redline | hxxps://anonfiles[.]com/c6j1mcb6z3/build_exe

Analysis

max time kernel
40s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/c6j1mcb6z3/build_exe

Score

10^/10

redline sectoprat redline discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

redline

not-qualities.at.ply.gg:59219

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 895388.crdownload	family_redline
C:\Users\Admin\Downloads\build.exe	family_redline
C:\Users\Admin\Downloads\build.exe	family_redline
behavioral1/memory/4796-277-0x0000000000260000-0x000000000027E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 895388.crdownload	family_sectoprat
C:\Users\Admin\Downloads\build.exe	family_sectoprat
C:\Users\Admin\Downloads\build.exe	family_sectoprat
behavioral1/memory/4796-277-0x0000000000260000-0x000000000027E000-memory.dmp	family_sectoprat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

4796 build.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4796	build.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133221661303195662"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exetaskmgr.exebuild.exe

pid	process
2188	chrome.exe
2188	chrome.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
4796	build.exe
4796	build.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
4796	build.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2188 chrome.exe
2188 chrome.exe
2188 chrome.exe
2188 chrome.exe
2188 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exebuild.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeDebugPrivilege	4796	build.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeDebugPrivilege	5556	taskmgr.exe
Token: SeSystemProfilePrivilege	5556	taskmgr.exe
Token: SeCreateGlobalPrivilege	5556	taskmgr.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe
Token: SeShutdownPrivilege	2188	chrome.exe
Token: SeCreatePagefilePrivilege	2188	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
2188	chrome.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe
5556	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2188 wrote to memory of 4728	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 4728	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3708	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 404	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 404	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe
PID 2188 wrote to memory of 3972	2188	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://anonfiles.com/c6j1mcb6z3/build_exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe6389758,0x7fffe6389768,0x7fffe6389778
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:2
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:1
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4812 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:1
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3880 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:1
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5492 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5020 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:1
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:3264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 --field-trial-handle=1800,i,2390674760906818542,10358603927988945029,131072 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Users\Admin\Downloads\build.exe
"C:\Users\Admin\Downloads\build.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
0d2e9fa0017c849d31ba73ac608d5bd2

SHA1
1c8c128c3519efaaa552601142afbff243d00d4d

SHA256
2dfb1adf7bcfbecc27a4771aa474eff22548ab38ba120ae644e4bbca27b9efed

SHA512
e4af38f52fa991d33ecb93a191eec31c9f8acb9ff90c273a1a1be78fd4cdec068993ce6c79c1e081c80997bdcfb7a6f52de587b4476246206b9075fd3e408fa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
bec6f3c708882f6999ec1b992b2e2eb1

SHA1
7a32fd1013326794d7309b0a9fd303ffdf383809

SHA256
6615ff3670aeed3489496732b22653c5ce8e2c20b6e8a71bea6b607d091b1c4b

SHA512
70732baf64047afb4b4b88970482f5ce175699da709aeb4e385554cac654a34e1384e40a82cf13bcfdf83b3530b220b1f917f2164fee9a9804adaca2129a9ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9baf89854da6be83529418461cce9bf9

SHA1
7f83eb0e09637e3ec706762c68435543dd0e7c86

SHA256
de9baa251b9c425d9aabeccc0a28cfc17fabed8a939a3ac7796eb766198a5b42

SHA512
7db9cc2a1cd0782feb3babdadf6cfd02ed31d0c697257ca920ae5747c3189272079550bda60cccfdfdeb590ae0a7d1f75a7c12c5ab40d6ff191ea1856927f849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
aa47b111a316440fbd43ea123b3adfc0

SHA1
57b856e8cb0a4730244bef5de8924dfde726a9e3

SHA256
7c5bea3a0972d6cba96049351896fcf319f2fd6e48a856dcc1ffabb65a5c8d05

SHA512
0e791435b554287d5f97bc9dbba4d4250cb54d2c1f26b17e2aa9361d6f47b170a00d788553d59172090f1124138c6f501b06e944e5ce8b736df80ecfa0850861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
b8572be53b8533e086a3718de020c553

SHA1
48a2aadaf170d9cf1fe480632d8d8171f84350f0

SHA256
e56122a5ede0f8e9e6c03d520a4385c210708fac83f9064b56effa511771c319

SHA512
a975b2619a1f8b243f284baedb1106ca94c32b643587f0419059ce19366b5ba0290330602b80fe5f313d13a32a5a37ca7eb081b10d21ba9373fdcaa44b5b03d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
ab55f754ae1e92a7cf634a3693fbcabd

SHA1
f8f71e62a7ccd8e32088df7b43bc2ed12fb0ab24

SHA256
748253bd64288664b1b8fe9a21109986fd4d415762879ff68384a3f5a71a0d50

SHA512
47e6a3c601a66286b441013430a697a4a356f077b945269d17476e11a13269a8f87baf97957a142f894341a3097ddd7c6e06f4d9893a43b770b14b26fb3076a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
59792e120ffc9bd76e3b75c56cc7e74a

SHA1
39486315820bc972095f1462819a1e6e5adb438e

SHA256
9d0052a45f0665e1d5c84370881ed150b5a93905a39a44ef9b1b49b5bbef5dcc

SHA512
f473fbb24311b7ebaae32c90670a1307a987a8e160cef07887f367d17e662751e6addbc24a86159b5a097bafcd2c38dfc0a2bac9d13514fe484ac1e52e30243e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe56fb7c.TMP
Filesize
48B

MD5
d2456c5eb35bf0ac18e346db8b7286c7

SHA1
8eab3ae9f0701f3be401d96777a927c7f9ad96c2

SHA256
2f636454899940c41bec2133ef354b34e1bd350ba2d4f9ff85204099a9860606

SHA512
ee0b10ef65eaa09f8665bdfe4604d44e38338b84f6fc937556f548e1b82b29b2dfe736dea1aa41ccaa166488701a733880ddda3ca65d382d3ebda6d2f9ad7753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
5bf4e80e0011c916a136aa64b1bbdf09

SHA1
e66a8b33dccdb9e6fa3e13616c2421dabd97dd51

SHA256
86efb5346fba9e5bfffda80f31737f008c7281cb9a8afdc91424ac6cab7ebb91

SHA512
83e0a555c7bb16e7599beb8de3fea5e819bfa68d8b9d352ecc75b7a04d922e4e87d5f312057cf84d66aa314ab2ca8f2784b321355f5a9a0b974757bfa352f0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
5dd36e0d0aa3ceff34c4f53670b545ab

SHA1
433609b3395a237a4883c4714e315380cdb4ab49

SHA256
ddd7fe57df8a5ac1e1a42feba116b999cff12be5fe576c2efa55db77b8b7a32c

SHA512
089bb24c287322c10c57339d40213bac52b6caad1a5c3e4bc057fe6db605e9ed916c9bcb096fc9648d91cb1bad37582529e3de74993c553340cae3ca914367dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
5dd36e0d0aa3ceff34c4f53670b545ab

SHA1
433609b3395a237a4883c4714e315380cdb4ab49

SHA256
ddd7fe57df8a5ac1e1a42feba116b999cff12be5fe576c2efa55db77b8b7a32c

SHA512
089bb24c287322c10c57339d40213bac52b6caad1a5c3e4bc057fe6db605e9ed916c9bcb096fc9648d91cb1bad37582529e3de74993c553340cae3ca914367dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp162.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp168.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C2.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp66.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9.tmp
Filesize
92KB

MD5
721d9e468a6d6d0276d8d0e060e4e57b

SHA1
62c635bf0c173012301f195a7d0e430270715613

SHA256
0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0

SHA512
0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 895388.crdownload
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
C:\Users\Admin\Downloads\build.exe
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
C:\Users\Admin\Downloads\build.exe
Filesize
95KB

MD5
401ae697c9602127ccadf631c1fbd437

SHA1
53290d042e2890626421f2657a9d258ecb59aa33

SHA256
9887f49e92ce29898cf42e5c0e8113f0d3d4b61fb98d7f56a9abc27ee885858f

SHA512
723e6edd5f9dd5d730571ba17aa99c255e143ab4bf16b7c24e81f28536ff15b1c1fd9d5acb3cf3e19059e1f42790c3609721d364c156d67db5aa05e209f0b338

Download Submit
\??\pipe\crashpad_2188_TQBNSHWMCOFLAZQN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3632-252-0x00007FF804120000-0x00007FF804121000-memory.dmp

Filesize
4KB

Download
memory/3632-251-0x00007FF804400000-0x00007FF804401000-memory.dmp

Filesize
4KB

Download
memory/3708-136-0x00007FF803350000-0x00007FF803351000-memory.dmp

Filesize
4KB

Download
memory/4796-338-0x00000000067A0000-0x0000000006CCC000-memory.dmp

Filesize
5.2MB

Download
memory/4796-494-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4796-501-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4796-500-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/4796-497-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/4796-496-0x0000000006690000-0x0000000006706000-memory.dmp

Filesize
472KB

Download
memory/4796-495-0x00000000065F0000-0x0000000006682000-memory.dmp

Filesize
584KB

Download
memory/4796-280-0x0000000004B20000-0x0000000004B5C000-memory.dmp

Filesize
240KB

Download
memory/4796-277-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/4796-278-0x0000000005060000-0x0000000005678000-memory.dmp

Filesize
6.1MB

Download
memory/4796-337-0x00000000060A0000-0x0000000006262000-memory.dmp

Filesize
1.8MB

Download
memory/4796-279-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/4796-282-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4796-281-0x0000000004DC0000-0x0000000004ECA000-memory.dmp

Filesize
1.0MB

Download
memory/5556-326-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-311-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-310-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-312-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-327-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-321-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-325-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-324-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-322-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download
memory/5556-323-0x000001E000B70000-0x000001E000B71000-memory.dmp

Filesize
4KB

Download