dcrat | 54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

Analysis

max time kernel
584s
max time network
586s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-11-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline-crack-by-rzt.zip
Size

21.7MB
MD5

1118549e87cbad92e6959506172d8c5d
SHA1

a5598c8355d03dc1ed03b0f7842d478d6a9e17fe
SHA256

54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f
SHA512

029527677e3a316a0929a111701c87c5fe6c11ecc361a3c009de75ee06d110245d0f250fca836a1aa0a90f86237e3102bcdf60ed645a9b42ad04bd50793aa09c
SSDEEP

393216:l+4Ui5ywU1ePiV9BS9EUCEN3BULF937+zur/A5ELmLDepjHRKxH4ofr5sN5ltwFK:o4UiouCG3BULez1imLDoHk4SSTTwF6LB

Score

10^/10

dcrat redline sectoprat cheat discovery infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:1337

127.0.0.1:31731

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1060	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	1060	schtasks.exe	94

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001900000002aac2-95.dat	family_redline
behavioral1/memory/3724-4140-0x00000000201E0000-0x00000000201FA000-memory.dmp	family_redline
behavioral1/files/0x001d00000002aa6f-8332.dat	family_redline
behavioral1/memory/3124-8334-0x00000000004E0000-0x00000000004FE000-memory.dmp	family_redline
behavioral1/memory/5172-8661-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001900000002aac2-95.dat	family_sectoprat
behavioral1/files/0x001d00000002aa6f-8332.dat	family_sectoprat
behavioral1/memory/3124-8334-0x00000000004E0000-0x00000000004FE000-memory.dmp	family_sectoprat
behavioral1/memory/5172-8661-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1336-180-0x0000000000050000-0x000000000048C000-memory.dmp	dcrat
behavioral1/memory/4984-420-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat
behavioral1/memory/1336-419-0x0000000000050000-0x000000000048C000-memory.dmp	dcrat
behavioral1/memory/4984-2199-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat
behavioral1/memory/4204-8902-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat
behavioral1/memory/4204-8904-0x0000000000140000-0x000000000057C000-memory.dmp	dcrat

Executes dropped EXE 21 IoCs

Processes:

Kurome.Host.exeKurome.Builder.exeKurome.Loader.exepanel.exemssurrogateProvider_protected.exePanel.execsrss.exePanel.exePanel.exePanel.exebuild.exebuild.exeKurome.Builder.exebuild.exebuild.exeKurome.Builder.exebuild.exeKurome.Builder.exebuild.exebuild.execsrss.exe

pid	Process
4700	Kurome.Host.exe
556	Kurome.Builder.exe
4900	Kurome.Loader.exe
1464	panel.exe
1336	mssurrogateProvider_protected.exe
4888	Panel.exe
4984	csrss.exe
3724	Panel.exe
3088	Panel.exe
3860	Panel.exe
3124	build.exe
128	build.exe
4648	Kurome.Builder.exe
2992	build.exe
2712	build.exe
2560	Kurome.Builder.exe
5292	build.exe
4940	Kurome.Builder.exe
5172	build.exe
2492	build.exe
4204	csrss.exe

Loads dropped DLL 62 IoCs

Processes:

Kurome.Host.exeKurome.Builder.exemssurrogateProvider_protected.execsrss.exebuild.exebuild.exeKurome.Builder.exebuild.exebuild.exeKurome.Builder.exebuild.exeKurome.Builder.exebuild.exebuild.execsrss.exe

pid	Process
4700	Kurome.Host.exe
4700	Kurome.Host.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
1336	mssurrogateProvider_protected.exe
1336	mssurrogateProvider_protected.exe
1336	mssurrogateProvider_protected.exe
1336	mssurrogateProvider_protected.exe
4984	csrss.exe
4984	csrss.exe
4984	csrss.exe
4984	csrss.exe
3124	build.exe
3124	build.exe
3124	build.exe
3124	build.exe
128	build.exe
128	build.exe
128	build.exe
128	build.exe
4648	Kurome.Builder.exe
4648	Kurome.Builder.exe
4648	Kurome.Builder.exe
4648	Kurome.Builder.exe
4648	Kurome.Builder.exe
4648	Kurome.Builder.exe
2992	build.exe
2992	build.exe
2992	build.exe
2992	build.exe
2712	build.exe
2712	build.exe
2712	build.exe
2712	build.exe
2560	Kurome.Builder.exe
2560	Kurome.Builder.exe
2560	Kurome.Builder.exe
2560	Kurome.Builder.exe
2560	Kurome.Builder.exe
2560	Kurome.Builder.exe
5292	build.exe
5292	build.exe
5292	build.exe
5292	build.exe
4940	Kurome.Builder.exe
4940	Kurome.Builder.exe
4940	Kurome.Builder.exe
4940	Kurome.Builder.exe
4940	Kurome.Builder.exe
4940	Kurome.Builder.exe
5172	build.exe
5172	build.exe
5172	build.exe
5172	build.exe
2492	build.exe
2492	build.exe
2492	build.exe
2492	build.exe
4204	csrss.exe
4204	csrss.exe
4204	csrss.exe
4204	csrss.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

mssurrogateProvider_protected.execsrss.exePanel.exePanel.exePanel.exe

pid	Process
1336	mssurrogateProvider_protected.exe
4984	csrss.exe
4984	csrss.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3724	Panel.exe
3088	Panel.exe

Drops file in Program Files directory 4 IoCs

Processes:

mssurrogateProvider_protected.exe

description	ioc	Process
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\csrss.exe	mssurrogateProvider_protected.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	mssurrogateProvider_protected.exe

Drops file in Windows directory 2 IoCs

Processes:

Kurome.Loader.exechrome.exe

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Kurome.Loader.exepanel.exebuild.exeKurome.Builder.exebuild.exeKurome.Host.exeKurome.Builder.exemssurrogateProvider_protected.exebuild.exeKurome.Builder.execsrss.exeKurome.Builder.exebuild.exebuild.exebuild.execsrss.exebuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssurrogateProvider_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 64 IoCs

Processes:

Panel.exemssurrogateProvider_protected.exepanel.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mssurrogateProvider_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "9"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000006159d6aa100054656d7000003a0009000400efbe4759005f6159d6aa2e0000004c570200000001000000000000000000000000000000eb462001540065006d007000000014000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 500031000000000047592d64100041646d696e003c0009000400efbe4759005f61598daa2e0000002c570200000001000000000000000000000000000000ef8e1b01410064006d0069006e00000014000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000004759005f12004170704461746100400009000400efbe4759005f61598daa2e000000375702000000010000000000000000000000000000000fe15d004100700070004400610074006100000016000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Panel.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3456	schtasks.exe
1692	schtasks.exe
1560	schtasks.exe
440	schtasks.exe
3872	schtasks.exe
4928	schtasks.exe
4616	schtasks.exe
3488	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mssurrogateProvider_protected.exePanel.execsrss.exePanel.exe

pid	Process
1336	mssurrogateProvider_protected.exe
4888	Panel.exe
4984	csrss.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe
4888	Panel.exe
3724	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Panel.exeTaskmgr.exe

pid	Process
3860	Panel.exe
5724	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeKurome.Host.exeKurome.Builder.exeKurome.Loader.exemssurrogateProvider_protected.exePanel.execsrss.exePanel.exe

description	pid	Process
Token: SeRestorePrivilege	2056	7zFM.exe
Token: 35	2056	7zFM.exe
Token: SeSecurityPrivilege	2056	7zFM.exe
Token: SeDebugPrivilege	4700	Kurome.Host.exe
Token: SeDebugPrivilege	556	Kurome.Builder.exe
Token: SeDebugPrivilege	4900	Kurome.Loader.exe
Token: SeDebugPrivilege	1336	mssurrogateProvider_protected.exe
Token: SeDebugPrivilege	4888	Panel.exe
Token: SeDebugPrivilege	4984	csrss.exe
Token: SeDebugPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe
Token: 33	3724	Panel.exe
Token: SeIncBasePriorityPrivilege	3724	Panel.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exeTaskmgr.exe

pid	Process
2056	7zFM.exe
2056	7zFM.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exe

pid	Process
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe
5724	Taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

mssurrogateProvider_protected.execsrss.exePanel.execsrss.exe

pid	Process
1336	mssurrogateProvider_protected.exe
4984	csrss.exe
3860	Panel.exe
3860	Panel.exe
3860	Panel.exe
3860	Panel.exe
3860	Panel.exe
4204	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

panel.exemssurrogateProvider_protected.exePanel.exePanel.exePanel.exechrome.exe

description	pid	Process	procid_target
PID 1464 wrote to memory of 1336	1464	panel.exe	92
PID 1464 wrote to memory of 1336	1464	panel.exe	92
PID 1464 wrote to memory of 1336	1464	panel.exe	92
PID 1464 wrote to memory of 4888	1464	panel.exe	93
PID 1464 wrote to memory of 4888	1464	panel.exe	93
PID 1336 wrote to memory of 4984	1336	mssurrogateProvider_protected.exe	104
PID 1336 wrote to memory of 4984	1336	mssurrogateProvider_protected.exe	104
PID 1336 wrote to memory of 4984	1336	mssurrogateProvider_protected.exe	104
PID 4888 wrote to memory of 3724	4888	Panel.exe	105
PID 4888 wrote to memory of 3724	4888	Panel.exe	105
PID 3724 wrote to memory of 3088	3724	Panel.exe	108
PID 3724 wrote to memory of 3088	3724	Panel.exe	108
PID 3088 wrote to memory of 3860	3088	Panel.exe	109
PID 3088 wrote to memory of 3860	3088	Panel.exe	109
PID 5112 wrote to memory of 4484	5112	chrome.exe	137
PID 5112 wrote to memory of 4484	5112	chrome.exe	137
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 5456	5112	chrome.exe	138
PID 5112 wrote to memory of 3976	5112	chrome.exe	139
PID 5112 wrote to memory of 3976	5112	chrome.exe	139
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140
PID 5112 wrote to memory of 2760	5112	chrome.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:840

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4684

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files (x86)\Google\csrss.exe
    "C:\Program Files (x86)\Google\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4984
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuHxEGx5Ev0OYR1Vp3A2QXgAAAAACAAAAAAAQZgAAAAEAACAAAACIdFbq1vdTqIAMdQBoIi+VKDWr80NARBqfBhIJZsTq9gAAAAAOgAAAAAIAACAAAABjbJt7aa/VFzFbTiACcNjCwAZXeP4AfHkZOOkP9ppPtBAAAABAwjRx3XjvTHzD7t7BJxx1QAAAAE3Lb63Oavd3b4TqfM/vRfN9DHuF9QhziQZ9RYSjtFFZHOSUogBBpdGoCN0CqzZx4LaCiWXDpHntDmHUJQ1Nfug=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuHxEGx5Ev0OYR1Vp3A2QXgAAAAACAAAAAAAQZgAAAAEAACAAAAD59P5258WTiNp4sMaUSYDIdk1yjS2Z4d35SeyrFNqODgAAAAAOgAAAAAIAACAAAAAepQ2Sd4EvUrq37BOMmai71eWkMPoltxbT3frKc7KSQhAAAABreFoYgZ36TVyqITtWVMkhQAAAAD1oVez36kTrSAxWLfMjZgqkbAHjvqNCJlUSsXMh5t2Hvh2x4VGRhooTvxBNCuJd/YG7gRrMwApFUpFhmp74ArE="
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Users\Admin\AppData\Local\Temp\Panel.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuHxEGx5Ev0OYR1Vp3A2QXgAAAAACAAAAAAAQZgAAAAEAACAAAACIdFbq1vdTqIAMdQBoIi+VKDWr80NARBqfBhIJZsTq9gAAAAAOgAAAAAIAACAAAABjbJt7aa/VFzFbTiACcNjCwAZXeP4AfHkZOOkP9ppPtBAAAABAwjRx3XjvTHzD7t7BJxx1QAAAAE3Lb63Oavd3b4TqfM/vRfN9DHuF9QhziQZ9RYSjtFFZHOSUogBBpdGoCN0CqzZx4LaCiWXDpHntDmHUJQ1Nfug=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAuHxEGx5Ev0OYR1Vp3A2QXgAAAAACAAAAAAAQZgAAAAEAACAAAAD59P5258WTiNp4sMaUSYDIdk1yjS2Z4d35SeyrFNqODgAAAAAOgAAAAAIAACAAAAAepQ2Sd4EvUrq37BOMmai71eWkMPoltxbT3frKc7KSQhAAAABreFoYgZ36TVyqITtWVMkhQAAAAD1oVez36kTrSAxWLfMjZgqkbAHjvqNCJlUSsXMh5t2Hvh2x4VGRhooTvxBNCuJd/YG7gRrMwApFUpFhmp74ArE=" "--monitor"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\FAQ.txt
1⤵
PID:3704

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-crack-by-rzt\ReadMe.txt
1⤵
PID:2140

C:\Users\Admin\Desktop\build.exe
"C:\Users\Admin\Desktop\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3124

C:\Users\Admin\Desktop\build.exe
"C:\Users\Admin\Desktop\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:128

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4648

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2992

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2560

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5292

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4940

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5724

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5172

C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\GB[1996F3479105558F613CB87EDB6E18A4] [2024-11-01T21_26_46.0169245]\UserInformation.txt
1⤵
PID:6108

C:\Program Files (x86)\Google\csrss.exe
"C:\Program Files (x86)\Google\csrss.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4d7fcc40,0x7ffa4d7fcc4c,0x7ffa4d7fcc58
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4376,i,6814739652153785919,2761265271755388724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3396

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
392ae723631ca7c3f0e6b9b1d73a7d8f

SHA1
1d04abcd4955fc7fa370b6c5ee4e6fdc5eb920e1

SHA256
cd334faf27788b1d22e76501c84c8836ed55386317fc909c7bc1b64b34442d61

SHA512
0c9fabe4987283d0a238f23d98bfeaa0f45a82509310cb574142cd9070d2c80a746766a52ac4a6b3b9288d8bd59720d4a0acba9ab5c590d5cc2153d9c6cea907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5a910edc-af4b-4d69-94ee-725c9a23ab83.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d2e3f06084345e1f8d4cbb488fa80069

SHA1
fb0768a55428cda917d1449c8045a03325044bb3

SHA256
b8f936a9379b5ec0384309ac4e74940e719a0c45cd34dfc89a7c021dfc74eafb

SHA512
727e4f44d3654efe52931640ceda435f265dc9091dbdb989b7765a9431251933ee604cbf7479be30653d4a2fd267dc2fad76947ca5bce12abb9a3321ba0398b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ca45d265d4170b3fe7f2090fa847311

SHA1
01df6ee5a07af322493fd76372c4311aed84e9a6

SHA256
0009e95b9cbfadd1c58ffe6f1cb68d0618bf9dd9d8d4b56d073cbbda7e770bed

SHA512
299c1a1b08faa9b20b2f7021ac3cd0a6d6fc4f30ce71ef3ccd4f43d15bfd85e196beb0df546fe03699881b84b7717950e8a22ea80d7b324392a16cb92de243a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c2d9256df52bafb9bb4a6578e8e0044

SHA1
dff19f1cf49b2db2c3ca5b4d541950d84d4aa423

SHA256
e8659a08eb1b75e671834e3eb3f3f4d3de603687bb8625a41ea34986593e4583

SHA512
ac3194ea36288b894e4476a7c7c74368d2dea8a6db85281e2e7da821d9ba48cc7b8f10d17215bdbbe83e03f58a17f38e019be326178410b5cdcb90613406f3b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6288e19b4ad394c900638c41d0fa4a6

SHA1
e9fc754a0f5537a656bef8502b685b136803281a

SHA256
dc44a509f0ff6e22dce5ff145d309caef2966917850d48f7ac55569c1dae8988

SHA512
d29235b9c00a21d9a3f65783936e620aa3bc78cab4caf95f2999ea6aa6907bd0026ddcca31b2b395c57ebd1b7eec6ada8818fb082495877fd11eef373a9e54fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
d27fe7a89795ad63758cee86a85871c0

SHA1
c2d9f22ec91b5e3a3f9b3e91c531aab2663d48ba

SHA256
f9e3210d34f040e3a1ad228a6ab31267c89c993a39b9d82b1eefa0445a697ef6

SHA512
5af40c6d9647e19a5c028562af4e0cda4085755da9dcec89c75d88167e532495c85bcc273a20422941dc99ddc3a10ed5a1dc787e412d55cf2943b2c72e19d449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
dcf4c0d0d7c5568caf03a63f506e753c

SHA1
80f8f96846a6dcf7ac844582677940271b928755

SHA256
0f6669676689a5868da423b7c25450b03d51995ceb2015dd188477d21925d74c

SHA512
b7f0cdf6fb25a62d7b8510541753dcb241620eb522a68aad3ea45895d9c6c163e24bc3c007bf51b783581b7b29b74371d03cabc67af1ff9bd6f640ecfb48e9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
1KB

MD5
fa2242a848c015e90751992478acf1b0

SHA1
9b54d26e4c0630490ab230b9d15119d036c3398f

SHA256
0b71c524f4b9a3964104689ba24c413a0811e83d1071a2bb066b66c91053f147

SHA512
69d1962db48657f3c8b24e79a7846aa0e4fcfc2b27c3675915a7906913c897dff0e91bd06634615d6c5b62c4afae41827d7fa1944f84d11f8a731bab1cf7629b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Builder.exe.log

Filesize
1KB

MD5
dbbe8c484909b919340d7313bd994ae9

SHA1
1183ce1f0d152dba87105d00f888353466f2cd50

SHA256
2f651319ffe35d3b46360918df7fe5427231fa7e19c3ff75fe54a8ca2bfafa84

SHA512
3a9e59f3138e2b17d6a1886081c6ba9c650d0c5d36e4b25477ae288ab265cc5f67a193558887bbf37817772f704853eb9ddb6555bf283af093cfd05b7d363ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
346086ede8fbeb44b1a9e1444e59dcb1

SHA1
55f474b18256d4d548307f462021ddf527c7b99c

SHA256
18edfd8a26c67e1512749ebc6c28da15f1297738b7462615a8a9ef25477cfa07

SHA512
cfd75aa1fde8ace0ad449bd8971d65356ab4261a888cff8a0c99286202d905549a18f28d7d02c97d4fa0a33739e0bff6208928999a89fe88ea6f86fe023c6ee2

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_ytoebgxjgkj3gjhngbhnmj3jxmiefwvd\0.0.0.0\user.config

Filesize
1KB

MD5
49d87cb1cb0b2e659129e320a6ccb525

SHA1
c6ab61960211bc624984fab309c1c3fc8939477e

SHA256
f89b9eef021271a5339fb32d11f3965958f1c80d793ef3e88e9f56091e139fc1

SHA512
7cabf73dd6498df0a06f06987a33d61a406e1fec6fbede7791e209c8dc760cf6b0ef67e5cb12309ea426551fd9ee6b3d3e86f2c348b0099d107e73dda9adba7f

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_ytoebgxjgkj3gjhngbhnmj3jxmiefwvd\0.0.0.0\user.config

Filesize
2KB

MD5
d35ff673d800139be08ca693b7258011

SHA1
d4f7cc63ba5b6c931c9a405f7ff9678f8191c04d

SHA256
d0bebdd1e9c474fcb6948e15e22dc634da489e57401770b85933bc8c9abd15a0

SHA512
fcb862f6888c7b2cd6782bb2c65aa6b56e857c5e31fce59796c72569f071261379b8fda8862ff83af4b0cb5729c96abdcc3943a08a3a026bd54e9d1693410281

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_ytoebgxjgkj3gjhngbhnmj3jxmiefwvd\0.0.0.0\user.config

Filesize
2KB

MD5
0831c61495e5e521cf28350b64128bb1

SHA1
49b29ca205d911d9e54e0274801c0f02ca6df905

SHA256
e02842c6651862e01c654e814fe9e02db2487f81f6f08942d545d66b4d42e1c1

SHA512
ede6b0d19ff0768723a9214e0509df36eb2eda9d8ca70dea2aca56a01a2d7ec7f415f41dd5153bd4bacbd14e0cfa02fa0488a04d0dfcb90f3a804c03948ba13b

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_ytoebgxjgkj3gjhngbhnmj3jxmiefwvd\0.0.0.0\user.config

Filesize
9KB

MD5
701f915779e9242cf5a0f72673d35b79

SHA1
0c9ecbb251eafb35b9ced95f960634834db1f032

SHA256
925577bde7aa7688cf5b13cfa96ae10d7441fd6eefa5bf857121c7943b77a2ca

SHA512
07949e86a7977e970c19a4af08f5121e7163ebef54141336a231fcdb59e916aaf0f5685346efc9fd43aed8d9557e4ff9528e9d755f4f0ff75c2e75438a9668c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
C:\Users\Admin\AppData\Local\Temp\serviceSettings.json

Filesize
74B

MD5
a0ef190d1ff273dcd337831f3c64bcbe

SHA1
357455f938663bdaa9d8c33f87b17eba4cbcecb9

SHA256
f796624293b2fe3db8f4734b1fc88dc61ade5f21d524d62e6d8cd0981de25031

SHA512
3ea18e455a70104ac68b82fc16b61f43d20c46cc827b32911d09a0157fded9bacc2b2bdf5b45431b7b5e640994d7637b12e380189cef743fdc34fd6d039bac9f

Download Submit
C:\Users\Admin\Desktop\New folder\GB[1996F3479105558F613CB87EDB6E18A4] [2024-11-01T21_26_46.0169245]\FileGrabber\Users\Admin\Documents\AddBlock.docx

Filesize
16KB

MD5
c4c9a3d309b8a2141fa78dba0955ea1a

SHA1
6c2cc057c135cf1041946dda03fd486945e41db9

SHA256
48ad67699d26274d89517195d0606d832ac928e583fc7d64e3433279b2bc77d3

SHA512
1f38ecec41cc04a9419d399ab8bb4d2615c2bbe71af4e459ced3a6a821b7a1f7697b86be841bf5a505de6c97068c35850643af47c69b877148e92e6afd946364

Download Submit
C:\Users\Admin\Desktop\New folder\GB[1996F3479105558F613CB87EDB6E18A4] [2024-11-01T21_26_46.0169245]\FileGrabber\Users\Admin\Documents\ComparePing.docx

Filesize
17KB

MD5
4f722e234d2cd469510142146e40574e

SHA1
3a56fb588bb6c775c432fc69c75bd0b322cfc9ff

SHA256
1c95bd0031e5f66fcf1765fb75b3efb09cba160f7fe1fae635cca830af0716c9

SHA512
ffe4200ba9165aec4e32b1be669933d372aa584678f42270f83dae391916c8a48238c76dc26eb48d017ebefdbd2d0b0fda4bf84150603f24b4a31d411a09c875

Download Submit
C:\Users\Admin\Desktop\New folder\GB[1996F3479105558F613CB87EDB6E18A4] [2024-11-01T21_26_46.0169245]\FileGrabber\Users\Admin\Documents\ReadJoin.docx

Filesize
13KB

MD5
53b40bf93adda06f18baa3d56b64f293

SHA1
fbef184a8899b9d6c33ef288d1d14d2d6690a05f

SHA256
6cefc8f3c61a87ddc9526b68adaa8e652a3df0a47217765fc541bf1665d67cb9

SHA512
e23f417a4795cbefa23ae180fef2f910540b8ae32c69ad96bb7d0385dc2a22844d8ecf52e34dd65a8f926ec6c9e5dfb78168f1f28342e722bfeac9ea04d2d242

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Kurome.Loader\Kurome.Loader.exe.config

Filesize
186B

MD5
9070d769fd43fb9def7e9954fba4c033

SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f

SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\FAQ.txt

Filesize
19KB

MD5
53fc20e1e68a5619f7ff2df8e99d42c4

SHA1
7a8ddc81d16aaab533411810acfad1546c30dc2f

SHA256
fc7ceb47aa8796614f098406452ea67cb58929ded1d4c6bd944d4d34921bba0b

SHA512
c1ad4f2dfd50528d613e9fe3f55da0bbb5c8442b459d9c3c989b75014c827306f72f2eb6ecbcd92ff11546e12087c09685b12a7dc258c5ea85c15ba5cc002d8c

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe

Filesize
16.4MB

MD5
1246b7d115005ce9fcc96848c5595d72

SHA1
fa3777c7fe670cea2a4e8267945c3137091c64b5

SHA256
f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78

SHA512
5bf90904cf74a8c3775498578d856dd9f4837077928cd7ce24e4a6ccec00827bcfb28c2079498ba682a4f53204d7ad2bb8de2489005c429dc968e75e26d29101

Download Submit
C:\Users\Admin\Desktop\Redline-crack-by-rzt\ReadMe.txt

Filesize
401B

MD5
0e9ea2262b11db9e8c1656c949da4495

SHA1
f332749e10817048cea5e1584edf5e88f47024eb

SHA256
ad8361226621c8261d69e1202e7f9831a00f3bb6549d77219d5deb0e8a6cbde6

SHA512
00aae0c559823ff27ca8af431d24d4fe8a3f4683b0d776a80fb14a96d82030cedf6ec1ddf2efd7fc229e2c2b3ab3ac0b15326dc1912cdd07932ec7ff8f80975c

Download Submit
C:\Users\Admin\Desktop\build.exe

Filesize
95KB

MD5
ca8b99c9d67aee4b846581461ec6bb2b

SHA1
7c0fd208b99bc69aaf003693aeafbe73cde4658f

SHA256
d53b5ccdc46e2575b7c917ae6414b93028b9fe4df2deda7107a7a470080a9f3a

SHA512
027f3e669560a0668706665101bfb7ca258943f80cc660085428516015fb7a106266b34334afabfd95bf43c348d53d2fe6f9cbf7a6a737314d19524e4bc36a83

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/556-86-0x0000000005EB0000-0x0000000006456000-memory.dmp

Filesize
5.6MB

Download
memory/556-87-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/556-85-0x0000000000CA0000-0x0000000000CC8000-memory.dmp

Filesize
160KB

Download
memory/556-88-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/556-92-0x0000000005DE0000-0x0000000005E3E000-memory.dmp

Filesize
376KB

Download
memory/1336-175-0x0000000000050000-0x000000000048C000-memory.dmp

Filesize
4.2MB

Download
memory/1336-187-0x0000000006700000-0x0000000006A62000-memory.dmp

Filesize
3.4MB

Download
memory/1336-180-0x0000000000050000-0x000000000048C000-memory.dmp

Filesize
4.2MB

Download
memory/1336-210-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/1336-357-0x0000000006EE0000-0x0000000006FE0000-memory.dmp

Filesize
1024KB

Download
memory/1336-228-0x0000000006D70000-0x0000000006DD6000-memory.dmp

Filesize
408KB

Download
memory/1336-225-0x0000000005EB0000-0x000000000602C000-memory.dmp

Filesize
1.5MB

Download
memory/1336-211-0x0000000006A70000-0x0000000006CF6000-memory.dmp

Filesize
2.5MB

Download
memory/1336-419-0x0000000000050000-0x000000000048C000-memory.dmp

Filesize
4.2MB

Download
memory/1464-107-0x0000000000400000-0x0000000001470000-memory.dmp

Filesize
16.4MB

Download
memory/3124-8334-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/3724-4294-0x0000000021E30000-0x0000000021E48000-memory.dmp

Filesize
96KB

Download
memory/3724-4238-0x0000000024940000-0x000000002498A000-memory.dmp

Filesize
296KB

Download
memory/3724-4279-0x0000000026150000-0x00000000264BC000-memory.dmp

Filesize
3.4MB

Download
memory/3724-4278-0x0000000021E00000-0x0000000021E22000-memory.dmp

Filesize
136KB

Download
memory/3724-4258-0x0000000021FF0000-0x0000000022020000-memory.dmp

Filesize
192KB

Download
memory/3724-4257-0x0000000024B00000-0x0000000024C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3724-4256-0x0000000021E90000-0x0000000021EDF000-memory.dmp

Filesize
316KB

Download
memory/3724-4255-0x0000000021CC0000-0x0000000021D5C000-memory.dmp

Filesize
624KB

Download
memory/3724-4239-0x00000000248F0000-0x0000000024940000-memory.dmp

Filesize
320KB

Download
memory/3724-4221-0x00000000210D0000-0x0000000021144000-memory.dmp

Filesize
464KB

Download
memory/3724-4158-0x00000000209B0000-0x00000000209C2000-memory.dmp

Filesize
72KB

Download
memory/3724-4187-0x0000000020B00000-0x0000000020BB0000-memory.dmp

Filesize
704KB

Download
memory/3724-4172-0x0000000020A10000-0x0000000020A4A000-memory.dmp

Filesize
232KB

Download
memory/3724-4144-0x0000000020970000-0x0000000020982000-memory.dmp

Filesize
72KB

Download
memory/3724-4142-0x0000000020820000-0x0000000020920000-memory.dmp

Filesize
1024KB

Download
memory/3724-4143-0x0000000020930000-0x000000002096C000-memory.dmp

Filesize
240KB

Download
memory/3724-4141-0x0000000020200000-0x0000000020818000-memory.dmp

Filesize
6.1MB

Download
memory/3724-4140-0x00000000201E0000-0x00000000201FA000-memory.dmp

Filesize
104KB

Download
memory/3724-4125-0x000000001FC90000-0x000000001FCF6000-memory.dmp

Filesize
408KB

Download
memory/3724-4126-0x000000001FD00000-0x000000001FF86000-memory.dmp

Filesize
2.5MB

Download
memory/3860-8280-0x0000000024B90000-0x0000000024BDF000-memory.dmp

Filesize
316KB

Download
memory/3860-8688-0x000000001E050000-0x000000001E05A000-memory.dmp

Filesize
40KB

Download
memory/4204-8901-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4204-8904-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4204-8902-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4700-75-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/4700-74-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4700-78-0x00000000747B0000-0x0000000074F61000-memory.dmp

Filesize
7.7MB

Download
memory/4700-79-0x0000000005300000-0x000000000540A000-memory.dmp

Filesize
1.0MB

Download
memory/4700-76-0x0000000004FD0000-0x000000000501C000-memory.dmp

Filesize
304KB

Download
memory/4700-81-0x00000000051F0000-0x0000000005240000-memory.dmp

Filesize
320KB

Download
memory/4700-80-0x0000000005080000-0x00000000050A8000-memory.dmp

Filesize
160KB

Download
memory/4700-77-0x0000000005120000-0x00000000051EE000-memory.dmp

Filesize
824KB

Download
memory/4700-93-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/4700-73-0x00000000747B0000-0x0000000074F61000-memory.dmp

Filesize
7.7MB

Download
memory/4700-72-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/4700-71-0x0000000004DF0000-0x0000000004E16000-memory.dmp

Filesize
152KB

Download
memory/4700-67-0x00000000747B0000-0x0000000074F61000-memory.dmp

Filesize
7.7MB

Download
memory/4700-94-0x00000000747B0000-0x0000000074F61000-memory.dmp

Filesize
7.7MB

Download
memory/4700-66-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/4700-65-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/4888-199-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4888-284-0x000000001F410000-0x000000001F42C000-memory.dmp

Filesize
112KB

Download
memory/4888-206-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4888-189-0x000000001ACD0000-0x000000001AE70000-memory.dmp

Filesize
1.6MB

Download
memory/4888-190-0x000000001ACD0000-0x000000001AE70000-memory.dmp

Filesize
1.6MB

Download
memory/4888-181-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

Filesize
10.8MB

Download
memory/4888-262-0x000000001E9C0000-0x000000001EF66000-memory.dmp

Filesize
5.6MB

Download
memory/4888-247-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4888-224-0x000000001DE80000-0x000000001DFC2000-memory.dmp

Filesize
1.3MB

Download
memory/4888-217-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

Filesize
1.3MB

Download
memory/4888-245-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4888-243-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4888-295-0x000000001F430000-0x000000001F5AC000-memory.dmp

Filesize
1.5MB

Download
memory/4888-242-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/4888-263-0x000000001F170000-0x000000001F202000-memory.dmp

Filesize
584KB

Download
memory/4888-261-0x000000001E650000-0x000000001E9B2000-memory.dmp

Filesize
3.4MB

Download
memory/4888-213-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

Filesize
1.3MB

Download
memory/4888-188-0x000000001ACD0000-0x000000001AE70000-memory.dmp

Filesize
1.6MB

Download
memory/4888-200-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4888-202-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4888-204-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4888-255-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

Filesize
40KB

Download
memory/4888-212-0x000000001DAB0000-0x000000001DBF2000-memory.dmp

Filesize
1.3MB

Download
memory/4900-101-0x00000000004B0000-0x00000000006E6000-memory.dmp

Filesize
2.2MB

Download
memory/4900-102-0x0000000006440000-0x0000000006A50000-memory.dmp

Filesize
6.1MB

Download
memory/4984-2199-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4984-420-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/4984-416-0x0000000000140000-0x000000000057C000-memory.dmp

Filesize
4.2MB

Download
memory/5172-8678-0x0000000007A80000-0x0000000007A9E000-memory.dmp

Filesize
120KB

Download
memory/5172-8677-0x0000000007920000-0x0000000007996000-memory.dmp

Filesize
472KB

Download
memory/5172-8676-0x0000000007BA0000-0x00000000080CC000-memory.dmp

Filesize
5.2MB

Download
memory/5172-8675-0x00000000074A0000-0x0000000007662000-memory.dmp

Filesize
1.8MB

Download
memory/5172-8662-0x0000000006E20000-0x0000000006E50000-memory.dmp

Filesize
192KB

Download
memory/5172-8661-0x00000000009F0000-0x0000000000A0E000-memory.dmp

Filesize
120KB

Download