

SHA512
1ff70240d5e6ab0f60e9803a84cb225ce0a63192ee7b1a9edf2e660e76c9a87f7507cee4325bc768481065a7cf465ae9ca7317b4ba05f0c0a7e551f8f6ff03cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3566594ae2a1d514302c85298ab6570f

SHA1
32a2528d23c5fa4b227c6c9a6f41fc91c7a04cb7

SHA256
8acd22fd0fa869aa73e7d9c4814059bc2baac6e0e2db713f5a5459779deffb50

SHA512
d79eff40b2ad8a6653639f8fdf4a927e1a4dad11a0be08f8de25fbd4d87162ceea36dbc947db56c771bda13bce58e1cf8a915c173f847d3d19569921d34b5ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cefacd6df8beddd996531c18cdc02ad4

SHA1
623f98261ec79daf1988bc9e4d40b7ebf750a98c

SHA256
f594ca9fd03e05b4a3601f9b04a9e5a4d6ede0a2a1ca3e0c13dcba7567d49ce7

SHA512
600f6d1b5b7b80609aadca89cd2c8b9f4c1c060d9361d2e7e39b51eeaee5b05b2149fb4fb20fb2b3e5cb156e2ebee33cd6b3d812a209c63e8526abb4a0efd52c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
86aa28ffd286b08415aa197216684874

SHA1
d99924976c73e3220108817ad6bc1d8b1795ca2d

SHA256
a6dc4bc6ade3039e57b538f2620b91602199f1908b23c4a2beb3fd3aa721579d

SHA512
a51fbd1af778d32f2f95a9a863a59f42a7eb804dbb8ce85459297959eea21fbfe9625d74c3f91ad65016031d4b3e26eeb748c1c59e09ac68778fc670d408d0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
26978f38b0bce48572b90b762b7d937c

SHA1
8b8b88012fab1d37fca79575a5db81674b424867

SHA256
b38f05e2e63a1f87026aed06f5b85354570c6f91d28947466f0555276bab6afa

SHA512
501e0de5f46bfaac901cde5c39a321edc411426fd91c83427f36710fa56d20b5f6ab8f2219d963f7ab495c2df7def879652381db3876b7e2a7080921cce78379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42f725b22843269e68994d605c4e1f13

SHA1
9f50a76559ecfa725b40383f3b815e1e4cc83ca6

SHA256
06d4d5cf2b4cdaa32311e05f58f0a1e3c64056e6a3423812fd9de3f870faabd6

SHA512
75ca7e1d2a75a9e68e528faad5638aca53330c692909c0865b4c30f3f733587b04ab2516fc1bcb81e9ba202c9e9c148fb6e40a94b156b9df92aa09d72172d6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e1a42a72da84bd90dbf31e79e333c7b

SHA1
29ade513a4c4f01411aa481d8f3e9dae2c79720a

SHA256
0d86af536e9274e5eb7b89d2df85455e3284265f0a67c418f92dd7eac370850b

SHA512
7af53913f372983af60e33a7c0da1a154920eca87e6692a0a4b0fbb6d840ddf1a191e58f5c683214a01f030f581ef1f3b506483832c547fc91aa3eaf76366f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f339.TMP

Filesize
1KB

MD5
ba73ddfa59772aa7aad3e0cdbd30c413

SHA1
4e286429520c603260986811f41fb42df050f649

SHA256
bf5a6241b4017d88780db0a585e40f09ec4515296fdaf2de95bfe4ed303c8aab

SHA512
efd13ac6a6b452881fb5638273c92fef63b097b3edc1a8c6ffa58832667ae993dd10f87871242240132d266937aff1b5fe6b0ded01ad7c5a2751ccc72f1ee971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6e37f46a6dcfeda07d7b692227e65677

SHA1
412e66bfbe2760f49d18a07b84835f1b5ae4e62b

SHA256
f2e3e8d7199873bc1642ed77bc99caa0e8c97ee89e78d59d0640f29b0e9ec804

SHA512
667a19838eb1dbbd33467eb89d4a64622b51d2c8c4b427f3babea53c23697dfdc01c4be52d008a3d2b22f0d754fe7d133d0acb2e60b959961cba1c39307f641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18d9c097300386f8a1a480ea675735d3

SHA1
aa664694e34d3ccac4ca9ac9a80a6dc777844be8

SHA256
bb7081bb5720a7c40535ffda153499092b34ad672df76f4349fc481fdf74a3f9

SHA512
85a8d5a8adc45a2441758014996b42d8cdaad9b305844ab126575f6ca70168a5f8f71433ffd2ed94be920365e94bf421d154d3b30418f6795f7066f60542401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXMWeAul5R.bat

Filesize
232B

MD5
f4d2b70167f2b75e316e350427bd404a

SHA1
0e585f1f75f5119e47d272c8459ee12f2a775a65

SHA256
67d14cef7fb0959b8921e80e93d0fb0f2faaeda2254bd9b9b1e6b9407f66b4c6

SHA512
d74cb005c8b04f40d9461e53704df503806f8ffabb50349d478ef39ba1b18e323012caade0bede39c579a455256a38761608e1fea8e21f23837c78a38147db38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c5073e40edd81b6c6b1092b891b3ccdc

SHA1
f6757bcce8b2876870fcdeb13b85ecba6a6368e7

SHA256
f70243a1998feb824939700a75b4bcedca1771db2112c9fa4e8e883fa961cf32

SHA512
8364e9bd8cb53f96cd0896a5a4bc7230a1887465a7b20b932fe1696929095b56d8c9699efd28a8fc0e8b5c2288e6419b1d82e9bc39c21bdf119a2dda56f1c278

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
536440d51369361cfb0ce69f1bd42dc3

SHA1
6f0cd9962c5d958c6f27278555f2d8ef9e2e08dc

SHA256
3d61d6b25d7da0a3094f8ec53c42ab6522eca777216042af30bb2939cf22ecb8

SHA512
7b7457fc05b9a85ce06491e9f3e141b3b164324e4c347d19e00ad614ea52760ea78d3eccfa0287ae82c86f265b7eb2d6c5fa4fbf1a730c4c6382e71329d0a9f4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 250488.crdownload

Filesize
21.7MB

MD5
1118549e87cbad92e6959506172d8c5d

SHA1
a5598c8355d03dc1ed03b0f7842d478d6a9e17fe

SHA256
54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

SHA512
029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/1496-8665-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/1496-8584-0x0000000000FF0000-0x0000000001018000-memory.dmp

Filesize
160KB

Download
memory/1496-8651-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/1496-8666-0x0000000007C30000-0x0000000007C8E000-memory.dmp

Filesize
376KB

Download
memory/1564-4535-0x0000000024030000-0x000000002406C000-memory.dmp

Filesize
240KB

Download
memory/1564-4517-0x000000001F710000-0x000000001F760000-memory.dmp

Filesize
320KB

Download
memory/1564-4413-0x000000001F2B0000-0x000000001F2CA000-memory.dmp

Filesize
104KB

Download
memory/1564-4436-0x000000001F300000-0x000000001F312000-memory.dmp

Filesize
72KB

Download
memory/1564-4465-0x000000001F450000-0x000000001F500000-memory.dmp

Filesize
704KB

Download
memory/1564-4450-0x000000001F360000-0x000000001F39A000-memory.dmp

Filesize
232KB

Download
memory/1564-4499-0x000000001F500000-0x000000001F574000-memory.dmp

Filesize
464KB

Download
memory/1564-4516-0x0000000021340000-0x000000002138A000-memory.dmp

Filesize
296KB

Download
memory/1564-4534-0x0000000021490000-0x00000000214A2000-memory.dmp

Filesize
72KB

Download
memory/1644-4525-0x0000000007E30000-0x0000000008440000-memory.dmp

Filesize
6.1MB

Download
memory/1644-4524-0x0000000000BA0000-0x0000000000DD6000-memory.dmp

Filesize
2.2MB

Download
memory/3132-8703-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/3132-8686-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/3132-8688-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/3132-8687-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/5156-507-0x0000000000A00000-0x0000000000E3C000-memory.dmp

Filesize
4.2MB

Download
memory/5156-622-0x0000000000A00000-0x0000000000E3C000-memory.dmp

Filesize
4.2MB

Download
memory/5156-501-0x0000000000A00000-0x0000000000E3C000-memory.dmp

Filesize
4.2MB

Download
memory/5156-521-0x0000000007270000-0x00000000072D6000-memory.dmp

Filesize
408KB

Download
memory/5156-519-0x0000000007430000-0x00000000079D6000-memory.dmp

Filesize
5.6MB

Download
memory/5272-509-0x000000001ACA0000-0x000000001AE40000-memory.dmp

Filesize
1.6MB

Download
memory/5272-552-0x000000001DE20000-0x000000001DF62000-memory.dmp

Filesize
1.3MB

Download
memory/5272-540-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5272-539-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5272-610-0x000000001EB90000-0x000000001EBAC000-memory.dmp

Filesize
112KB

Download
memory/5272-579-0x000000001DB70000-0x000000001DB7A000-memory.dmp

Filesize
40KB

Download
memory/5272-544-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5272-524-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5272-525-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5272-527-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5272-566-0x000000001DB60000-0x000000001DB6A000-memory.dmp

Filesize
40KB

Download
memory/5272-567-0x000000001DB60000-0x000000001DB6A000-memory.dmp

Filesize
40KB

Download
memory/5272-569-0x000000001DB60000-0x000000001DB6A000-memory.dmp

Filesize
40KB

Download
memory/5272-571-0x000000001DB60000-0x000000001DB6A000-memory.dmp

Filesize
40KB

Download
memory/5272-529-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5272-531-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5272-508-0x000000001ACA0000-0x000000001AE40000-memory.dmp

Filesize
1.6MB

Download
memory/5272-510-0x000000001ACA0000-0x000000001AE40000-memory.dmp

Filesize
1.6MB

Download
memory/5272-506-0x00007FFE3BFF0000-0x00007FFE3CAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5864-8589-0x0000000020590000-0x0000000020BA8000-memory.dmp

Filesize
6.1MB

Download
memory/5864-8568-0x000000001FDE0000-0x000000001FE46000-memory.dmp

Filesize
408KB

Download
memory/5864-8590-0x0000000020120000-0x0000000020220000-memory.dmp

Filesize
1024KB

Download
memory/5864-8570-0x000000001FE50000-0x00000000200D6000-memory.dmp

Filesize
2.5MB

Download
memory/5864-8712-0x0000000022850000-0x000000002289F000-memory.dmp

Filesize
316KB

Download
memory/5864-8711-0x0000000022780000-0x000000002281C000-memory.dmp

Filesize
624KB

Download
memory/5864-8713-0x00000000228A0000-0x00000000229AA000-memory.dmp

Filesize
1.0MB

Download
memory/5864-8714-0x0000000025020000-0x0000000025050000-memory.dmp

Filesize
192KB

Download
memory/5868-8725-0x0000000000300000-0x000000000073C000-memory.dmp

Filesize
4.2MB

Download
memory/5868-8723-0x0000000000300000-0x000000000073C000-memory.dmp

Filesize
4.2MB

Download
memory/5868-8701-0x0000000000300000-0x000000000073C000-memory.dmp

Filesize
4.2MB

Download
memory/5868-8705-0x0000000000300000-0x000000000073C000-memory.dmp

Filesize
4.2MB

Download
memory/5868-8706-0x0000000000300000-0x000000000073C000-memory.dmp

Filesize
4.2MB

Download
memory/5948-427-0x0000000000400000-0x0000000001470000-memory.dmp

Filesize
16.4MB

Download
memory/6056-600-0x0000000000D30000-0x000000000116C000-memory.dmp

Filesize
4.2MB

Download
memory/6056-623-0x0000000000D30000-0x000000000116C000-memory.dmp

Filesize
4.2MB

Download
memory/6056-4502-0x0000000000D30000-0x000000000116C000-memory.dmp

Filesize
4.2MB

Download
memory/6056-4122-0x0000000000D30000-0x000000000116C000-memory.dmp

Filesize
4.2MB

Download
memory/6056-624-0x0000000000D30000-0x000000000116C000-memory.dmp

Filesize
4.2MB

Download
memory/6328-4744-0x000000001E900000-0x000000001EEA6000-memory.dmp

Filesize
5.6MB

Download
memory/6328-4746-0x000000001F0B0000-0x000000001F142000-memory.dmp

Filesize
584KB

Download
memory/6328-4787-0x000000001F570000-0x000000001F6EC000-memory.dmp

Filesize
1.5MB

Download
memory/6328-4743-0x000000001E590000-0x000000001E8F2000-memory.dmp

Filesize
3.4MB

Download
memory/6924-4660-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/6924-6737-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/6924-4671-0x0000000000320000-0x000000000075C000-memory.dmp

Filesize
4.2MB

Download
memory/6936-4587-0x0000000005BB0000-0x0000000005BE0000-memory.dmp

Filesize
192KB

Download
memory/6936-4586-0x0000000005F10000-0x0000000006010000-memory.dmp

Filesize
1024KB

Download
memory/6936-4585-0x0000000005B10000-0x0000000005B60000-memory.dmp

Filesize
320KB

Download
memory/6936-4584-0x0000000005830000-0x0000000005858000-memory.dmp

Filesize
160KB

Download
memory/6936-4583-0x0000000006630000-0x000000000673A000-memory.dmp

Filesize
1.0MB

Download
memory/6936-4582-0x00000000059F0000-0x0000000005ABE000-memory.dmp

Filesize
824KB

Download
memory/6936-4581-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/6936-4580-0x0000000005C80000-0x0000000005F06000-memory.dmp

Filesize
2.5MB

Download
memory/6936-4579-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/6936-4578-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/6936-4577-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/6936-4576-0x0000000006010000-0x0000000006628000-memory.dmp

Filesize
6.1MB

Download
memory/6936-4575-0x0000000005060000-0x0000000005086000-memory.dmp

Filesize
152KB

Download
memory/6936-4574-0x0000000005870000-0x00000000059EC000-memory.dmp

Filesize
1.5MB

Download
memory/6936-4568-0x00000000007B0000-0x00000000007D4000-memory.dmp

Filesize
144KB

Download
memory/6936-4573-0x0000000005380000-0x00000000056E2000-memory.dmp

Filesize
3.4MB

Download