redline | hxxps://gofile[.]io/d/D1GC4n

Resubmissions

Analysis

max time kernel
94s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
14-04-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/D1GC4n

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

TKANDERS.theworkpc.com:49182

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4240-107-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4240-107-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

pid process

2464 MSBuild.exe
2876 MSBuild.exe
4240 MSBuild.exe
3276 MSBuild.exe
4496 MSBuild.exe
416 MSBuild.exe
2820 MSBuild.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2464	MSBuild.exe
2876	MSBuild.exe
4240	MSBuild.exe
3276	MSBuild.exe
4496	MSBuild.exe
416	MSBuild.exe
2820	MSBuild.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exe

description	pid	process	target process
PID 2464 set thread context of 4240	2464	MSBuild.exe	MSBuild.exe
PID 3276 set thread context of 4496	3276	MSBuild.exe	MSBuild.exe
PID 416 set thread context of 2820	416	MSBuild.exe	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133576112531572039"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\MSBuild.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MSBuild.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

chrome.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

pid	process
2896	chrome.exe
2896	chrome.exe
2464	MSBuild.exe
2464	MSBuild.exe
2464	MSBuild.exe
2464	MSBuild.exe
2464	MSBuild.exe
4240	MSBuild.exe
4240	MSBuild.exe
3276	MSBuild.exe
3276	MSBuild.exe
3276	MSBuild.exe
4496	MSBuild.exe
4496	MSBuild.exe
416	MSBuild.exe
416	MSBuild.exe
416	MSBuild.exe
2820	MSBuild.exe
2820	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2896 chrome.exe
2896 chrome.exe
2896 chrome.exe
2896 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeDebugPrivilege	2464	MSBuild.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeDebugPrivilege	4240	MSBuild.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeCreatePagefilePrivilege	2896	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe
2896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2896 wrote to memory of 2888	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 2888	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4960	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4744	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4744	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe
PID 2896 wrote to memory of 4688	2896	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/D1GC4n
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc0c9ab58,0x7ffdc0c9ab68,0x7ffdc0c9ab78
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:2
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:1
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:1
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3656 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:1
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4528 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:1
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4884 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4516 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=1812,i,6536980954691800690,17664476084092138081,131072 /prefetch:8
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
2⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3276

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Users\Admin\Downloads\MSBuild.exe
"C:\Users\Admin\Downloads\MSBuild.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
9a8c2514a3dd28c67c7c91a358226782

SHA1
428ffd5f76d7e4c6c75c1b35fe04cbf324e75e9c

SHA256
341d955bbf9f4140463187f0cc69258e7c4be16a0404fc06613c999b620547bf

SHA512
7012f710dd838f0941b0d1de8eb9d8b3e8e08fefa116fa92c25abd05dce94f228d461aecfd0738624086c2d87f5b5a22c2fe0a4f1ccd8a71a630b661f33b6661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f210c208d88d556eebece4c1510e5c91

SHA1
e556b3cc92d385282b3008f7fad11b94f7eb5065

SHA256
fde9cddabf4c3e31de7d147082b930a1476b0a8f4ad14132944025151c8f5762

SHA512
7c48fe93c7835c761ee92e41affdf383fb93439de3b25841ee8e6c2452030d9a6a583a650f0cda61525be5274a416c1b4cb16ab7c585bb1affdcb608fba02da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
688B

MD5
4679988ef629139b5629b473ffe14628

SHA1
c477ecc1350f4b90942931a4819be19c9bb32edc

SHA256
63a566b959507b1496420a37b4f7fd35501db59c833f3b02b14575ee5b7e219a

SHA512
2747367dabc67e60295e939261b508a0a85c77e88096fca6a8ff431fc56bbefe04f3acd6aba9f8b2bd8462324abd136e1a1b9ea330933a283f1da6109db65264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7cbb4b5dd839d1067e96b0db48a40d23

SHA1
1bc06c7ecaca3cb9a596de19a682435aea1a7eb7

SHA256
9cdf815733f78d25da39dfc13128bf2f50cdcf56f74b40b95cd87ccbdd284921

SHA512
c62e0754bc36336054ce7a90789cd5e42255ac01ff725283f31e842c15ca62d926e9654a5d076b1ae08264184876cd1d9456e7e6fe5488a59a287918c1a481ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b5975a5f6d04020801446bd3b3d38e2d

SHA1
85c941dc12fca23dedc077d8529c298b7b836c97

SHA256
fca76dfe23f4bd0a36b0e9eefe9072152567a0ef12b277ce12c8704475206584

SHA512
3eaca3b9d591f160ab4921bf5ad312444f63fbfa7594f845daab974740af32ce6084f9c064bbca3121d7cae781e1b6b3a302cffb0dc109efb21b04c117f07cc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
864401a2cd76d381a505c2c53083bb27

SHA1
377cc6326eb86bec17c13b8e6214cf27481adbd0

SHA256
3316e9c6eccca6c1ce2e82a329beca95361cd3756c76356570cd899ec35641cf

SHA512
9618d8f9fa42e86431cfcb15e11da9946c28d82644569860843c6b274529bbc327d3bd7d8c1a5dbd11254278fe8d038cf517045d806da2fa6d09c22a60df7bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
127KB

MD5
31a608701a1385a99451c5bbff2b9ea4

SHA1
c4247de88d6b212639b2e37c448aba1943175b4c

SHA256
aa8a4c3c921492ab9d1412adf357dd7b131ef1f36f9352b06d49ad48f8bf0b65

SHA512
af5d3621e1331d40c17cf957f2c4be4b0228a91ecd61733cb83b4e24728ffc2907a0660d0b118eb6c16c391193ecbd19e94db760c7490eb3369fcb1805a841ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
127KB

MD5
87326fff847fda6a0956b29a5c4d25c7

SHA1
ca21caafaa6c12ce7ab138bb973e07d835909629

SHA256
262d695f153910a3653652756f5abfc7dcec0fb04e7e86c3a66a41e53066653a

SHA512
630e2aa5b88425ecef67c779eb795dcb20d0c8295325a0985c5a3fa6b2515ebb6be9277bf884cf49e6b61282266dd513a8b13d841406468cf59c6fd6264572e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
7726e4e6e2c431dfa576df64738cac43

SHA1
46585ab6d7b8540cf65df1dcb0bbf4600f3a8aeb

SHA256
f1738a5d26eb0352092f27efe0b58878940b32fc7f175dc03240433069ff45ec

SHA512
aef855fb59cd9cf4711655f1067d33f2f7fa19f24164b42db8b0e61a1d01d2ed3d8729a70be7d3e197637b80b23e80f0494de0a3d1adfe1948ff65eafc5152ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Filesize
847B

MD5
ef375f28c91db0202bf7db29c0cbc2ce

SHA1
5a3f5d4ec75a468b908c2eb2b9e6f4b1e76c1017

SHA256
f4d1c038db378dec10e7e2fc81ccc2e2d4b8132ef0d66905e3625a0b0cbbde5f

SHA512
f18141e352fcd253e02cb25fa0cff29ab06dec62bafd5aa80ca48c959d1dba97deae830d01bf521f851a8143b9416747eb170d0cedafa32b59155027c02f244d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F2.tmp
Filesize
1.3MB

MD5
4e5c0ce13eb38c3b5c07be9f05495645

SHA1
78de0126dd9a7c55d50be7f359e60ebd145a8969

SHA256
211547382ca59de974ccb8b2b54b432733dcfd639082c20cfcb0764a8548eaeb

SHA512
95affdaab641698c44a2c14080ca8d55e2a7fab78f123a9d4d83d74162078e8eb4777ec264130011b2807a8c469682232f96f034528aa697d4a9934e93b0fc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F3.tmp
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F4.tmp
Filesize
800KB

MD5
294c2c17228f180b04a3570f0d623cb8

SHA1
00c41008ddb2060947c1da063aadc773b1589c55

SHA256
ddd7ebecddea5f6c8c2612aa389b72ddeacf595a183dcee492eb314559e1d2b0

SHA512
fd1ba2df5dedf05393fc9a5c1f3355ae959e41266602d326fb9ff9d1289e177420cc7ce8b6fdc86b3e5f52006e74b540c41a9e9a14c5f27cc9b63bc2fad3f58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F5.tmp
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F6.tmp
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F7.tmp
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F8.tmp
Filesize
960KB

MD5
466a1260d63b47c819294b29984935a0

SHA1
820c63062d510b1642a5e9d9310730e7b45fa46c

SHA256
a8b8df45a3f8d8fb9d85b384d0a67ed7f6939fb76f0a9f0d661a50875cb202f3

SHA512
1a1150661e6b781c549bb4a0217fe7709bb4509342518a0da2a51f75d6d9814da2ac154cf2e633eb8020973438ef0236e388ddef27fd1b50a654d38f810a95b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD3F9.tmp
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3EE.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF423.tmp
Filesize
100KB

MD5
d67511e6b6353f4790d1c1bfdf2f53ee

SHA1
edd9873c0aa895f8af3dfeaee87edbda77a46aec

SHA256
601cbdbcca7389cc5adf6e87730de1ab78f12e64097feb3129dda15b949701da

SHA512
57474c3ab9426bac786d4d3b794bae856feb78a326fb8de6fae1fb86abcf196159ded93e21f887abd854118a4dab0e965aae506dd439846fa11f4042e5c52258

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF44E.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF454.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF46A.tmp
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF476.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\Downloads\MSBuild.exe
Filesize
180KB

MD5
7bb3d913742d3d4ab1e2236bfde7e4a6

SHA1
abff865c52824231776460bd7b1d068b121d3986

SHA256
1c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09

SHA512
3c197af92e31ea114494c3843f1c1dedb869828db9130435478ebd792cfb09a5101832447be85aa18a8c86b9051dfb23108f5a23841553d4c5cd1951c2a6ed65

Download Submit
C:\Users\Admin\Downloads\MSBuild.exe:Zone.Identifier
Filesize
154B

MD5
d8381149c9db344f4d18c8a675caf567

SHA1
51ee2e18834bb25fed4f3463bf8ab4fe4fafad30

SHA256
3f91854c4f699788d8d1eec4c0b6a106b87e3a4841e032a77957eb1cb4d40e27

SHA512
3e76017942f557fda6bee82e8d898bc19c36bdb8bb67b5534d1e4ccd1e1e549887d33dbad8ae7d552b749f64b16404567ac0371b19d790dc188d8c65da2ea87d

Download Submit
\??\pipe\crashpad_2896_LZNJYFQIZOITEITQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/416-529-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/416-528-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/416-533-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/2464-103-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2464-111-0x00000000746A0000-0x0000000074E51000-memory.dmp

Filesize
7.7MB

Download
memory/2464-105-0x0000000004F70000-0x0000000004F76000-memory.dmp

Filesize
24KB

Download
memory/2464-104-0x0000000004F00000-0x0000000004F1A000-memory.dmp

Filesize
104KB

Download
memory/2464-102-0x00000000746A0000-0x0000000074E51000-memory.dmp

Filesize
7.7MB

Download
memory/2464-101-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/2820-534-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/2820-795-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3276-345-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/3276-342-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3276-341-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/4240-133-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/4240-115-0x00000000054B0000-0x00000000054EC000-memory.dmp

Filesize
240KB

Download
memory/4240-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4240-113-0x00000000746A0000-0x0000000074E51000-memory.dmp

Filesize
7.7MB

Download
memory/4240-324-0x00000000746A0000-0x0000000074E51000-memory.dmp

Filesize
7.7MB

Download
memory/4240-323-0x00000000746A0000-0x0000000074E51000-memory.dmp

Filesize
7.7MB

Download
memory/4240-112-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/4240-134-0x0000000007A20000-0x0000000007A86000-memory.dmp

Filesize
408KB

Download
memory/4240-132-0x0000000007C40000-0x00000000081E6000-memory.dmp

Filesize
5.6MB

Download
memory/4240-131-0x0000000006CD0000-0x0000000006D46000-memory.dmp

Filesize
472KB

Download
memory/4240-130-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/4240-129-0x0000000007160000-0x000000000768C000-memory.dmp

Filesize
5.2MB

Download
memory/4240-128-0x0000000006A60000-0x0000000006C22000-memory.dmp

Filesize
1.8MB

Download
memory/4240-118-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4240-117-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4240-116-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download
memory/4240-114-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/4496-346-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/4496-530-0x0000000074740000-0x0000000074EF1000-memory.dmp

Filesize
7.7MB

Download
memory/4496-347-0x00000000055F0000-0x000000000563C000-memory.dmp

Filesize
304KB

Download
memory/4496-348-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download