redline | ddc4ee5b164774a9bcbc42636ae1b555c0e652943f89809adfe17643739c09d9

Resubmissions

07-01-2025 01:39

250107-b213raxqbx 10

06-01-2025 23:51

250106-3wa3xstmfx 10

06-01-2025 23:43

250106-3qm6asvrbr 10

Analysis

max time kernel
322s
max time network
320s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidibi.zip
Size

15.0MB
MD5

e3c095bad1b222b74dfab35fce9b58fc
SHA1

dafa30f20bfabe025c446186c3051e713559b635
SHA256

ddc4ee5b164774a9bcbc42636ae1b555c0e652943f89809adfe17643739c09d9
SHA512

509ef669bacb93d494e0df57ca3e5ec3d371815a58ed5c68d445bc2feba57588f6ad0a30efd4cc0894c1c63f4761a422897825021280d2ddbcd40428f5cecfbb
SSDEEP

393216:oWXzo7MYwJONnGHVWx55TbJDnJ6YrNDseN3zGASyC3FzeV8Qic1k:nDokMqWD5TdbJ6YrNrzd1ABeVqc1k

Score

10^/10

redline sectoprat skibidi discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

skibidi

127.0.0.1:4022

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/9992-3946-0x0000000020330000-0x000000002034A000-memory.dmp	family_redline
behavioral1/files/0x001900000002ab63-12292.dat	family_redline
behavioral1/files/0x000500000002571a-12302.dat	family_redline
behavioral1/memory/6444-12304-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab63-12292.dat	family_sectoprat
behavioral1/files/0x000500000002571a-12302.dat	family_sectoprat
behavioral1/memory/6444-12304-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 10 IoCs

pid	Process
3304	Panel.exe
9992	Panel.exe
5064	Kurome.Loader.exe
9432	Kurome.Host.exe
8520	Panel.exe
10588	Panel.exe
9940	Panel.exe
5188	Panel.exe
9884	Kurome.Builder.exe
6444	build.exe

Loads dropped DLL 16 IoCs

pid	Process
9432	Kurome.Host.exe
9432	Kurome.Host.exe
9432	Kurome.Host.exe
9432	Kurome.Host.exe
9432	Kurome.Host.exe
9432	Kurome.Host.exe
9884	Kurome.Builder.exe
9884	Kurome.Builder.exe
9884	Kurome.Builder.exe
9884	Kurome.Builder.exe
9884	Kurome.Builder.exe
9884	Kurome.Builder.exe
6444	build.exe
6444	build.exe
6444	build.exe
6444	build.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
9992	Panel.exe
8520	Panel.exe
8520	Panel.exe
8520	Panel.exe
8520	Panel.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 50003100000000001a539865100050616e656c003c0009000400efbe1a539865265a77be2e0000006cab02000000190000000000000000000000000000005177ed00500061006e0065006c00000014000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000d38ef0b5625db016095c4f09560db01ee8e8f999660db0114000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 6e003100000000001a532f6710005245444c494e7e310000560009000400efbe1a53c364265a77be2e00000004ab020000001b00000000000000000000000000000024e1e1005200650064006c0069006e0065005f00320030005f0032005f0063007200610063006b00000018000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\NodeSlot = "9"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000005759f6711100557365727300640009000400efbec5522d60265a76be2e0000006c0500000000010000000000000000003a00000000004a924b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "11"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	Panel.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7344	NOTEPAD.EXE
11260	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe
3304	Panel.exe
9992	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
440	OpenWith.exe
5188	Panel.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2784	7zFM.exe
Token: 35	2784	7zFM.exe
Token: SeSecurityPrivilege	2784	7zFM.exe
Token: SeDebugPrivilege	3304	Panel.exe
Token: SeDebugPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: SeDebugPrivilege	5064	Kurome.Loader.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe
Token: 33	9992	Panel.exe
Token: SeIncBasePriorityPrivilege	9992	Panel.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2784	7zFM.exe
2784	7zFM.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3304	Panel.exe
9992	Panel.exe
8520	Panel.exe
10588	Panel.exe
9940	Panel.exe
5188	Panel.exe
7940	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
440	OpenWith.exe
5188	Panel.exe
5188	Panel.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 9992	3304	Panel.exe	82
PID 3304 wrote to memory of 9992	3304	Panel.exe	82
PID 8520 wrote to memory of 10588	8520	Panel.exe	89
PID 8520 wrote to memory of 10588	8520	Panel.exe	89
PID 10588 wrote to memory of 9940	10588	Panel.exe	91
PID 10588 wrote to memory of 9940	10588	Panel.exe	91
PID 9940 wrote to memory of 5188	9940	Panel.exe	92
PID 9940 wrote to memory of 5188	9940	Panel.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\skibidibi.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4068

C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:9992

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline_20_2_crack\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:7344

C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:9432

C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8520
- C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:10588
- - C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
    "C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAKnH/9FTClEqtJFvygn5bAQAAAAACAAAAAAAQZgAAAAEAACAAAAAm90vKSe/HAWbuYR8S6pw0GGHBeDnxHe7frlWkqICXDAAAAAAOgAAAAAIAACAAAABN3PobhQEqy58KNzqV7LRt2FfVLcQgq7QqwcsmkwXiUxAAAAAsVdGgCKi6ggygL0OUluohQAAAAC/xtsRO/N0chILtknwkAPZCSFBH2JJ24MExISywQGR2UE4JB5hnz+JhF9txzQxdEMqoUtzXS1y/aO4I4mGem4w=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAKnH/9FTClEqtJFvygn5bAQAAAAACAAAAAAAQZgAAAAEAACAAAAC4d/cGA4QJAi51g607hbaV0rJ4RAvf2Er/q23CbZ3o2gAAAAAOgAAAAAIAACAAAAAErgdViv79DHThMxBGVKAfdqEZ7S788+ppyJWxSqeb5RAAAAAomOfSpjVvZ5o0/tCwWCohQAAAADtQi8Hz3a7mi+99VIRm8CmTWk2C74NtEv4gSUfcn5AMPujTHIuDbGiShAE+/IL+z1q71JrkjA/SNcCfm2J4OpI="
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:9940
  - - C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe
      "C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAKnH/9FTClEqtJFvygn5bAQAAAAACAAAAAAAQZgAAAAEAACAAAAAm90vKSe/HAWbuYR8S6pw0GGHBeDnxHe7frlWkqICXDAAAAAAOgAAAAAIAACAAAABN3PobhQEqy58KNzqV7LRt2FfVLcQgq7QqwcsmkwXiUxAAAAAsVdGgCKi6ggygL0OUluohQAAAAC/xtsRO/N0chILtknwkAPZCSFBH2JJ24MExISywQGR2UE4JB5hnz+JhF9txzQxdEMqoUtzXS1y/aO4I4mGem4w=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAKnH/9FTClEqtJFvygn5bAQAAAAACAAAAAAAQZgAAAAEAACAAAAC4d/cGA4QJAi51g607hbaV0rJ4RAvf2Er/q23CbZ3o2gAAAAAOgAAAAAIAACAAAAAErgdViv79DHThMxBGVKAfdqEZ7S788+ppyJWxSqeb5RAAAAAomOfSpjVvZ5o0/tCwWCohQAAAADtQi8Hz3a7mi+99VIRm8CmTWk2C74NtEv4gSUfcn5AMPujTHIuDbGiShAE+/IL+z1q71JrkjA/SNcCfm2J4OpI=" "--monitor"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:5188

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline_20_2_crack\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:11260

C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:9884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:440

C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6444

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\GB[4F36E9C7BE75820DC4C392E3622166B7] [2025-01-06T23_56_03.1181799]\UserInformation.txt
1⤵
PID:8744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
2KB

MD5
e9f476354f6a45d635206c796fbe9dd7

SHA1
7783516cfa275aeef3df115727d0bbaec706c0d2

SHA256
d2a40b3af9a311be080785bbb7fb2a8ebe12f1d549e4f74c00605d585e24a917

SHA512
5851b26f8dbeaf12aad7f74e4542f2a96c813235d30d7dc4897406c406fad0970cf935358af0f95fbaefb82352eb8bb27df8f9f305ac02668e7b0b52b97c3a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
3e285d1eaaac45682d24c0c004836a5a

SHA1
962c6c40fd302f289752a90e001c65a1d6a96476

SHA256
255cb567fdf07557398b2b2aa78ec31c2e454fe209914ee374f7075e5da4af69

SHA512
044f882a1a34409ced062996eb7860b6c075244aceb9466c97efff717d7c386d00de6c40a4a4ad175f66dc624b0b353ca3a4f112182eb17c9756ca9e2c093ade

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_52q3040yoqcyxegg3grrgbtjyt5fry51\0.0.0.0\cdfxjizk.newcfg

Filesize
2KB

MD5
1f756e8cd97e6789bbe5441558f6ead9

SHA1
1d12e173a6bdb73c8c3637f4f554fd8482762719

SHA256
cfd95e5293aa402a879af8cbfb55373ef91d1462faece57237d5f637d6536444

SHA512
b531a13a3efc134e6ffdc9579ad69f2000ae6587e9960e35ea9dbcc10a03ab5c9f8ddb53563630b34b1ea8449406c8bb3a024afe3db52423489d8de7de2b00e6

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_52q3040yoqcyxegg3grrgbtjyt5fry51\0.0.0.0\user.config

Filesize
1KB

MD5
1d5329c59fe486eedb4d8414ee3aee00

SHA1
ce4f7b25d1333e8691ab13690ca40ddaf8be3858

SHA256
d545f3a3ebe1a60fac7699a2fbd653811a4e44d9b7da325cb20e43b338e521c2

SHA512
12a0b8e7d64265df8051ebd60da14848f4075e4088af5d7db4c9cdd59c8d8b239a77283e28c9c0cb9ae63b8cd941214dc38f3ae31a95266e07f2d569b2d81aba

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_52q3040yoqcyxegg3grrgbtjyt5fry51\0.0.0.0\user.config

Filesize
2KB

MD5
1461b6d9404b4f2990f8e8c66c640745

SHA1
f929650bb60a504146486a5117f66e2481d3a9f0

SHA256
9c14588266c6cf6124364d4f5ec9d5e1e9f2393b72b868f78b7d954ce130443d

SHA512
85cbc33c3bb49e2228d31b7d15b660c5896a2d43a4fb2dc5787c7c73039df15d1e44e8ac6283b4cf0e5d8260a2d1c6b10a737acdb349d8feef8219710afe88bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA1D.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA42.tmp

Filesize
114KB

MD5
e1bdc949ed4c93a97fa61c08b886f2cd

SHA1
05db7b0192094768b6f436a0c6e725a3377dded3

SHA256
463bff1de5e1a9ec2afe031a34ddf242df7f8b9a5803a285a842f4ad6320e1b9

SHA512
899b7b08b799405b82b16d542217039fa43203a08de91a9f1594c1c61f87135fb9cd11de08a15a9b69d7b5410853ddcf1797da004de736363085210660fac14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA5E.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA64.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA7A.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA95.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\Desktop\New folder\GB[4F36E9C7BE75820DC4C392E3622166B7] [2025-01-06T23_56_03.1181799]\UserInformation.txt

Filesize
1KB

MD5
815d0e7d39cd3da087f38273531e3870

SHA1
b511ba32fb86123a96c81cefc3e22872d71e1165

SHA256
8daa4141bfa00ffd1163de12091071153e3c419e85278a2188b865d03f772ea1

SHA512
8c20bd37af819e9bdd951484b7c168b0461e56130a97dd3fb40568c18a4e104f16ae8487fb654fb2fa191845089d5b1b1af755d626bda29239a1937726cb3752

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\build.exe

Filesize
95KB

MD5
a23c6a99eb5e6d313a6a50df41ca5968

SHA1
3d752d3438a807076d206d7340f0f7cacd20e835

SHA256
c7581d7113a665a5b2963ad54e47323c87f7079a7b261649a174c13870a161e4

SHA512
758d7feadf08d832f8210cf8c6e8e46c94c3ba13137aa73927428c5a5790676445690be17be951d97f0bfa5da19f1fec97292c275bcf7d629c8c9cbdb0a46123

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe.config

Filesize
186B

MD5
9070d769fd43fb9def7e9954fba4c033

SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f

SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Data\1.dat

Filesize
2.2MB

MD5
f9f6320f8374a7fa5f24a152345f14f2

SHA1
9de79ac7eca3a781318fb6e9740c7462c3e3a0cc

SHA256
523ec6032ab1bc8690c6bc9d09e5dbbbfec44ab1c98321b382bb83a106ad1043

SHA512
2adf85ebda1ca9ed5156fa0fa144b2a65a1c3b4df09fbaded2ff64ceaa8f3ee9f5182defd4da21f372580a2198b8b9c14fe18eb7cc614fde878ed239773d31ca

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\chromeBrowsers.txt

Filesize
2KB

MD5
5c06977f634c911382ca6f6107a8489a

SHA1
645062b6f09924255cd1c2c98265bacfee3f2371

SHA256
92308e2b67aa3c6989d5d744ac51faafb40886e6863adb933a3cf2e9beba0737

SHA512
19c9e324314725038a39b0e596e537b5937954f7358c56cddc25c51fdd9ef10346d77ce5c7a0703db854c9aa232dcef1bdcd16411937d526a080dd87a3793e28

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\geckoBrowsers.txt

Filesize
395B

MD5
84d16e157a64d476231d1ff7d53c562d

SHA1
ad863e9956be1b32a82062e076e1c7fc0092a479

SHA256
c2f35b643afa2d013602a448a5c14a73942f9faa281564040ac5c044602e0e1e

SHA512
4fe76a0e2e00640de9107091625c4c3392ff8f35d2bee9dbad77d04df5ba614eb8555c40d4028f80258369abae05020ea2d03acd43e24330c0bc08a6c83d2a46

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\Panel\RedLine_20_2\Panel\serviceSettings.json

Filesize
73B

MD5
743955f1424ce9a2ac9a47d49a85130d

SHA1
0baf62b984058f53698e1d4209ad2f697e557e94

SHA256
3021270c886dd192d2d35404a366bba9a26cd46f23b141f130173cbe2f0d584a

SHA512
abc349572c28a473ab2141a78ede7a4c1206a9ee7044782ac44b7de8e4e77348666659c4c5990dc0d30553826b0f8d07372616e16d750a296df2e2d9311fa8fc

Download Submit
C:\Users\Admin\Desktop\Redline_20_2_crack\ReadMe.txt

Filesize
401B

MD5
0e9ea2262b11db9e8c1656c949da4495

SHA1
f332749e10817048cea5e1584edf5e88f47024eb

SHA256
ad8361226621c8261d69e1202e7f9831a00f3bb6549d77219d5deb0e8a6cbde6

SHA512
00aae0c559823ff27ca8af431d24d4fe8a3f4683b0d776a80fb14a96d82030cedf6ec1ddf2efd7fc229e2c2b3ab3ac0b15326dc1912cdd07932ec7ff8f80975c

Download Submit
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/3304-119-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-84-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/3304-2103-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-2006-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-2002-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-1724-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-287-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-172-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-171-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-170-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-4042-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-4043-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-4046-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-75-0x00007FFF7EC73000-0x00007FFF7EC75000-memory.dmp

Filesize
8KB

Download
memory/3304-76-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/3304-78-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/3304-81-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/3304-2027-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-4186-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-62-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/3304-87-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/3304-91-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/3304-120-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/3304-121-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/3304-123-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/3304-125-0x000000001DBD0000-0x000000001DBDA000-memory.dmp

Filesize
40KB

Download
memory/3304-159-0x000000001FB00000-0x000000001FB1C000-memory.dmp

Filesize
112KB

Download
memory/3304-133-0x000000001DBE0000-0x000000001DBEA000-memory.dmp

Filesize
40KB

Download
memory/3304-105-0x000000001DEA0000-0x000000001DFE2000-memory.dmp

Filesize
1.3MB

Download
memory/3304-64-0x000000001AE50000-0x000000001AFF0000-memory.dmp

Filesize
1.6MB

Download
memory/3304-65-0x000000001AE50000-0x000000001AFF0000-memory.dmp

Filesize
1.6MB

Download
memory/3304-66-0x000000001AE50000-0x000000001AFF0000-memory.dmp

Filesize
1.6MB

Download
memory/3304-95-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/3304-97-0x000000001DAD0000-0x000000001DC12000-memory.dmp

Filesize
1.3MB

Download
memory/5064-4093-0x0000000007680000-0x0000000007C90000-memory.dmp

Filesize
6.1MB

Download
memory/5064-4092-0x00000000003E0000-0x0000000000616000-memory.dmp

Filesize
2.2MB

Download
memory/5188-12158-0x0000000024C50000-0x0000000024C9F000-memory.dmp

Filesize
316KB

Download
memory/5188-12499-0x000000001F980000-0x000000001F98A000-memory.dmp

Filesize
40KB

Download
memory/5188-12159-0x0000000025EF0000-0x000000002625C000-memory.dmp

Filesize
3.4MB

Download
memory/6444-12319-0x0000000006F60000-0x0000000006FC6000-memory.dmp

Filesize
408KB

Download
memory/6444-12323-0x0000000007440000-0x000000000745E000-memory.dmp

Filesize
120KB

Download
memory/6444-12318-0x0000000007490000-0x00000000079BC000-memory.dmp

Filesize
5.2MB

Download
memory/6444-12317-0x0000000006D90000-0x0000000006F52000-memory.dmp

Filesize
1.8MB

Download
memory/6444-12304-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/6444-12322-0x0000000007230000-0x00000000072A6000-memory.dmp

Filesize
472KB

Download
memory/8520-4255-0x000000001E660000-0x000000001E9C2000-memory.dmp

Filesize
3.4MB

Download
memory/8520-4257-0x000000001F180000-0x000000001F212000-memory.dmp

Filesize
584KB

Download
memory/8520-4288-0x000000001F420000-0x000000001F59C000-memory.dmp

Filesize
1.5MB

Download
memory/8520-4256-0x000000001E9D0000-0x000000001EF76000-memory.dmp

Filesize
5.6MB

Download
memory/9432-4143-0x0000000006680000-0x000000000678A000-memory.dmp

Filesize
1.0MB

Download
memory/9432-4147-0x0000000005C80000-0x0000000005CB0000-memory.dmp

Filesize
192KB

Download
memory/9432-4138-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/9432-4144-0x0000000005B60000-0x0000000005B88000-memory.dmp

Filesize
160KB

Download
memory/9432-4130-0x0000000005550000-0x00000000058B2000-memory.dmp

Filesize
3.4MB

Download
memory/9432-4131-0x00000000058C0000-0x0000000005A3C000-memory.dmp

Filesize
1.5MB

Download
memory/9432-4124-0x0000000000870000-0x0000000000894000-memory.dmp

Filesize
144KB

Download
memory/9432-4135-0x0000000005210000-0x0000000005236000-memory.dmp

Filesize
152KB

Download
memory/9432-4142-0x0000000005F60000-0x000000000602E000-memory.dmp

Filesize
824KB

Download
memory/9432-4146-0x0000000006890000-0x0000000006990000-memory.dmp

Filesize
1024KB

Download
memory/9432-4141-0x00000000054B0000-0x00000000054FC000-memory.dmp

Filesize
304KB

Download
memory/9432-4140-0x0000000005CD0000-0x0000000005F56000-memory.dmp

Filesize
2.5MB

Download
memory/9432-4136-0x0000000006060000-0x0000000006678000-memory.dmp

Filesize
6.1MB

Download
memory/9432-4137-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/9432-4145-0x0000000005BE0000-0x0000000005C30000-memory.dmp

Filesize
320KB

Download
memory/9432-4139-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/9884-12221-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/9884-12226-0x0000000006200000-0x000000000625E000-memory.dmp

Filesize
376KB

Download
memory/9884-12222-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/9884-12220-0x0000000006290000-0x0000000006836000-memory.dmp

Filesize
5.6MB

Download
memory/9884-12215-0x0000000000B10000-0x0000000000B38000-memory.dmp

Filesize
160KB

Download
memory/9992-3989-0x00000000206C0000-0x0000000020770000-memory.dmp

Filesize
704KB

Download
memory/9992-3960-0x0000000020570000-0x0000000020582000-memory.dmp

Filesize
72KB

Download
memory/9992-4048-0x0000000022290000-0x00000000222CC000-memory.dmp

Filesize
240KB

Download
memory/9992-3974-0x00000000205D0000-0x000000002060A000-memory.dmp

Filesize
232KB

Download
memory/9992-4023-0x0000000020860000-0x00000000208D4000-memory.dmp

Filesize
464KB

Download
memory/9992-4037-0x00000000221B0000-0x00000000221FA000-memory.dmp

Filesize
296KB

Download
memory/9992-4038-0x0000000022160000-0x00000000221B0000-memory.dmp

Filesize
320KB

Download
memory/9992-4047-0x0000000022270000-0x0000000022282000-memory.dmp

Filesize
72KB

Download
memory/9992-3946-0x0000000020330000-0x000000002034A000-memory.dmp

Filesize
104KB

Download
memory/10588-8058-0x00000000201E0000-0x00000000207F8000-memory.dmp

Filesize
6.1MB

Download
memory/10588-8044-0x000000001FD10000-0x000000001FF96000-memory.dmp

Filesize
2.5MB

Download
memory/10588-8059-0x0000000020800000-0x0000000020900000-memory.dmp

Filesize
1024KB

Download
memory/10588-8154-0x0000000021F30000-0x0000000021FCC000-memory.dmp

Filesize
624KB

Download
memory/10588-8157-0x0000000021CC0000-0x0000000021D0F000-memory.dmp

Filesize
316KB

Download
memory/10588-8043-0x000000001FCA0000-0x000000001FD06000-memory.dmp

Filesize
408KB

Download
memory/10588-8158-0x0000000024CB0000-0x0000000024DBA000-memory.dmp

Filesize
1.0MB

Download
memory/10588-8159-0x0000000024B70000-0x0000000024BA0000-memory.dmp

Filesize
192KB

Download
memory/10588-8160-0x0000000024950000-0x0000000024972000-memory.dmp

Filesize
136KB

Download
memory/10588-8161-0x0000000025A60000-0x0000000025DCC000-memory.dmp

Filesize
3.4MB

Download
memory/10588-8176-0x0000000025F40000-0x0000000025F58000-memory.dmp

Filesize
96KB

Download