redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbGlaY3Q2bFVpVVpZWlVpa3lRanowX3R0a3Rod3xBQ3Jtc0tuYk5jU2VUTFdCVGxZZjVjMUp0MXNVdG5FUGwzQkxzVUNDV1ZVVjNzRTF2OVcwaGlKQnVPLTc3M2Ruemd0QzRwRUJ6by1tVE1kZGdWdDN1bXRYTW8zRktoSlBIelczQW9ZNzc4Z25hSngxSDMxWVRMWQ&q=https%3A%2F%2Flavacheat[.]com%2Fcheat%2Fsot-5040&v=0YO5nVTPCmA

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2023, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbGlaY3Q2bFVpVVpZWlVpa3lRanowX3R0a3Rod3xBQ3Jtc0tuYk5jU2VUTFdCVGxZZjVjMUp0MXNVdG5FUGwzQkxzVUNDV1ZVVjNzRTF2OVcwaGlKQnVPLTc3M2Ruemd0QzRwRUJ6by1tVE1kZGdWdDN1bXRYTW8zRktoSlBIelczQW9ZNzc4Z25hSngxSDMxWVRMWQ&q=https%3A%2F%2Flavacheat.com%2Fcheat%2Fsot-5040&v=0YO5nVTPCmA

Score

10^/10

redline scarflog infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

Scarflog

135.181.49.56:17248

Attributes

auth_value
01eab890df4b5da430be4638d836c22f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2700	SoT_bWsU0jV.exe
4760	SoT_bWsU0jV.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 3896	2700	SoT_bWsU0jV.exe	130
PID 4760 set thread context of 3012	4760	SoT_bWsU0jV.exe	135

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2536	2700	WerFault.exe	127
2928	4760	WerFault.exe	133

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133249040610345921"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1260	chrome.exe
1260	chrome.exe
3896	AppLaunch.exe
3896	AppLaunch.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
3012	AppLaunch.exe
3012	AppLaunch.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe
Token: SeShutdownPrivilege	1260	chrome.exe
Token: SeCreatePagefilePrivilege	1260	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe
1148	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	SoT_bWsU0jV.exe
4760	SoT_bWsU0jV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4176	1260	chrome.exe	87
PID 1260 wrote to memory of 4176	1260	chrome.exe	87
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 2920	1260	chrome.exe	88
PID 1260 wrote to memory of 3364	1260	chrome.exe	89
PID 1260 wrote to memory of 3364	1260	chrome.exe	89
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90
PID 1260 wrote to memory of 2360	1260	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbGlaY3Q2bFVpVVpZWlVpa3lRanowX3R0a3Rod3xBQ3Jtc0tuYk5jU2VUTFdCVGxZZjVjMUp0MXNVdG5FUGwzQkxzVUNDV1ZVVjNzRTF2OVcwaGlKQnVPLTc3M2Ruemd0QzRwRUJ6by1tVE1kZGdWdDN1bXRYTW8zRktoSlBIelczQW9ZNzc4Z25hSngxSDMxWVRMWQ&q=https%3A%2F%2Flavacheat.com%2Fcheat%2Fsot-5040&v=0YO5nVTPCmA
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff384e9758,0x7fff384e9768,0x7fff384e9778
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4560 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3532 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4548 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2772 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1812,i,3630940927070204469,15537098020137251181,131072 /prefetch:8
  2⤵
  PID:3868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5020

C:\Users\Admin\Desktop\SoT_bWsU0jV\SoT_bWsU0jV.exe
"C:\Users\Admin\Desktop\SoT_bWsU0jV\SoT_bWsU0jV.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 688
  2⤵
  - Program crash
  PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2700 -ip 2700
1⤵
PID:392

C:\Users\Admin\Desktop\SoT_bWsU0jV\SoT_bWsU0jV.exe
"C:\Users\Admin\Desktop\SoT_bWsU0jV\SoT_bWsU0jV.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 664
  2⤵
  - Program crash
  PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4760 -ip 4760
1⤵
PID:4900

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\58a8457e-f5d5-48f4-b086-38defff84b8b.tmp

Filesize
106KB

MD5
32c471114ccb6f86e0458c4c433a481d

SHA1
f5808445c9fecd053674e00b6122181053dd72df

SHA256
73a2a888768a91510a4a6dc3e2ba7bf110ace6074ab706e37348e8301621d7c8

SHA512
757b03a2b9e70986fac5695c623b52560302b203d9d64b3d63813b47b83c0327e40fbe390b244fef8fc3b5cd49fd9f30d7b4e99426a83d4cbc3fd61c8d29639b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
162KB

MD5
b81d6636c3ad72c63e532e5180eaf7f9

SHA1
ddcd059999fff6218e98af62dbe3fa9c885a0de8

SHA256
2fb4351c49b47b7cdaa9516237a8b1e690e4448339d09d70a84c658729e461ef

SHA512
4f0b87bbf60061a8efca4906554f958b7c28cf582452e01a8316d8c5ea8c98beda6c3230afff207f0b92d316c4c2e0ca1b4631e7d7364344b4a76394115af06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
51ca06a7e9aa0a31929acd1dc28065c0

SHA1
faebb740594c63147d3118aeacf4ee92515de18e

SHA256
72e0dc592beeca47e1ccae1e773350d280e3bf55989f5922c9dc81c8a859e26f

SHA512
9751b7ebc2973fc6b1b8258d83d0ff142aa3e25235f7b248657ff07c6579f09769836e35bb4af5aa8c8924569b46c323b0bd495fc3196590bf48914d75ff697a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
66efbe4192442efe29c0883da0be0ea6

SHA1
2f13a6404d05b72cd47548208471969000334ec5

SHA256
70628ad91f38cf2be0867626624a8d071cd97b79bbce54d644c616f45abe31e7

SHA512
de0a83c72ece931fdde57e6071cff9abf18ce9315943ee4d3341b8c455522c7f9c7872b475e1eaf3ca0236ddb7f105cc59733a3d7dc68759d11f57b5bbebad4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d0a5c875beef9c366f4c7ecf8c61194e

SHA1
0b37aa0cb974d25779da1960c1669f8582c5c547

SHA256
9e90765ba619ce916f88cb92e2ce8d02b46355dbb01ad4328b8d603fe4f4b4d8

SHA512
a928a5d67bdaf3d0d177f6a4d31b5aee563ea22e321de0e9ad114f311adca27a12fe556c7a6d1a9560988028c97402e009a7f4a74329ff21104f5d3bab3955fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
270330eb4f2eca99ef7d94cf6cc47ae0

SHA1
6f88b8bc2b3c69ac1044af6a5ce719ffff79af81

SHA256
d86a7e7e955b203a44f47750243084c014508173175e56f4656680acd8b64ebc

SHA512
7dff49a1b76a65da10ff2ffd1c24b7a62b320c6f55f3d4e2ddd50e6d7839a180b4d0af1a822e53cb19eb9aa7c029eddccfeb73b0b523ab40663d1f498cc4d0b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
7613d464255f9268af37e29e63833367

SHA1
5f721bdbe551f98eda15cd259d0f27482dafbc4b

SHA256
b8d9b191a4ffb0fa30f2ab5e209650b4a24b7f9c2a73b3835ae8107575447603

SHA512
17b7be64cb54dcdc50e9d437e164a6ee031213dbbcd59a46cb0d18167efb210d9ff3c6b30803b85fe38e34be04f71ed9edc1ddde46fea886628423dc2c3f4441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
782f55579baf6a495541fdd95bce9015

SHA1
8fd298a9efef1ceef08899e791a17132849f64a7

SHA256
05ee5ca32ef95ddefbedb9a5c389e093ccde340a62430c087ad7e221a113a85d

SHA512
30f35cfadf614a83239af4e9817902cbbb475d4ab5b109268d6887aaf2bd4ebdc334d15f24732fdb96dc0d184459c3efe4300d698ea53dcaf6d7aa2c7807b45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
14617d8a8da99544eb5f431bf393daec

SHA1
058fa6f78b32e929493c20cdb7cf92ffd8f7cbd2

SHA256
01f708a8ec88b56514d2c1bd1a2d437e94bf0ad7a35aced13dcd9047ae8640ee

SHA512
12eb98713a7e98fd54c9eff581564b351b37a17500dde6f51ae47fa07208e7df8383ce34b368b7be361562f6a6ccdd829b6025bc5f672448c130849d1fee3e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c0747db37ad0fda061ea24377bbd3021

SHA1
8da2682f20b25cb87f533ebfa937133dd4d27df5

SHA256
99722b7cc9d5be911c90d60e68a07ea1dc1149336af575a12123f6d9f089ad34

SHA512
8e2cb161df4ef2d58087336ccd8c97cab8e3ce92b6bf7aad831bfa8f518b2763035ac551dfaca8497c1081c59c925798c6846ba1406aae4943ec9d0303bbbcb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2ca4178a6c93c279aae6a72cc5e1da75

SHA1
d3366ce9342496997d4e423a10ccc7c246f1e9fa

SHA256
d3c68f2a1e174de119b29b77f90eaab1fcd66d3b456fafa8e75bd26fd92b97b7

SHA512
0b38ca806a39e30a0c9ad6f5363baee87d0310111b18779cc2013a39288dd444f99df94c15c2623b46b5351de833163abe745da79a1a3172650752af8fbe812a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
9f0c507ff31ee477f316435294aaf82b

SHA1
cf49be29877ac7c272c02fced2393efa78dc19e6

SHA256
c9207f110165f2f4555323c840eb84438998f934a5989ce60d32ca24bb7102ce

SHA512
4d2cb38ac848637f388ff53d477615964add19622e32bff0741cd4e2a6b4a9d5bfd0a20d122cb972fa1392ec1f4c16b6fbe0c4d020f74490c25736f6f68cccaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
146cdbd3907ff4649ec86fcfa1c5448a

SHA1
e60650899521b5459968cbbba76d24d1f0402051

SHA256
873aa7fdd49a83405204d6ad369425efafa89d4c830f645559600d6fad51fb13

SHA512
6cf6f6c4a2649db8b55638a24618a07598dfcb851f897c374ff1e7fe0a61f5bf0c4976c671151bec212f86122b9449f446d644ad7531560277e0e028df382935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
e6a2d01bcf93c18fef80a7f730a16c03

SHA1
c84d2ed29c71bfe2b49ead927c0c191e9461a86f

SHA256
9f0b541a32c30dc43f2814c7a04791c04cae96092558cac7f2d87472167c4ed3

SHA512
2be5d8f79146e81cd5905da1dbbdadb18c446961eac2b532e66ae24f48792eee4e9ed639619478ae7b1d2a85a96affaef0a03333dfbfc2b91b225519679a44ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
2556554f6da9d647a69b7b4e48c3be7e

SHA1
4dbd58804c7db74a5b831daf01d8563fdef56ed2

SHA256
80974cab9701c497e7fa307da80304f01f71722cf9ba7e82dd534e9f68e7a5b4

SHA512
9ba3bc3d7d0460a127f7184a1d2ba36eefafa59565470e1a0db4fce2f3a7793a3a6b429818f128cf4c285437e2de25c64b941bb978a3098853909f97e7e9ca4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
146cdbd3907ff4649ec86fcfa1c5448a

SHA1
e60650899521b5459968cbbba76d24d1f0402051

SHA256
873aa7fdd49a83405204d6ad369425efafa89d4c830f645559600d6fad51fb13

SHA512
6cf6f6c4a2649db8b55638a24618a07598dfcb851f897c374ff1e7fe0a61f5bf0c4976c671151bec212f86122b9449f446d644ad7531560277e0e028df382935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
97ae1ac6595bb7a660be29025804122a

SHA1
96ddd58b794f5365f691d1844d60cc6d3457dd37

SHA256
4e1e3cc3c37e0b14f76ca1e865d593a75bd2836b0148b58bc33949bf033814bf

SHA512
c386ce0f964a5597b7277f70de4e47c05c899aea91dda73f3967c7bb8e8f56e4a3ca5536c710420a2ba050a6c5ba7b4370eba3b9e787f0596f4ddea3d44b685a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe577f13.TMP

Filesize
100KB

MD5
56d733f577fa3a99e304e0dd81cefa63

SHA1
cd1101efa4ac3146fa3c8a9c6ed8392b623d9abb

SHA256
b314a75a9a506c89f1c09ada37637120e715b9111a2e5d2f3ee60dfac7b37eeb

SHA512
220bcc5634b5b99e6837a6d8f60d91d51698861a8103b686c896ae86b548cff67ac59f3c2bb8434a6ef2a0f76ebd2347a9ccdbd926ead1a678594ee0391fde3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
405c0e78d3c3352bff262ae177366841

SHA1
afc89e95f95aa76f3eb774e71fc28eca12967063

SHA256
8e359462a26479eb028d44f6ec8b751779d046a121e28b57e69022298701f642

SHA512
81bf4d0682319b0caf96e7326100d7b563abf34e15c1b9cfa1209182476eebdaca2c19c2b4855d226f505635b73852e5de48bacd0fb2c0c21571a4422e424a15

Download Submit
C:\Users\Admin\Downloads\SoT_bWsU0jV.zip

Filesize
6.3MB

MD5
085ff68f77efeb377e88d77cd6c6bfba

SHA1
ded955e56a074edc5e4c81dce765a8ea5ff8ed0e

SHA256
9b243543de3de1ebfb16c9bba14b14690cbcd62749168e3aa20a01184d3911ef

SHA512
eb19f712af8d202150c6acdd7fc0db928564b909a1029f045bad83fb31f4d0dcf979b4e3d24d302a94477b2148b5baec2b4af9b35b0f751b28116cc36ae3c300

Download Submit
memory/1148-493-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-484-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-494-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-495-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-486-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-485-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-492-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-490-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-491-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/1148-496-0x000001D11B250000-0x000001D11B251000-memory.dmp

Filesize
4KB

Download
memory/2700-450-0x0000000000400000-0x0000000001CF4000-memory.dmp

Filesize
25.0MB

Download
memory/2700-451-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2700-461-0x0000000000400000-0x0000000001CF4000-memory.dmp

Filesize
25.0MB

Download
memory/3012-483-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/3896-460-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/3896-464-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3896-452-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3896-472-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/3896-457-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/3896-471-0x0000000006A30000-0x0000000006A80000-memory.dmp

Filesize
320KB

Download
memory/3896-469-0x0000000007830000-0x0000000007D5C000-memory.dmp

Filesize
5.2MB

Download
memory/3896-468-0x0000000006AF0000-0x0000000006CB2000-memory.dmp

Filesize
1.8MB

Download
memory/3896-466-0x0000000006880000-0x0000000006912000-memory.dmp

Filesize
584KB

Download
memory/3896-465-0x0000000006D50000-0x00000000072F4000-memory.dmp

Filesize
5.6MB

Download
memory/3896-458-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3896-463-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/3896-459-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/4760-473-0x0000000000400000-0x0000000001CF4000-memory.dmp

Filesize
25.0MB

Download
memory/4760-482-0x0000000000400000-0x0000000001CF4000-memory.dmp

Filesize
25.0MB

Download
memory/4760-479-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download