redline | 34c5044ae9b4eaea508f2444a2bdc861b5baef9839950e7f0ac8f478119b7923

Resubmissions

22-01-2025 19:28

250122-x6w59a1nh1 10

14-01-2025 19:55

250114-ym6e9axpdz 10

05-08-2024 17:35

240805-v5z5eaxakf 10

Analysis

max time kernel
248s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crunchyroll Checker by xRisky.exe
Size

2.2MB
MD5

c1569f6f8a566286be9c1462a45439f0
SHA1

495666664562a811021e044228917b25a8a9c0b6
SHA256

34c5044ae9b4eaea508f2444a2bdc861b5baef9839950e7f0ac8f478119b7923
SHA512

0fb49a006c99c59bb5b55df40a108bdff3cbe01830af5ce051c61fff1a631ea8fdb8153aa7bb0739415fe97fbf67830c3c3228f901e8b2c9f0c39f2cda1e135f
SSDEEP

49152:gRArNHv39/gvqDZEsLXN4c1ILuo2iue915Y:4uNHvt/lEe0uo21e9

Score

10^/10

redline sectoprat ultimatecrackpack agilenet discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

51.83.170.23:16128

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1008-227-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1008-227-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crunchyroll Checker by xRisky.exe

Executes dropped EXE 3 IoCs

pid	Process
2128	Ultimate-Crack-Pack.exe
4916	Crunchyroll Checker by xRisky.exe
5212	msconfig.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
4916	Crunchyroll Checker by xRisky.exe
4916	Crunchyroll Checker by xRisky.exe
4916	Crunchyroll Checker by xRisky.exe
4916	Crunchyroll Checker by xRisky.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4916-218-0x0000000005270000-0x00000000053C8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration\\msconfig.exe.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration\\msconfig.exe.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5720	powershell.exe
2508	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 1008	2128	Ultimate-Crack-Pack.exe	154
PID 5212 set thread context of 4352	5212	msconfig.exe.exe	212

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msconfig.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crunchyroll Checker by xRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Crunchyroll Checker by xRisky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Crunchyroll Checker by xRisky.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Crunchyroll Checker by xRisky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	Crunchyroll Checker by xRisky.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Crunchyroll Checker by xRisky.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "5"	Crunchyroll Checker by xRisky.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Crunchyroll Checker by xRisky.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Crunchyroll Checker by xRisky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Crunchyroll Checker by xRisky.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Crunchyroll Checker by xRisky.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Crunchyroll Checker by xRisky.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Crunchyroll Checker by xRisky.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2664	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
2508	powershell.exe
2508	powershell.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
2544	msedge.exe
2544	msedge.exe
3616	msedge.exe
3616	msedge.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
4296	identity_helper.exe
4296	identity_helper.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5256	msedge.exe
4916	Crunchyroll Checker by xRisky.exe
3868	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	taskmgr.exe
Token: SeSystemProfilePrivilege	3868	taskmgr.exe
Token: SeCreateGlobalPrivilege	3868	taskmgr.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: SeDebugPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1008	RegAsm.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: 33	4916	Crunchyroll Checker by xRisky.exe
Token: SeIncBasePriorityPrivilege	4916	Crunchyroll Checker by xRisky.exe
Token: SeDebugPrivilege	5212	msconfig.exe.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	4352	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3868	taskmgr.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
4916	Crunchyroll Checker by xRisky.exe
4916	Crunchyroll Checker by xRisky.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2128	1128	Crunchyroll Checker by xRisky.exe	84
PID 1128 wrote to memory of 2128	1128	Crunchyroll Checker by xRisky.exe	84
PID 1128 wrote to memory of 2128	1128	Crunchyroll Checker by xRisky.exe	84
PID 1128 wrote to memory of 5064	1128	Crunchyroll Checker by xRisky.exe	85
PID 1128 wrote to memory of 5064	1128	Crunchyroll Checker by xRisky.exe	85
PID 5064 wrote to memory of 2792	5064	Crunchyroll Checker by xRisky.exe	86
PID 5064 wrote to memory of 2792	5064	Crunchyroll Checker by xRisky.exe	86
PID 2792 wrote to memory of 2816	2792	Crunchyroll Checker by xRisky.exe	87
PID 2792 wrote to memory of 2816	2792	Crunchyroll Checker by xRisky.exe	87
PID 2816 wrote to memory of 4072	2816	Crunchyroll Checker by xRisky.exe	88
PID 2816 wrote to memory of 4072	2816	Crunchyroll Checker by xRisky.exe	88
PID 4072 wrote to memory of 2564	4072	Crunchyroll Checker by xRisky.exe	89
PID 4072 wrote to memory of 2564	4072	Crunchyroll Checker by xRisky.exe	89
PID 2564 wrote to memory of 516	2564	Crunchyroll Checker by xRisky.exe	90
PID 2564 wrote to memory of 516	2564	Crunchyroll Checker by xRisky.exe	90
PID 516 wrote to memory of 3452	516	Crunchyroll Checker by xRisky.exe	91
PID 516 wrote to memory of 3452	516	Crunchyroll Checker by xRisky.exe	91
PID 3452 wrote to memory of 1424	3452	Crunchyroll Checker by xRisky.exe	93
PID 3452 wrote to memory of 1424	3452	Crunchyroll Checker by xRisky.exe	93
PID 1424 wrote to memory of 4212	1424	Crunchyroll Checker by xRisky.exe	94
PID 1424 wrote to memory of 4212	1424	Crunchyroll Checker by xRisky.exe	94
PID 4212 wrote to memory of 5012	4212	Crunchyroll Checker by xRisky.exe	95
PID 4212 wrote to memory of 5012	4212	Crunchyroll Checker by xRisky.exe	95
PID 5012 wrote to memory of 488	5012	Crunchyroll Checker by xRisky.exe	96
PID 5012 wrote to memory of 488	5012	Crunchyroll Checker by xRisky.exe	96
PID 488 wrote to memory of 4452	488	Crunchyroll Checker by xRisky.exe	97
PID 488 wrote to memory of 4452	488	Crunchyroll Checker by xRisky.exe	97
PID 4452 wrote to memory of 5020	4452	Crunchyroll Checker by xRisky.exe	98
PID 4452 wrote to memory of 5020	4452	Crunchyroll Checker by xRisky.exe	98
PID 5020 wrote to memory of 4664	5020	Crunchyroll Checker by xRisky.exe	99
PID 5020 wrote to memory of 4664	5020	Crunchyroll Checker by xRisky.exe	99
PID 4664 wrote to memory of 428	4664	Crunchyroll Checker by xRisky.exe	100
PID 4664 wrote to memory of 428	4664	Crunchyroll Checker by xRisky.exe	100
PID 428 wrote to memory of 1188	428	Crunchyroll Checker by xRisky.exe	101
PID 428 wrote to memory of 1188	428	Crunchyroll Checker by xRisky.exe	101
PID 1188 wrote to memory of 1376	1188	Crunchyroll Checker by xRisky.exe	102
PID 1188 wrote to memory of 1376	1188	Crunchyroll Checker by xRisky.exe	102
PID 1376 wrote to memory of 700	1376	Crunchyroll Checker by xRisky.exe	103
PID 1376 wrote to memory of 700	1376	Crunchyroll Checker by xRisky.exe	103
PID 700 wrote to memory of 4308	700	Crunchyroll Checker by xRisky.exe	105
PID 700 wrote to memory of 4308	700	Crunchyroll Checker by xRisky.exe	105
PID 4308 wrote to memory of 2068	4308	Crunchyroll Checker by xRisky.exe	106
PID 4308 wrote to memory of 2068	4308	Crunchyroll Checker by xRisky.exe	106
PID 2068 wrote to memory of 1620	2068	Crunchyroll Checker by xRisky.exe	107
PID 2068 wrote to memory of 1620	2068	Crunchyroll Checker by xRisky.exe	107
PID 1620 wrote to memory of 3124	1620	Crunchyroll Checker by xRisky.exe	108
PID 1620 wrote to memory of 3124	1620	Crunchyroll Checker by xRisky.exe	108
PID 3124 wrote to memory of 404	3124	Crunchyroll Checker by xRisky.exe	109
PID 3124 wrote to memory of 404	3124	Crunchyroll Checker by xRisky.exe	109
PID 404 wrote to memory of 744	404	Crunchyroll Checker by xRisky.exe	110
PID 404 wrote to memory of 744	404	Crunchyroll Checker by xRisky.exe	110
PID 744 wrote to memory of 1408	744	Crunchyroll Checker by xRisky.exe	111
PID 744 wrote to memory of 1408	744	Crunchyroll Checker by xRisky.exe	111
PID 1408 wrote to memory of 2124	1408	Crunchyroll Checker by xRisky.exe	112
PID 1408 wrote to memory of 2124	1408	Crunchyroll Checker by xRisky.exe	112
PID 2124 wrote to memory of 3672	2124	Crunchyroll Checker by xRisky.exe	113
PID 2124 wrote to memory of 3672	2124	Crunchyroll Checker by xRisky.exe	113
PID 3672 wrote to memory of 3024	3672	Crunchyroll Checker by xRisky.exe	114
PID 3672 wrote to memory of 3024	3672	Crunchyroll Checker by xRisky.exe	114
PID 3024 wrote to memory of 4348	3024	Crunchyroll Checker by xRisky.exe	115
PID 3024 wrote to memory of 4348	3024	Crunchyroll Checker by xRisky.exe	115
PID 4348 wrote to memory of 388	4348	Crunchyroll Checker by xRisky.exe	116
PID 4348 wrote to memory of 388	4348	Crunchyroll Checker by xRisky.exe	116
PID 388 wrote to memory of 2420	388	Crunchyroll Checker by xRisky.exe	117

C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
"C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
    "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
      "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        14⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        15⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        16⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        17⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        18⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        19⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        20⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        21⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        22⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        23⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        24⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        25⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        26⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        27⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        28⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        29⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        30⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        31⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        32⤵
        Checks computer location settings
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        33⤵
        Checks computer location settings
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        34⤵
        Checks computer location settings
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        35⤵
        Checks computer location settings
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        36⤵
        Checks computer location settings
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        37⤵
        Checks computer location settings
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        38⤵
        Checks computer location settings
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        39⤵
        Checks computer location settings
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        40⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        41⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        42⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        43⤵
        Checks computer location settings
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        44⤵
        Checks computer location settings
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        45⤵
        Checks computer location settings
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        46⤵
        Checks computer location settings
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        47⤵
        Checks computer location settings
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        48⤵
        Checks computer location settings
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        49⤵
        Checks computer location settings
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        50⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        51⤵
        Checks computer location settings
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        52⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        53⤵
        Checks computer location settings
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        54⤵
        Checks computer location settings
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        55⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        56⤵
        Checks computer location settings
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        57⤵
        Checks computer location settings
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        58⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5bd546f8,0x7ffb5bd54708,0x7ffb5bd54718
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7862488200039018239,17103883276790201142,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5816 /prefetch:2
  2⤵
  PID:5684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\f.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2664

C:\Users\Admin\Desktop\msconfig.exe.exe
"C:\Users\Admin\Desktop\msconfig.exe.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5bd546f8,0x7ffb5bd54708,0x7ffb5bd54718
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11650154682039317754,5750594369662997898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:5448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Crunchyroll Checker by xRisky.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1f722e9f4c2dbf474ae07e72112947c

SHA1
99a1a9eaab3d3bab5a800dc1e5ef141aaa48e847

SHA256
eaf4006a4d21d0787b2c4fc4f41af05e55851ccc91356f19c930a00387a27e0d

SHA512
477e63eaca418b9c67bac0c4c22b8ac321530727b84a7d8488487cfc65e12191d170f4053b51a7d4c7c1341386cec603416747bc0319f5439ad81b1723e0d3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae8b244ad448e26c6f273f215a8aba1a

SHA1
d6f5fc9b5b867b7dcfccc82c88ae85400e657cb0

SHA256
15748669b0554666a19b8b3eaa7dc83dd6272626884315eb23e3df706fb2c78c

SHA512
5c2c65fa1efbe4fb20be98ae4f1edecd7968deb5ec8922ef235c63f1bce34c61c0a29aee659c5ddc8daa1ad5de579d7d6da8b6a7b969039ffdeceb5e4eaea3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
3269fd86fdc9206de87bd60fa240f8b4

SHA1
54f6de7969ac2011c7911255e42487edb0ebf29a

SHA256
09fbe7ee8302bc64166dac1458f3e10609ea29696a83b5babf0e158cd99e8a98

SHA512
eeb5a69dedde1595aa22827b1220479bf893f703a5ff3b69343521224ced7fda8c4ccc319f43dcf17decf55443ea10f467df9bce36bc6bae7624c6b881a3032d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
6e40542a9a6ab8184d3874a3f9d51254

SHA1
b9b29df85e1734721e2ff038d0abacd229926e09

SHA256
d072c5f57b43bf9cee7ea72a547b64722b63996e2df600612e880be24584a85f

SHA512
d183e6843cb6e34dfb947e21ee66d25e1d288cabc23be1894656a47b720eebbda0442908e00232217a2e84858dfdf9902426696b5847a9ae71ffdc64830f62dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
76e71798af7729a31ee0534d205ac857

SHA1
cfe09d5c1c92d0ba05750a6de61516cda19c0359

SHA256
0dfb81e219211c31fce7f9db677d06fa7794abe95f914a042e23d723041d950e

SHA512
08df5bfa294f6f63aad3dcce6d335f8c257136f4a34fd8c8a1816d961451e510a8b8da70e698993c49fbdf6996a1583f20ba055db3953d3c43b6260a4aa99aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8e38494a7f723f6d0477d65e1c5093fe

SHA1
7086573df3d09ab7bfe995e8b81ba634c2fe33ac

SHA256
8cee04bb404f3ac99fe746dea9f2a25207be3d6331801d6e076ef3711163a5b4

SHA512
e60caa5f83de617529b0a97f0679845f2c960d94b6b4c8a63aac6dcedeed4495c06cde1cd1bc3d00a99c0882c7708d97dbcb99a589487c7b88bcb1789d345e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
21ab696f884bb604561b47aac2b90a5c

SHA1
181f35101e0b8ca12ba72396c98e34985214e4dd

SHA256
4eb05ae0e4417d5d8cff18c940e0ad4b5dccefc9c9a1580bd2a7987268ad9162

SHA512
3bd2623dd4fbfb4af44769345d8adf836d04bd0d110efccb79e900dd203089582066c18602b9395825ae7a0d490be9b1d8dde300d59fb9c27496650fc04f2f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
93ecb216e665928a208dd08b07b844bb

SHA1
5def7c6155d76316eb48f9f0c0c44f3c9fd873ef

SHA256
ecff32cc19852ab6df0016bcf3b79ad15b610e8d62e8669df7383f1ab065e62f

SHA512
43c88c5fdb7cc18d5c86d88668008577a6e5661b74cd7bc6ebdf4406f1c26a7f3b7dcb4b19f282438cccb86d71968cb444133d8325f4896ddc0e1fad791f4505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2676a041ded30f86b51adff033493bfc

SHA1
9f534c4ce1524a669242a006d417a293129a4330

SHA256
46f3c9f57d7c59e05c810f2e5bf74276208a4e4082dfceca7599629a329f1eb9

SHA512
6c7ec53e8ff45993cb682c9663d3264926ca32df5405799e09da784472dbd1a5cf853fa48504032c5b35eafdae25a82233f8d1618883bd40feb08ee8dd465366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0578793438017852f71b6d2d40d832ed

SHA1
92ccfa189c209f62917bab2a2ee9074ba0bf5818

SHA256
8cbd5f5c3bfd125633e118122c7cb6137c3aea97c8709cebd9a1619c62131bf2

SHA512
e9a0bb48d0dfc978b7bab43a0dcc20fe85b3a4211560a4495e6296aa3275fa99d2da47d425263cf450ece45cb8a672cb0c7aaa50803de350e6dea24a260a360a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fe4a5d6493187031a06d80969fe8e19c

SHA1
27c084df97e9046ee2d4ea0e6c019efd02ff0ede

SHA256
11d7df994e9b37c10cdc47c1f3efea1d7d11497f93c6b747481999ea4ee3bae8

SHA512
1d4a9f0b2f191ead24a3fa1fc36556a514350f719ebf890eb5f4cafb7a19189c87eebce233c415d24911e9af9ef5b6eb064c09b8f82c3b874bdf37670caf281e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c33ff6550a3539b71a4ed1ffcded476

SHA1
086a0a6767c99bc29cd57853484cdc6a6c4e76bb

SHA256
7f7f9adfa8bda22a96151f9cd04b25052ca824eeed21e78c56ef923c9edc0d06

SHA512
fa89a3fe81de2724a1cd9fa8643a74917f229c17f7d411a5f276d8476258d08ead69f1fb85975a503be7e89e45a128679d2031d4d2f7df321797646302ca9757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a6fc6176b313178faf9666902f0cf11

SHA1
ad96a0eb0f24ba96422066c2bbebfa3a74dbaa49

SHA256
c70c2bf8b29dd87e4132de90a7e982fbd06fa2b63058287471a6d1a9f5653488

SHA512
068b271511b726d6217ec48c28554eda591af28b33ffffabd91fd82fe3cfbd335387ad03b9cabdd3caff1668a447359e54654efbafea8bb42d466b80e68d5cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b539899e583ddac51027a1f75db4eee2

SHA1
eb0f602b1e16bb20ff3f060ff779f9dc54ea69d5

SHA256
367569ea5b005aae961c3f2e2e03eec8d5c699c3f0192ae0269bbbb17fe9e8de

SHA512
92952da935313cf68eacaf6215b30809c07f597895f67f32f7e96f7b53d5df18a75acddcc86d8868aa0207cc013cd7bf637c74ea2d9d7a76cecf6427e74b604c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e5d6e1c9a03281756062313de02e177

SHA1
aa5816067292df46bf7bdff34ae6a2322ef6fdef

SHA256
e321fe7a22a4c131c13a3d5a32278a8145a6cae7a41cc85b59f60265a3ee9b8b

SHA512
f1a2d5eadcdf1f13a4be12e1384f6a7f5e62be9c8f5efd36cbab726a633cbedd7c3be3629226e4d1ef45427de9d29c6a08d31c98d740c7563b17fb64afc3cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
38f07b20b679513c1d7068c1631f557e

SHA1
8d1fdd13f9c3475a0dfe6b9ba376aecc56a6c4be

SHA256
70d34ddc9176c2a62cf0887e0df77912b49b5b77d8e46b717068bddb1bd59ef7

SHA512
1ade8a7d801d94be3f8ff1d73d1b4019f1ec1f13b92dd66b36eb6fb927990cd29e0244276b8275275ea80926a719cada5f62bb628a0adc78c812e19b9a2ca894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
91bb653d50ea16579d6337dab8f2a143

SHA1
515a15c334eb7fd6f9f770e567f052f3af33804b

SHA256
dbc95f12283db7478fd41403db0c4e1a33787f9151b885404d96510e935925ed

SHA512
1460612fb8f74dd9277fd358c49e897981febde728cd7b674aaa26a839576e6c967a69dcd189cf4865ad46c8e1d523d4528032a6f88a90a5402a40ad65587e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba5022068126f13e2e4d9c841620c4c7

SHA1
6b212ddade77ab5817eaf43e1025cc88d18cd52d

SHA256
5490a0fb87f5959fb87438fe45b12fc1addfaa764db29785a0be2ea46a3f5569

SHA512
01d9d50d34734b96cf154e606ec83c5efd7b76c7e8f30250dfd0a43b6939cdc2de81ba7b120e22611e1791f326f2cbab6d19dbf3b1d5d229d086e9661760794c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c74264ecf06b96585744636fae19b7a4

SHA1
b35b828dd25783e6b92e9a3cdedf58eab25fc6f1

SHA256
3e9393db5ee7cde7f89d7f0c01f9a3cf1e1cb2f93c1516a34f7ff73c4d99e6de

SHA512
f3f414291a17fcb435391549c367f4733c37a914750c10bf199c43df32dcac864ded2008edeccf51aeb80c844cdeb2cea71b2067e6baa5ace7f037039f9bf508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
363b99de55c93eea871c2c4ced919e67

SHA1
b9ee1adb7aa1f6d55202b00a3a7085e7c466df54

SHA256
24af8d6f07d21045f6231d5452a1448c618423406abd01954c2da70d91111316

SHA512
fb16c007f3234a1576e8bc83b800098607b04abfd9d5e24d0574282a1a6a2564277a2609857720b4c767082633348e4f121bc18a28ea6f5aa4e862c7ce2e1e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fc8b.TMP

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cfb215d425459f464cd9442d05cab724

SHA1
b44033083c8e628d695356fc285beb1b41290788

SHA256
e88ad8b6d65a9e9c6b96f5484b385e793c20a785e052e3b756467b4de80175bd

SHA512
38cb77ef16c51c51d4da214e88ed69790eab7d15ee756f5ea8854fc37bd943b0803d7788131b6f59b04bb041ed1813528160a9fde2020ffd2c779e167679bac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bf9ba11e8fff79529208bac01b00c811

SHA1
3121c7eb44874c1d3eadc6b2737f28ef15fb376a

SHA256
3ca39b5a6593da8e419c63c817a3473a7c7a5aaa84ccd54457646e5d1189a2e4

SHA512
7f0e3ea438f3c2ac72e54a33793b633c3914ace3b37fcd4def4ec4df1edc48bd314fe5505500d543b02e6650395295279d45350e23885bd07d0a504b14d3628a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab307eaff7da7b0cc50a4f461b760345

SHA1
ce54905efc41b91ff6abf2dae2bd001c7da443c1

SHA256
265041c411e4cc1ce08938fa772f9274de24981f28fdc5a2e60081e861c1fc10

SHA512
f759da5ac624749e1e9cb82ac497347aa08c2ab279e6dcd35c892e3b5821a6882fe35b2172cdc44bb4e92b0ab6b54071f2fa38354e8401cea93545b50a742216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crunchyroll Checker by xRisky.exe

Filesize
1.6MB

MD5
08b38d8dfed76440354393c3a83a06e2

SHA1
28fb407cf185284a3c7e3616e15caa7c03d37ae3

SHA256
fd8b6add3cf06c7941cd85cd8741d7e639fced8b4ec2fcb96d58e7bbab334185

SHA512
4f7417b3b047f21e9ffe620bf9891a8ea6f46780515ff6d7e558b5bd7f0716797e056afbe44ac68c754fb8551d02d995474b39275d7841ce6cc664c9222120ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
115KB

MD5
42cf916df4ea1d300201ec9559b7bef3

SHA1
f58abe0ad5f3e033a9dbebcebd02692c5d35936d

SHA256
939c8980bcb9bd9a2279714f6086714229e7af194ec4e32677c5a4ed96db5edd

SHA512
2d03d21b369b9784329573e8219553f4c6b3cae66515ebe7409154c7457e3cfb95f8dfac5bae57820ade2a5219dd7d10ce34d72ec8971b2fbb7024a5a23cc1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dll

Filesize
305KB

MD5
0d30a398cec0ff006b6ea2b52d11e744

SHA1
4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45

SHA256
8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654

SHA512
8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe

Filesize
115KB

MD5
dc6f230a993249cbe632aea3edbbd63e

SHA1
ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

SHA256
a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

SHA512
7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc3dkuwk.y13.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1008-244-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/1008-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1008-249-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/1008-247-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download
memory/1008-246-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/1008-245-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/1128-1-0x00000000003A0000-0x00000000005DA000-memory.dmp

Filesize
2.2MB

Download
memory/1128-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/2128-224-0x0000000004E40000-0x0000000004E62000-memory.dmp

Filesize
136KB

Download
memory/2128-28-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/2128-20-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2128-225-0x0000000004E90000-0x0000000004EAE000-memory.dmp

Filesize
120KB

Download
memory/2128-23-0x0000000000190000-0x00000000001B4000-memory.dmp

Filesize
144KB

Download
memory/2128-31-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/2128-32-0x0000000004DC0000-0x0000000004E36000-memory.dmp

Filesize
472KB

Download
memory/2128-26-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/2508-233-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/2508-229-0x0000000005050000-0x0000000005086000-memory.dmp

Filesize
216KB

Download
memory/2508-251-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/2508-250-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/2508-248-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/2508-243-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/2508-231-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/2508-232-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/2508-230-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/2508-252-0x0000000006BE0000-0x0000000006C02000-memory.dmp

Filesize
136KB

Download
memory/3868-109-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-108-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-107-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-117-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-121-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-120-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-115-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-116-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-118-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/3868-119-0x000001A344CD0000-0x000001A344CD1000-memory.dmp

Filesize
4KB

Download
memory/4916-218-0x0000000005270000-0x00000000053C8000-memory.dmp

Filesize
1.3MB

Download
memory/4916-219-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download
memory/4916-220-0x0000000005230000-0x0000000005254000-memory.dmp

Filesize
144KB

Download
memory/4916-221-0x0000000005DE0000-0x0000000005E34000-memory.dmp

Filesize
336KB

Download
memory/4916-222-0x0000000006110000-0x0000000006166000-memory.dmp

Filesize
344KB

Download
memory/4916-223-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/5064-27-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/5064-19-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/5720-699-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download