redline | c9ae7d325d8f08613bb8dff54d14591f4fbdd4f289509092b4fbb16c6b855d71

Resubmissions

07-02-2025 18:21

250207-wzas1a1rbs 10

07-02-2025 18:14

250207-wvew6asrbr 10

14-02-2024 18:20

240214-wyrecshf8w 10

Analysis

max time kernel
318s
max time network
315s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-02-2025 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline.zip
Size

15.0MB
MD5

0f686985e788860aa57fd6c0394b31ac
SHA1

16a28142b90396bdec88b542856afc6a1d61de63
SHA256

c9ae7d325d8f08613bb8dff54d14591f4fbdd4f289509092b4fbb16c6b855d71
SHA512

42547b6a691c89ed58b8aa0bbd4e11b1c4411bd5291c10a8f575d5c2b8418fb2ed59f14a9838db3864468d751b396abbae0bf0389e407dc7c6e0013c47dfa036
SSDEEP

393216:Qo/GNMywpahzUACC3ubztEDnaYSH0DrmLMlvWqYiABvXpyVIqtR5R:Qo/GUCUAJ3uVmaiDr1Wln1ZyV/R5R

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

127.0.0.1:4483

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/6004-4119-0x000000001F1B0000-0x000000001F1CA000-memory.dmp	family_redline
behavioral1/files/0x0007000000027f3f-12459.dat	family_redline
behavioral1/files/0x0019000000027754-12474.dat	family_redline
behavioral1/memory/1872-12476-0x0000000000BE0000-0x0000000000BFE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000027f3f-12459.dat	family_sectoprat
behavioral1/files/0x0019000000027754-12474.dat	family_sectoprat
behavioral1/memory/1872-12476-0x0000000000BE0000-0x0000000000BFE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000\Control Panel\International\Geo\Nation	Panel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000\Control Panel\International\Geo\Nation	Panel.exe

Executes dropped EXE 11 IoCs

pid	Process
5560	Panel.exe
6004	Panel.exe
1812	Kurome.Loader.exe
3320	Kurome.Host.exe
5728	Kurome.Loader.exe
1092	Panel.exe
2372	Panel.exe
5096	Panel.exe
5924	Panel.exe
556	Kurome.Builder.exe
1872	build.exe

Loads dropped DLL 20 IoCs

pid	Process
3320	Kurome.Host.exe
3320	Kurome.Host.exe
3320	Kurome.Host.exe
3320	Kurome.Host.exe
3320	Kurome.Host.exe
3320	Kurome.Host.exe
5728	Kurome.Loader.exe
5728	Kurome.Loader.exe
5728	Kurome.Loader.exe
5728	Kurome.Loader.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
556	Kurome.Builder.exe
1872	build.exe
1872	build.exe
1872	build.exe
1872	build.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
6004	Panel.exe
1092	Panel.exe
1092	Panel.exe
1092	Panel.exe
1092	Panel.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	Kurome.Loader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurome.Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0 = 5000310000000000475a5892100050616e656c003c0009000400efbe4e585891475a5b922e000000507f0200000007000000000000000000000000000000f3df1401500061006e0065006c00000014000000	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 90003100000000004e58559110005245444c494e7e312e52552d0000740009000400efbe4e585591475ae3912e000000585c0100000003000000000000000000000000000000a20a73005200650064006c0069006e0065002d0042006f0074006e00650074002d005f00650064002d002d006400720063007200790070007400650072002e00720075002d0000001c000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0 = 62003100000000002553280d10005245444c494e7e3100004a0009000400efbe4e585891475ae3912e0000004c7f0200000007000000000000000000000000000000000000005200650064004c0069006e0065005f00320030005f003200000018000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001fcf831b6579db018c7ee3358c79db018c7ee3358c79db0114000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0 = 5000310000000000d5562c73100050616e656c003c0009000400efbe4e585891475ae3912e0000004a7f020000000700000000000000000000000000000090e68f00500061006e0065006c00000014000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "13"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0\MRUListEx = ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 9800310000000000475a0d9210005245444c494e7e312e52555f00007c0009000400efbe4e585591475a0d922e0000006b5c01000000030000000000000000000000000000000a2f1f005200650064006c0069006e006500200042006f0074006e0065007400200043007200610063006b006500640020005b006400720063007200790070007400650072002e00720075005d0000001c000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\MRUListEx = 00000000ffffffff	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000475ae39111004465736b746f7000680009000400efbe475a656c475ae3912e000000ff0501000000020000000000000000003e00000000007472f3004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff	Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1756055536-2479543328-1280407653-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	Panel.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4936	msedge.exe
4936	msedge.exe
4388	msedge.exe
4388	msedge.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
5560	Panel.exe
6004	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe
6004	Panel.exe
5560	Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5084	7zFM.exe
5924	Panel.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5084	7zFM.exe
Token: 35	5084	7zFM.exe
Token: SeSecurityPrivilege	5084	7zFM.exe
Token: SeDebugPrivilege	5560	Panel.exe
Token: SeDebugPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: SeDebugPrivilege	1812	Kurome.Loader.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: SeDebugPrivilege	3320	Kurome.Host.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: 33	6004	Panel.exe
Token: SeIncBasePriorityPrivilege	6004	Panel.exe
Token: SeDebugPrivilege	5728	Kurome.Loader.exe
Token: SeDebugPrivilege	1092	Panel.exe
Token: SeDebugPrivilege	2372	Panel.exe
Token: 33	2372	Panel.exe
Token: SeIncBasePriorityPrivilege	2372	Panel.exe
Token: 33	2372	Panel.exe
Token: SeIncBasePriorityPrivilege	2372	Panel.exe
Token: 33	2372	Panel.exe
Token: SeIncBasePriorityPrivilege	2372	Panel.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
5084	7zFM.exe
5084	7zFM.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4532	NOTEPAD.EXE
6004	Panel.exe
5924	Panel.exe
5924	Panel.exe
1468	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5560	Panel.exe
6004	Panel.exe
1092	Panel.exe
2372	Panel.exe
5096	Panel.exe
5924	Panel.exe
5924	Panel.exe
5924	Panel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4608	4388	msedge.exe	95
PID 4388 wrote to memory of 4608	4388	msedge.exe	95
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 2840	4388	msedge.exe	96
PID 4388 wrote to memory of 4936	4388	msedge.exe	97
PID 4388 wrote to memory of 4936	4388	msedge.exe	97
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98
PID 4388 wrote to memory of 4552	4388	msedge.exe	98

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Redline.zip
1⤵
PID:1172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2228

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Redline.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drcrypter.ru/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff828ce46f8,0x7ff828ce4708,0x7ff828ce4718
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4136 /prefetch:2
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1552 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,3135613783911672857,9639936419943423616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5560
- C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6004

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Kurome.Host.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Kurome.Host.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\ReadMe.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:4532

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092
- C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
  "C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe" "--monitor"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2372
- - C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
    "C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApoV4aSefAEasWoiN8k2aIwAAAAACAAAAAAAQZgAAAAEAACAAAACSRtkna6aSfBxJMP+W23cAN/DNo/+KzHNlpc/BW6YbUgAAAAAOgAAAAAIAACAAAAD5gZ0PE/QBPbsfpC2pcbVeZLx8OQM4tXMu3hlgNe0XYxAAAABDKJrv+K5D6VkzZ80cABErQAAAACiwr11bfUK/FGtGlcAPVD0CeKlvt/S72Oh/Jtsg4o4NHqimYcNDAOd02zh1+LhtTvHmHNsWIgyEM9fhD3xEAdI=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApoV4aSefAEasWoiN8k2aIwAAAAACAAAAAAAQZgAAAAEAACAAAABNtrPbM9rQ8guhMgxBB5D2YwAYcVT8Gu7jrXi970sV6gAAAAAOgAAAAAIAACAAAABvCaIql0pcMM7fbVQsmPxNDO7ziyzP2ZUknHWS+cN/mxAAAADFUkrD5WgXe9VcvaUBn0UAQAAAAFIUbhWKVJDiJvjUYs1VQ0sX8GTDRYSIzC2IY66mrD01LAVK2SMGnI9NApQ8UVy5Zrb6TWnGwgUE2wNe+vZ2uHs="
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5096
  - - C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe
      "C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe" "auth" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApoV4aSefAEasWoiN8k2aIwAAAAACAAAAAAAQZgAAAAEAACAAAACSRtkna6aSfBxJMP+W23cAN/DNo/+KzHNlpc/BW6YbUgAAAAAOgAAAAAIAACAAAAD5gZ0PE/QBPbsfpC2pcbVeZLx8OQM4tXMu3hlgNe0XYxAAAABDKJrv+K5D6VkzZ80cABErQAAAACiwr11bfUK/FGtGlcAPVD0CeKlvt/S72Oh/Jtsg4o4NHqimYcNDAOd02zh1+LhtTvHmHNsWIgyEM9fhD3xEAdI=" "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAApoV4aSefAEasWoiN8k2aIwAAAAACAAAAAAAQZgAAAAEAACAAAABNtrPbM9rQ8guhMgxBB5D2YwAYcVT8Gu7jrXi970sV6gAAAAAOgAAAAAIAACAAAABvCaIql0pcMM7fbVQsmPxNDO7ziyzP2ZUknHWS+cN/mxAAAADFUkrD5WgXe9VcvaUBn0UAQAAAAFIUbhWKVJDiJvjUYs1VQ0sX8GTDRYSIzC2IY66mrD01LAVK2SMGnI9NApQ8UVy5Zrb6TWnGwgUE2wNe+vZ2uHs=" "--monitor"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:5924

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\Kurome.Builder.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\Kurome.Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:556

C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\build.exe
"C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\build.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\GB[28FFAEC19A43D5223C9C62766A5C61B8] [2025-02-07T18_18_46.1542086]\Cookies\Microsoft_[Edge]_Default.txt
1⤵
PID:5612

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\GB[28FFAEC19A43D5223C9C62766A5C61B8] [2025-02-07T18_18_46.1542086]\UserInformation.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Panel.exe.log

Filesize
2KB

MD5
2684b000ef694efa9d00f9bf35819d7d

SHA1
c10f337d6af9868ced12c5957ce8429defe57e93

SHA256
6beb9f3e0a94b467712961c19283bbfd8f0137a6d018a0d4e19eb5948735c5b5

SHA512
9364a8cd3eb8c5d75a1834a249dc57706bcbf90686c43d8ab8d52219d38714eb70b70b57bd6f6ffbde33608afca8e694a6d3250870829bb3a3dd7a52a874b541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kurome.Loader.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
103f75e5d5658dea6baf8e6d5ceb9b4c

SHA1
ece265b090e737553813c53498d0e79a9f14b034

SHA256
fa2f32827285e26e21ad422ee9e3fa495dca17da771b402ab0d1656ba4317ae8

SHA512
441d07ff154113bc0006eb6b222b3119d872c2c97a4ecf8f503b37c36888a4b5928c911baccdebdd8043b191eebaa953e0a4e563245bfae4c139908bed7a2b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
948b89cbf05b4bc94b3d5a85293d7055

SHA1
94daff6d05d7a28c571dca3785c26b06124613c4

SHA256
b23aad57e4da48310f1e68d4c7fc6faae839ac04c7d1e4475e84ae9d6f8c0909

SHA512
7bea386869bb095c316ba62033c162702a9fe60ac726c076e3073bc1ff7b7b6861769bdf0028f8aefd1e0374783f68888bc1b07294251e0b52f519ecf23a8c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b605a8834ad94125fcede8397a71b51c

SHA1
1eff26350723f1ba9675dcbb0f23c23fe387c4e8

SHA256
3f7ee28424dd4a8422b79a4b5010078b2f59065c3c1a9e67fc80752d31a505bb

SHA512
10b33362ea622efe17fed00bb2218e40baea766982a3ce7ecc5ae69daf21452fe97b563c10371267b707a0ed628a8952ee706068afc678f8db70a808cf8d8206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
15af4caa0f6bf470baec41f82b53cc13

SHA1
4a15f6d0b946bb3ed27c96d7604408b9b69f8893

SHA256
41c93acd06a299922c87b0a6e4ba26d4d46783d9b9c6d0210b1479c85e4d0195

SHA512
04c34b5f22d057f45e4ebf0c780d3b066e44e408ff52042c8c5589863a9896fcc9290211fbeacf17d5fc8df474bbb5368b33eff90972cf800d078142fae275e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0a659acdb721088bf04497848d8143bf

SHA1
97728d371d7cb15c217d58211e6be5d01a5571f2

SHA256
4f78307bce0684d51880945ba13f450e5228f6069bdbbd2c5ac4f1f5b94c6b6d

SHA512
eeac7e82d2d6820dffec7fbd1e713a88194c902f3b77672707d2bdc5f0b6ab323b8828558d1e9a9915be3b3b714046d20369bb09d7e89f2ced1dd9ee9215e552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56f3776106a038a693f1266601f897f8

SHA1
3dfbdd0ca15a593fd5434d6fe0c281335f0ba700

SHA256
84dcd9a7ace49483ecf6e456c51a930500336656ae7a1fe26d5a3c6af7e39336

SHA512
f106927a592f7f1cf3a83e27057ae29e2630c9c567691d010009c817a95e01a6345bdf8c393f008b8b5f518b34190f4f56deea77baeb696aebb8d27a00184728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f93cf65b4ed6a2b6ebf670293a260084

SHA1
5d876ae026e00226754f8572e23aacceea93f3d1

SHA256
bca10469d7bbf0308bb70270fececec4c35f8b12047a0b9599b1a821ca1e9d3b

SHA512
6b47ed5a14168f38f22361441bf8137fcf4cea9a18e795723ddc5f3011ace0d7c1482b3cc5454682a2b80968ef9db1a0d2a8115581b121c224f75ad5170e6248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f94231930f7e4433760bbbde20509c1e

SHA1
0d1e6a539291bb11054a4987e935068fa6a80bcc

SHA256
74ed27b5d3244975248b6871b117532baa661ff383f82a96722e2fe38845c3cf

SHA512
92eacf15ab4100edac0557d968f5a7991a4b1b7f2639f770e010205ff8d928bf46669232711189f0eac1d868288281bf1db25e124c332690d9aedbe2103ed7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\26175621e499ba12634e61f0a4722801ceeee880\202b0d50-79c2-4fcf-bc83-aa0b25c5ad04\index-dir\the-real-index

Filesize
72B

MD5
ae0026720cb6f9546afd24a21c0a8efe

SHA1
dbdec35ee3f87215b47c0d6d0132a783b7ee3e48

SHA256
6e9bf67776c597c44d1c487c2dc50a9d5414eed1cd4162d3f1d7a66ef2b297ab

SHA512
01b27b0611b7335f6b01683e48d26dc226655eac9e5e3a8015f4836e9f761ffef1529c51a7826fafb116e126ae4182c4a3b206ac79296d3dfb08f1f40443a6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\26175621e499ba12634e61f0a4722801ceeee880\202b0d50-79c2-4fcf-bc83-aa0b25c5ad04\index-dir\the-real-index~RFe585bd7.TMP

Filesize
48B

MD5
a9d55fbae2c3a123b5b4f8018ac0f13f

SHA1
6879e16d36e3d7aad2fe06908878b1845c3953f4

SHA256
28683f3335b31c446ea144dc9bf2bdb4b0a73fc3afb9c7d501a7cde1d50a0b12

SHA512
d2a4b377c3bbf91cce443326f769188ec759d626a6a76cf9f7298ae283a83f4c63b1c23f58d6455b8bd0d9dba68e69971a6197829aa0b28cc2a05e23dc1855ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\26175621e499ba12634e61f0a4722801ceeee880\index.txt

Filesize
88B

MD5
c7467893bb6afdd99f27798e21eb1633

SHA1
7859df63957bb094dec21656b2f796e32e13f456

SHA256
feaef790f58d9a0b4961037529065c1839870e83fcfd0ced377ea2cc7be9b329

SHA512
23478fcd520e982ba2151ffb2ce8bcec5fadf52cfc1c53e575653d37510cb865ac65eb2d0fea3061a70a27ea9b6c3b43697bfa05ef7e49f7efbf33498866a7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\26175621e499ba12634e61f0a4722801ceeee880\index.txt

Filesize
82B

MD5
28fbbf2cff2efbeedddce1948b2aaf29

SHA1
019c3609cefbf58caba1029c028fae14c50098a0

SHA256
1a90b7928caad17228500e9fae589b4aa68771cd95cad8eb52e33bbb5d7f7468

SHA512
4a7f5435af65a7016efa61ea0269e48493b0e3dd81ac2d6620e33a0404cdb29ebda57ad8526ff23147e986d049d9ce7543a604b469e38e2a719d963f0a8bf355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d39c4b57d2b2cdadf9c603bdd26a3886

SHA1
ddff84ebe696234fa31689135a0c7eff38e82a2f

SHA256
cef239e49dba4b30d1f9b6a599096c8dc49b2a1c19ff81da815e793ad4d490f1

SHA512
e5c8966b04bb3823ce6c5e8957f324407a22be09a3033e308ba0002fb923f1e394dc0d72323ee69d8ea4303bc0d467851b9dab81e22638dfc76699669117a2a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585a50.TMP

Filesize
48B

MD5
4f9db719a3da1126c5d351c6c7bc936c

SHA1
a57c45896d671493d3698e061a2a0131ce3b8059

SHA256
9cef53ecfebf3575a708035578706227ea3ea09fd4a77126254ee348ee47265c

SHA512
0307b5bfa48c292f07d5f4435fc898ac114960beb4018659b578ff272e9163e948fcfdfa8fdb00255e490de0af1e5b326f5a98dfcdd606122aebcd9cbfa8e836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
37fadc00a585f166d24c3b75a3e2ef2e

SHA1
5a0421981b2eb44a91150a0fc1e1d59e8b5e8fad

SHA256
d3a9c925a8e0eb8367ead8716dd8d5f4dc5133c88cf332c1371748d8c2c68e94

SHA512
32d24e3aad9a6529c2b17631dcf1436806ba2a2f6adb0256dafc183cd4caeb93800c34a172e1304ecdff2d6e5d478b3390b7268d16f5341aab8cbfc1e947f193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c19af07716e3291176c2af221683818

SHA1
a32d5d037230b607fbe89f73b20d966d3d76acb4

SHA256
7d37fa8f341e0afb6fbc17176d590799fd7c95c2e38a303e6c3323949fb4a83e

SHA512
4cbfeef6c4cc4559f5b5cd8a5e7f6fc655c861848cf8d19172cd720e10ff960028bb85920fed17b4d994fe3ff550efb13d45969e344d4b34d56a2f93b839397c

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_dh3lfrryipd0c2ke0m3jqwjrshexcgtj\0.0.0.0\dxv5pf0u.newcfg

Filesize
2KB

MD5
61d7f4d30f17c3ed0fc5651dc6ab515e

SHA1
ef6e6fb45a67bb89875bbe9e929240dffe7a887a

SHA256
3181c45a2b04432cf5068a1f9cfe89313468153f0ec6e9a95c886ea8241073b3

SHA512
87dd8ff8281db728c1a2dbed2c9b0372f3b33d8e13d25216a964838ea59f4d3f047c03d57e6ca45cf56164545aface8a7e464b6348899fe3f74a78acafa1848c

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_dh3lfrryipd0c2ke0m3jqwjrshexcgtj\0.0.0.0\user.config

Filesize
1KB

MD5
1d5329c59fe486eedb4d8414ee3aee00

SHA1
ce4f7b25d1333e8691ab13690ca40ddaf8be3858

SHA256
d545f3a3ebe1a60fac7699a2fbd653811a4e44d9b7da325cb20e43b338e521c2

SHA512
12a0b8e7d64265df8051ebd60da14848f4075e4088af5d7db4c9cdd59c8d8b239a77283e28c9c0cb9ae63b8cd941214dc38f3ae31a95266e07f2d569b2d81aba

Download Submit
C:\Users\Admin\AppData\Local\RedLine\@shadow_Path_dh3lfrryipd0c2ke0m3jqwjrshexcgtj\0.0.0.0\user.config

Filesize
2KB

MD5
1461b6d9404b4f2990f8e8c66c640745

SHA1
f929650bb60a504146486a5117f66e2481d3a9f0

SHA256
9c14588266c6cf6124364d4f5ec9d5e1e9f2393b72b868f78b7d954ce130443d

SHA512
85cbc33c3bb49e2228d31b7d15b660c5896a2d43a4fb2dc5787c7c73039df15d1e44e8ac6283b4cf0e5d8260a2d1c6b10a737acdb349d8feef8219710afe88bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECD3412E7\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Drcrypter Forums.url

Filesize
177B

MD5
e81dc42ebc1188a370b40f571385e84e

SHA1
d416a5e3656d9e416836d549f6bb05f2a2520736

SHA256
bddb7ba8d41206c00df0a92735d4dd89b38e3e4358f4d5a5fc6ea94eb2a2da7e

SHA512
c66723b469aa66deca17a761540fb675b824627beb6c67be0c54ae96017e4364ec1c944cc7bb0c64a40ad9a2077e108eeef82242c8798705abb45882fd3f8b82

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\Kurome.Builder.exe

Filesize
137KB

MD5
cf38a4bde3fe5456dcaf2b28d3bfb709

SHA1
711518af5fa13f921f3273935510627280730543

SHA256
c47b78e566425fc4165a83b2661313e41ee8d66241f7bea7723304a6a751595e

SHA512
3302b270ee028868ff877fa291c51e6c8b12478e7d873ddb9009bb68b55bd3a08a2756619b4415a76a5b4167abd7c7c3b9cc9f44c32a29225ff0fc2f94a1a4cc

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\build.exe

Filesize
95KB

MD5
2f7437082c6e4244eb16e2f9c450905a

SHA1
cf818d29cd0010daf612beec6e765c1ed7e6750d

SHA256
5edfb5f547dada1f80638d11703a1a83ae6421842170fa0e901d24be245a7628

SHA512
9001773e20da17e815c0ada24776c97a0003942bae1a56e063da7767c7a5975cf13a0b7a1203a84310f8e48031fad410999a99d6f10e7ba87db06258fc7156b6

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Builder\stub.dll

Filesize
96KB

MD5
625ed01fd1f2dc43b3c2492956fddc68

SHA1
48461ef33711d0080d7c520f79a0ec540bda6254

SHA256
6824c2c92eb7cee929f9c6b91e75c8c1fc3bfe80495eba4fa27118d40ad82b2b

SHA512
1889c7cee50092fe7a66469eb255b4013624615bac3a9579c4287bf870310bdc9018b0991f0ad7a9227c79c9bd08fd0c6fc7ebe97f21c16b7c06236f3755a665

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Kurome.Host.exe

Filesize
119KB

MD5
4fde0f80c408af27a8d3ddeffea12251

SHA1
e834291127af150ce287443c5ea607a7ae337484

SHA256
1b644cdb1c7247c07d810c0ea10bec34dc5600f3645589690a219de08cf2dedb

SHA512
3693aeaa2cc276060b899f21f6f57f435b75fec5bcd7725b2dd79043b341c12ebc29bd43b287eb22a3e31fd2b50c4fa36bf020f9f3db5e2f75fe8cc747eca5f5

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Kurome.Host.exe.config

Filesize
189B

MD5
5a7f52d69e6fca128023469ae760c6d5

SHA1
9d7f75734a533615042f510934402c035ac492f7

SHA256
498c7f8e872f9cef0cf04f7d290cf3804c82a007202c9b484128c94d03040fd0

SHA512
4dc8ae80ae9e61d2801441b6928a85dcf9d6d73656d064ffbc0ce9ee3ad531bfb140e9f802e39da2a83af6de606b115e5ccd3da35d9078b413b1d1846cbd1b4f

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Host\Kurome.WCF.dll

Filesize
123KB

MD5
e3d39e30e0cdb76a939905da91fe72c8

SHA1
433fc7dc929380625c8a6077d3a697e22db8ed14

SHA256
4bfa493b75361920e6403c3d85d91a454c16ddda89a97c425257e92b352edd74

SHA512
9bb3477023193496ad20b7d11357e510ba3d02b036d6f35f57d061b1fc4d0f6cb3055ae040d78232c8a732d9241699ddcfac83cc377230109bf193736d9f92b8

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe

Filesize
2.2MB

MD5
a3ec05d5872f45528bbd05aeecf0a4ba

SHA1
68486279c63457b0579d86cd44dd65279f22d36f

SHA256
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e

SHA512
b96b582bb26cb40dbb2a0709a6c88acd87242d0607d548473e3023ffa0a6c9348922a98a4948f105ea0b8224a3930af1e698c6cee3c36ca6a83df6d20c868e8e

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Kurome.Loader\Kurome.Loader.exe.config

Filesize
186B

MD5
9070d769fd43fb9def7e9954fba4c033

SHA1
de4699cdf9ad03aef060470c856f44d3faa7ea7f

SHA256
cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b

SHA512
170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe

Filesize
9.3MB

MD5
f4e19b67ef27af1434151a512860574e

SHA1
56304fc2729974124341e697f3b21c84a8dd242a

SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\Panel.exe.config

Filesize
26KB

MD5
494890d393a5a8c54771186a87b0265e

SHA1
162fa5909c1c3f84d34bda5d3370a957fe58c9c8

SHA256
f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

SHA512
40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\chromeBrowsers.txt

Filesize
2KB

MD5
5c06977f634c911382ca6f6107a8489a

SHA1
645062b6f09924255cd1c2c98265bacfee3f2371

SHA256
92308e2b67aa3c6989d5d744ac51faafb40886e6863adb933a3cf2e9beba0737

SHA512
19c9e324314725038a39b0e596e537b5937954f7358c56cddc25c51fdd9ef10346d77ce5c7a0703db854c9aa232dcef1bdcd16411937d526a080dd87a3793e28

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\geckoBrowsers.txt

Filesize
395B

MD5
84d16e157a64d476231d1ff7d53c562d

SHA1
ad863e9956be1b32a82062e076e1c7fc0092a479

SHA256
c2f35b643afa2d013602a448a5c14a73942f9faa281564040ac5c044602e0e1e

SHA512
4fe76a0e2e00640de9107091625c4c3392ff8f35d2bee9dbad77d04df5ba614eb8555c40d4028f80258369abae05020ea2d03acd43e24330c0bc08a6c83d2a46

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\serviceSettings.json

Filesize
73B

MD5
73b79de9d46049e7822bbdff3d40774b

SHA1
c833914b3b8a1e642b6dd158f4db1f6a0bd1bf2f

SHA256
1fed3ac4c3057dc39c94e8ed896154a1280d071f1c0a256028992cce8d783436

SHA512
abecac06f4dc011afd307115a3ca5df015b925520d0efed3e3ccef2c600a53b9a82f4bbe3f70e27d6a43e9ad97668d6a4ffae619099a9dc1af4281b2ffff6800

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\Panel\RedLine_20_2\Panel\telegramChatsSettings.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\Desktop\Redline-Botnet-_ed--drcrypter.ru-\Redline Botnet Cracked [drcrypter.ru]\ReadMe.txt

Filesize
15B

MD5
e78931b35c504b515c77a7bb2712931d

SHA1
c2950f1a9d128291b7d64059093e381a5861c1c5

SHA256
521115e504205d1d2e4d20d5408a09be97d295208bd1cfea79fcade0750171e2

SHA512
91c246828d0f9c03bb150107236b628b54f8aa046c89e0fcf08c3f18e5a6b9c74bc5d79703cf1c63a4a288b6d7086b054e5e2a92b1f0943620a27e1546c537c9

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll

Filesize
3.4MB

MD5
059d51f43f1a774bc5aa76d19c614670

SHA1
171329bf0f48190cf4d59ce106b139e63507457d

SHA256
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d

SHA512
a299cb18c8a47fc27c46db0011266b7fa273852b302374eb98a54034e1281150af8e54e58f76a384d3b92fbcb1a67fc0452cabe592a379e15cce2c5f9a4b6cb7

Download Submit
memory/556-12451-0x0000000005810000-0x000000000586E000-memory.dmp

Filesize
376KB

Download
memory/556-12445-0x0000000005C00000-0x00000000061A6000-memory.dmp

Filesize
5.6MB

Download
memory/556-12446-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/556-12447-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/556-12440-0x0000000000630000-0x0000000000658000-memory.dmp

Filesize
160KB

Download
memory/1092-4440-0x000000001F370000-0x000000001F4EC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-4408-0x000000001E900000-0x000000001EEA6000-memory.dmp

Filesize
5.6MB

Download
memory/1092-4409-0x000000001F0B0000-0x000000001F142000-memory.dmp

Filesize
584KB

Download
memory/1092-4407-0x000000001E590000-0x000000001E8F2000-memory.dmp

Filesize
3.4MB

Download
memory/1812-4216-0x00000000079A0000-0x0000000007FB0000-memory.dmp

Filesize
6.1MB

Download
memory/1812-4215-0x0000000000910000-0x0000000000B46000-memory.dmp

Filesize
2.2MB

Download
memory/1872-12490-0x0000000008700000-0x0000000008766000-memory.dmp

Filesize
408KB

Download
memory/1872-12476-0x0000000000BE0000-0x0000000000BFE000-memory.dmp

Filesize
120KB

Download
memory/1872-12497-0x0000000008350000-0x00000000083A0000-memory.dmp

Filesize
320KB

Download
memory/1872-12489-0x00000000081F0000-0x000000000820E000-memory.dmp

Filesize
120KB

Download
memory/1872-12488-0x0000000007930000-0x00000000079A6000-memory.dmp

Filesize
472KB

Download
memory/1872-12487-0x0000000007CA0000-0x00000000081CC000-memory.dmp

Filesize
5.2MB

Download
memory/1872-12486-0x00000000075A0000-0x0000000007762000-memory.dmp

Filesize
1.8MB

Download
memory/2372-8320-0x0000000022840000-0x000000002288F000-memory.dmp

Filesize
316KB

Download
memory/2372-8211-0x0000000020220000-0x0000000020838000-memory.dmp

Filesize
6.1MB

Download
memory/2372-8197-0x000000001FD70000-0x000000001FFF6000-memory.dmp

Filesize
2.5MB

Download
memory/2372-8196-0x000000001FD00000-0x000000001FD66000-memory.dmp

Filesize
408KB

Download
memory/2372-8342-0x0000000022800000-0x0000000022818000-memory.dmp

Filesize
96KB

Download
memory/2372-8212-0x0000000020840000-0x0000000020940000-memory.dmp

Filesize
1024KB

Download
memory/2372-8313-0x0000000022680000-0x000000002271C000-memory.dmp

Filesize
624KB

Download
memory/2372-8326-0x00000000227B0000-0x00000000227D2000-memory.dmp

Filesize
136KB

Download
memory/2372-8327-0x0000000025EA0000-0x000000002620C000-memory.dmp

Filesize
3.4MB

Download
memory/2372-8321-0x0000000025730000-0x000000002583A000-memory.dmp

Filesize
1.0MB

Download
memory/2372-8322-0x00000000228E0000-0x0000000022910000-memory.dmp

Filesize
192KB

Download
memory/3320-4241-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/3320-4227-0x00000000007B0000-0x00000000007D4000-memory.dmp

Filesize
144KB

Download
memory/3320-4233-0x00000000051B0000-0x0000000005512000-memory.dmp

Filesize
3.4MB

Download
memory/3320-4250-0x0000000005AC0000-0x0000000005AF0000-memory.dmp

Filesize
192KB

Download
memory/3320-4249-0x00000000064B0000-0x00000000065B0000-memory.dmp

Filesize
1024KB

Download
memory/3320-4247-0x00000000058D0000-0x00000000058F8000-memory.dmp

Filesize
160KB

Download
memory/3320-4248-0x0000000005A60000-0x0000000005AB0000-memory.dmp

Filesize
320KB

Download
memory/3320-4246-0x00000000065C0000-0x00000000066CA000-memory.dmp

Filesize
1.0MB

Download
memory/3320-4245-0x0000000005940000-0x0000000005A0E000-memory.dmp

Filesize
824KB

Download
memory/3320-4244-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download
memory/3320-4243-0x0000000005B00000-0x0000000005D86000-memory.dmp

Filesize
2.5MB

Download
memory/3320-4242-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3320-4240-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/3320-4239-0x0000000005E90000-0x00000000064A8000-memory.dmp

Filesize
6.1MB

Download
memory/3320-4234-0x00000000056F0000-0x000000000586C000-memory.dmp

Filesize
1.5MB

Download
memory/3320-4238-0x0000000005030000-0x0000000005056000-memory.dmp

Filesize
152KB

Download
memory/5560-233-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5560-223-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5560-212-0x000000001AC70000-0x000000001AE10000-memory.dmp

Filesize
1.6MB

Download
memory/5560-213-0x000000001AC70000-0x000000001AE10000-memory.dmp

Filesize
1.6MB

Download
memory/5560-211-0x000000001AC70000-0x000000001AE10000-memory.dmp

Filesize
1.6MB

Download
memory/5560-209-0x00007FF8249D0000-0x00007FF825492000-memory.dmp

Filesize
10.8MB

Download
memory/5560-229-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5560-227-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5560-225-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5560-222-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/5560-299-0x000000001EB90000-0x000000001EBAC000-memory.dmp

Filesize
112KB

Download
memory/5560-260-0x000000001DB50000-0x000000001DB5A000-memory.dmp

Filesize
40KB

Download
memory/5560-261-0x000000001DB50000-0x000000001DB5A000-memory.dmp

Filesize
40KB

Download
memory/5560-274-0x00007FF8247C0000-0x00007FF82490F000-memory.dmp

Filesize
1.3MB

Download
memory/5560-263-0x000000001DB50000-0x000000001DB5A000-memory.dmp

Filesize
40KB

Download
memory/5560-265-0x000000001DB50000-0x000000001DB5A000-memory.dmp

Filesize
40KB

Download
memory/5560-273-0x000000001DB60000-0x000000001DB6A000-memory.dmp

Filesize
40KB

Download
memory/5560-238-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5560-234-0x000000001DA50000-0x000000001DB92000-memory.dmp

Filesize
1.3MB

Download
memory/5560-246-0x000000001DE20000-0x000000001DF62000-memory.dmp

Filesize
1.3MB

Download
memory/5924-12501-0x0000000022840000-0x000000002284A000-memory.dmp

Filesize
40KB

Download
memory/5924-12334-0x0000000025EC0000-0x000000002622C000-memory.dmp

Filesize
3.4MB

Download
memory/6004-4266-0x00000000213A0000-0x00000000213DC000-memory.dmp

Filesize
240KB

Download
memory/6004-4119-0x000000001F1B0000-0x000000001F1CA000-memory.dmp

Filesize
104KB

Download
memory/6004-4265-0x0000000021380000-0x0000000021392000-memory.dmp

Filesize
72KB

Download
memory/6004-4133-0x000000001F200000-0x000000001F212000-memory.dmp

Filesize
72KB

Download
memory/6004-4147-0x000000001F460000-0x000000001F49A000-memory.dmp

Filesize
232KB

Download
memory/6004-4162-0x000000001F550000-0x000000001F600000-memory.dmp

Filesize
704KB

Download
memory/6004-4196-0x0000000020480000-0x00000000204F4000-memory.dmp

Filesize
464KB

Download
memory/6004-4210-0x0000000023970000-0x00000000239BA000-memory.dmp

Filesize
296KB

Download
memory/6004-4211-0x00000000209C0000-0x0000000020A10000-memory.dmp

Filesize
320KB

Download