redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbmlUc2dnUFY2ckdHSG10RkQ2Yk1aU3ZxcVlIQXxBQ3Jtc0trdGs0dUtyRzFSOGdRc0tpWjdGekJnLURSLV9GenNtTzJYaVZpaC03anV5Rm5mcWFJdzN5NVRhaXdHcGRCdWlfSEw4d2VHbjFDVGNrOVc3TGxEYjFNb1pEdjl2NmtGb2Z3WU5uQlBKMDVxeVNHTC1Zcw&q=https%3A%2F%2Ftelegra[.]ph%2FCorel-videostudio-crack-10-14&v=3o7bNc_Zu4U

Analysis

max time kernel
105s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmlUc2dnUFY2ckdHSG10RkQ2Yk1aU3ZxcVlIQXxBQ3Jtc0trdGs0dUtyRzFSOGdRc0tpWjdGekJnLURSLV9GenNtTzJYaVZpaC03anV5Rm5mcWFJdzN5NVRhaXdHcGRCdWlfSEw4d2VHbjFDVGNrOVc3TGxEYjFNb1pEdjl2NmtGb2Z3WU5uQlBKMDVxeVNHTC1Zcw&q=https%3A%2F%2Ftelegra.ph%2FCorel-videostudio-crack-10-14&v=3o7bNc_Zu4U

Score

10^/10

redline infostealer persistence

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
6048	Corel videostudio.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133243994273495860"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4080	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
6048	Corel videostudio.exe
6048	Corel videostudio.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeCreatePagefilePrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
6112	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2068	1732	chrome.exe	89
PID 1732 wrote to memory of 2068	1732	chrome.exe	89
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 4000	1732	chrome.exe	91
PID 1732 wrote to memory of 2344	1732	chrome.exe	92
PID 1732 wrote to memory of 2344	1732	chrome.exe	92
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93
PID 1732 wrote to memory of 4168	1732	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmlUc2dnUFY2ckdHSG10RkQ2Yk1aU3ZxcVlIQXxBQ3Jtc0trdGs0dUtyRzFSOGdRc0tpWjdGekJnLURSLV9GenNtTzJYaVZpaC03anV5Rm5mcWFJdzN5NVRhaXdHcGRCdWlfSEw4d2VHbjFDVGNrOVc3TGxEYjFNb1pEdjl2NmtGb2Z3WU5uQlBKMDVxeVNHTC1Zcw&q=https%3A%2F%2Ftelegra.ph%2FCorel-videostudio-crack-10-14&v=3o7bNc_Zu4U
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddc539758,0x7ffddc539768,0x7ffddc539778
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3316 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5376 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5648 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5864 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5728 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6044 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6276 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6448 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6436 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6700 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6888 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6656 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7392 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2280 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7672 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 --field-trial-handle=1784,i,410507538336809233,17330934142898116091,131072 /prefetch:8
  2⤵
  PID:5740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6064

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17592:96:7zEvent21671
1⤵
- Suspicious use of FindShellTrayWindow
PID:6112

C:\Users\Admin\Downloads\Corel videostudio.exe
"C:\Users\Admin\Downloads\Corel videostudio.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
  2⤵
  PID:2948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6d84e5126bc31247d5a3cb27eb467729

SHA1
e80db2073c0f2878d8ef734d5cee0454cd5ae2fe

SHA256
433e23a2c448fa9828a8cd1e25174fdeab8bbd53dda36bc7847e2959aa948bfd

SHA512
4a053fe5432f476aef9229a1fe084bd7caff8110d988759458010b67f54f4ba885fe2498a5316eb4aeedff81667e3c4e19250a6a5e842d0032a91614789f6858

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a3d7ba2bf76decc077e45cd1e32d6bb2

SHA1
652a6991930d7a82e5606800211071828abd8b3b

SHA256
b63ae0ca0a04a3c583ccd5c0174bb375d8f4ce196fa22ad38aa335e57febd823

SHA512
e9075309d89392b92db5f8b0958f1050601f0c55a4f59e9ff370f75f8d960f114756887c7e96ea16d5d61c9aa3a3ace2c94801bb6917b1f056f95ccf6e97948a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
63dec72d646835e4222fbb2145e6895b

SHA1
1a92a51a697312439f8e69b304fc65e6e8310ab9

SHA256
d8ab5614a00715e6c829d183606020ae7815f86a8ae325857469097f4e61239f

SHA512
d7646c3b6d7483eb5314552f500c230e164aa8b2fd7c0008e5e08780acd7a9e2e8fcb699a2cae4cdb2aa96420018b8c5e47b95fabd34c505b389526a1c5bcd86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\648cd60c-d38a-4ed1-bb15-8367abf0ef7d.tmp

Filesize
3KB

MD5
e38f0ceb7955f0e611c17bb67ee17df7

SHA1
9212e852e65189981cab5d542302315b256b88ce

SHA256
87902f64f1afc41ac959e92df51a418db2a4fd3c02f978bc503690cc42830f0c

SHA512
ebcd3a56ecd8b34260a6ad27038a5d6f2cf3782093f9071a84a7c0f74ab71ad04025306946988f7b0318f5f0874f4f4a24ba8feb11c0cf5e8cbd9fc37598b782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
3f1085dee4c29e4988f946ab5093df55

SHA1
f548479c8b1c3c53d8e3194175dedf1524fb7919

SHA256
94820f75605f6123e0030f1cd9e36e9cf15e5498e21b5d06b657354fe3b0db3e

SHA512
319caf45e4f2532ee64fb79bd10c08ef87a8e30bd6896e0a86def2344f138ad2770f2e6a4c5d7913c6d5d77afd7acd3b32eeb0bc3c9aeacab5d5371bfb27c28b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
61d0359a17e941a93cb7bb67c7693148

SHA1
aa5154252a40ca8a27daa676a7a20677bc286033

SHA256
513955b0aca960c8403d9c7254bc16c4efa6821e7d8646ca054e52d8c2310769

SHA512
668f78ebbb6a2585035c98fa42917a9ee4db23c0436403ceeb705d0d333390ffcbd12af0863c1318eff3def561ed38dd13d7958855a0973a2f3ff4642e64215c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a912fff7b118a584cc1994d061e10e80

SHA1
e3d55215476dcbd868ca790a191f5e20cc407f4f

SHA256
af51954ac350114d9575ac5926ba3c53258bb75393312c2d3305d83dc944128c

SHA512
28af3b031f06a266cdb51415637e5a343e0302fba71a6c32a48cecff81375d66af5266263540478042d714e5da6500b4cce65dfa960991530f71aadb7d71f802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
12950477b94a49f6d69d691fc2d776c5

SHA1
c629c438be2196caebfe7cb8ac922e1bcb09471c

SHA256
3bcd4b1217f2e6d31f5e57690728e4017a54077738ca6def85fd98340800eb8b

SHA512
470ee0212efc98b01ea44858e03a595cbd576f158e6af7a2dcd0c254948e828b27e1202a20920805b3ecfb52605f29a2de555807b072326c87e3564439137efc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
efc4157b6d879a3f5ddb6453be587ea5

SHA1
d72575f8e1385a61111035cb9ef898235b0f1342

SHA256
3690b7279956b32aab1af3596824a026913f437127cf7a84ac62fcaf372102f5

SHA512
6faaaa3baedd3535de3ef42a19787822325bb85c3348950e008e7670e13482c8c25e271cd388e8b94a322d6f39a673fdcb564a935f9ad919640aa95fe9d5b117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cee8157b7e78368828a672bf8f86e0bb

SHA1
b5facf057f9a2c4d382f6c7c05c1139231a8e605

SHA256
19b961acd6b6facfdd6d1a9c2909f65d09d764fbac5efc65753f0676417fbc4a

SHA512
b66d02200fefa1c4ffa9445d124419954eac441b3222ab7d21d99ac4f0ee712552c32a4f9bc4cadcf3c7726ff79ec782eb654bb2d82daa2568298b6e15b5e7d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
164b8ec7f062fd2c58e5c710bb4edc42

SHA1
0c6c0d765eb39a0fc24a4166deb2b28b88c8087c

SHA256
ce4f938727f762b14e1c3db0dc4583125db141b33671103916aaebf466aabd10

SHA512
8d5002eb9f9527ae55cc08db132cee8e419770d057c417285e6f56329aa8daeb791c83e485e551c4a57b5600784343d7f4033a36b7941dfa1894d34a21268826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
5c9f45765844be83bc0f734b87a16cf8

SHA1
1fb64ca66ba04af4bda9760f4725ad467541c485

SHA256
92ab2c2c35dce5f04b4e8de1a438565344d63ea22687520e75252a8052be97d2

SHA512
86869ff8ca2cbb53dd1f12d9093a5c84ca668f294b8dec3f8a8821e263f44eeea457b710bb02bce6c5fa98de87918b5ed0871cc86e8a4e03cd736869af2a0601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
6a9d83c5056428a88c672a2be3885170

SHA1
4a30f2eecb5b17bcb64d228b9e420d58b918cf2f

SHA256
3a6328b459cd9be65cfde8957d425302758c113a9c90d027f2c9f631dad342ce

SHA512
aaf155b5024f45e219e0665de3264c1be535401c57d8b29bb320815eb2e22dbb21e2d8885517712a80c8363beeff1aa352c4cd5ef9a5d19c4ce102af065d1a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Additional Files\VisualStudio\v15.0\Microsoft.Portable.CurrentVersion.targets

Filesize
8KB

MD5
b1ef042f6302baf23e8b5b0379740eab

SHA1
5158d234b39e55f1cabe48317975807184d1ba01

SHA256
f243566a8c3b8bb32e752b9f17fa9afaaf1218c5e288b4432dbc49324c7dff79

SHA512
576f26e1ce3287344312ccdeaa0c026309028c2641858d6a5d290da811e3857b2ec31c822874a7fad287b00b173c5bb29645df0ac4d2a71871d0fd69cb476d14

Download Submit
C:\Users\Admin\Downloads\Corel videostudio.exe

Filesize
524.2MB

MD5
601126c21bf43d424454505034ccf573

SHA1
55aed021c0fc94e7be5039f90f944e2076784627

SHA256
18ede2825ccc8ff8b83da0ec0d4ab77e438f1121bcdbf85eb31f69ccfc8b7e82

SHA512
b4cc52626334399ada6b47cd1b41df26d62a350a6ebd0303fc0ac7bd0f54cc772685f2b2ff5b1c2b074ff5e7483a9185abe19c66b3a2ea148fa33e28e3f78ce3

Download Submit
C:\Users\Admin\Downloads\Corel videostudio.exe

Filesize
551.3MB

MD5
49ff6a768ed373820ad18fc9bf4132fa

SHA1
484ecaa33ee32d5e08919ec961822c741a51b28f

SHA256
aaacabf219d179f0a0aaffb52ed800cc487a5d7c3f2da6b753c706a6309e6fe4

SHA512
d054500a39372e5fcb96e020a4fc23bfdba49c52b6ff399a5b26404f88f2b4f47e83b0d150f609578916c417312ccceaf14b1dc198338d1b798edf91ad13a2b2

Download Submit
C:\Users\Admin\Downloads\Corel videostudio.rar

Filesize
6.5MB

MD5
ae6b314503cf619464b235ef83010ac7

SHA1
77cf575c7de3a3cbb1caec591c0aeed304353549

SHA256
f044fe9b1f1fd93d0eb1fbfc6b0413f09bd9b066abeda40bf3a28ceed4c4a92d

SHA512
6241bd316a0af3f10701905a3c289be458a0333e37faa17da3b5c749c0e5b173f4340c8d2f5201c5119eef7b3abc7b671bbea228f5459da46b6451cc9837a15a

Download Submit
C:\Users\Admin\Downloads\README.txt

Filesize
214B

MD5
7a0342e72c2bb0432f61081b16d8da09

SHA1
dc1731ea65b11cd97a5f054466f398382d9af5f9

SHA256
cedd3f4490cf652bc91f177c53d8d84eab1ef37bb566c6a13310f788d9c36cdb

SHA512
15b24ac93589b4d186e0e9f19ef9879649bee2ec8c50c554912626a7de99175129935e5e3fffe0898c439451c8970ed181500f1eb9c801b63a0ed2c7adb560bc

Download Submit
memory/6048-729-0x0000000000B20000-0x000000000120A000-memory.dmp

Filesize
6.9MB

Download
memory/6048-730-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/6048-731-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download