redline | 5af1b2b8d2c05c980dcc639322202c3c465ad25821c2c445559353da2b1930b8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Excellent/bin/Excellent.exe
Size

558KB
MD5

42661ea68d2293c67cb878d88257f7f2
SHA1

a63f14b94257e93f483fba2dc9c9338a4d487d99
SHA256

8157fd69bd3a3259d7911729323d4fe91eb4745fdccf2b605787b956ffe8d1c2
SHA512

1d506d5815f44a27ea65601ef7da36e912f2f00accce63532f5c793808235a187589a6bddaa12d3feddd483f0f7d9a67ebd73d7a0f5c30df34ef9dcb5ddcab9d
SSDEEP

12288:lgP1HBOB7Nu02X6CVswMK8qDapoEts/bj9XVk2TtF2gip5/V59ihmPWjZ7hHl1H5:lgP1IB00hze

Score

10^/10

redline 1464974140_99 credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1464974140_99

https://t.me/+J_Z1QGHfHko0MGZi

https://steamcommunity.com/id/elcadillac

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4344-9-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 1 IoCs

pid	Process
4772	Excellent.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4772 set thread context of 4344	4772	Excellent.exe	89

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Excellent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663851585840848"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
4344	MSBuild.exe
704	chrome.exe
704	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	MSBuild.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe
Token: SeCreatePagefilePrivilege	704	chrome.exe
Token: SeShutdownPrivilege	704	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe
704	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 4772 wrote to memory of 4344	4772	Excellent.exe	89
PID 704 wrote to memory of 1952	704	chrome.exe	106
PID 704 wrote to memory of 1952	704	chrome.exe	106
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 1416	704	chrome.exe	107
PID 704 wrote to memory of 4208	704	chrome.exe	108
PID 704 wrote to memory of 4208	704	chrome.exe	108
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109
PID 704 wrote to memory of 4192	704	chrome.exe	109

C:\Users\Admin\AppData\Local\Temp\Excellent\bin\Excellent.exe
"C:\Users\Admin\AppData\Local\Temp\Excellent\bin\Excellent.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffda240cc40,0x7ffda240cc4c,0x7ffda240cc58
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2228,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2968,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3208
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x7ff7eee44698,0x7ff7eee446a4,0x7ff7eee446b0
    3⤵
    - Drops file in Program Files directory
    PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4064,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4060,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5240,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3404,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3364,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3200,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4644,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5584,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5752,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6012,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4652,i,1005327034188715587,12270702436901999372,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:1176

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0e8f804dce202d18e3affc881860c5b1

SHA1
3e2637117443f6ce8a648f651bbded602ff7eacd

SHA256
b60c654762c4353475721f9bfd4e89c8c5b0a32f352d23c59d4c932a307d2821

SHA512
ddd2f11b3e2a0552a38cd95839803b8ba41e63e38c6a719e5e74668051bdeee21634df4b58db9fbd2dc34f8a0b2332fbacfee3211369149529535d9e4e857b73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
20KB

MD5
12e636f1d788211d64c7e085be42b6d7

SHA1
45dd78f6c42a73de7fad6611abcc29e93751b483

SHA256
c7f6ad61c450bd027955c322f191e9eb4b9f87f70936f7f79ec6a73e0bdba1d7

SHA512
a49903ff20f1fd8a4873dfbf2d51e43a03e95bf0b939919007af5ad27f1507b5574165815bc75b499d20f4a925835b8e8167ed7e0b940c53d28dd1256cd5fc62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bd0b92cc81dbfa62b9048056d75afc72

SHA1
f3f9f9c6ad009984960128094cb9d0cc69b781c3

SHA256
ca9c14da454ad6cb118cc91e2838a881813d329e5d7267e169b85082c259cc6b

SHA512
54c9bea59ce1eec0a1dd04e4c322a2c599f0d1b601a6d7d035b270989933473a7f37f145f0b8e6b205581cd3d2b4ca037c3f4c05fc34621240af7072984b1c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
02b45e774949b982dd77f173151546ca

SHA1
c03aafd5d8181b6f173788ea38dd441292e7b4c6

SHA256
dcf4323feb9247ee3f8786ce4913d77dc5feccf919a356775914b3793b835a50

SHA512
6b857a54a9fe34a177929047606421755354ec0519e8d95aadac52699a80d3cf63bca329b89523d2e26b0c21fc4401dd9e6d2500f627e65f2e8caa9299d24f40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a029f211b326df9452b8dfab9a8afe7b

SHA1
084ed64cc331b1527b997b5072855d18ea7b7064

SHA256
fa14637756a6964f4dea28cc556b712b1ee95e0acb1dd45915ec0375c305a03d

SHA512
4ca1bac83af5b405a6338a8d30b6a28cf0c20638cf987be495c04bb935d6c9073e8dbc7f3e29cf4351c3deec8467f28a973333a2075c3e73ebd5ce97075fed55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6bf8d0a6583fdeaa48cce4aeae80b817

SHA1
ac3b0904849f09df5bcaa294ed0b6a13a2367d64

SHA256
c5fbc1061e055f9b713c62b0ee224f6748b741889095d3913cc54c4612fcfb1c

SHA512
fd2a57fe489f683d918a3796bc2211839b82211b081f4e1d5bc332cb021e43c6db1ceeb0ae43bc6f8914b889b2690a53cf319e55e53ce0f67d056512e3068e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
800773e36a119b40ac4665c04e8d2d11

SHA1
d74f9860d9d1762c7b37eeb0997e9ea63d4b9535

SHA256
279dab6b6cfbd913d45a9c243c09274dd09bd1971009d24d113b24060559a383

SHA512
dd0255df609657f6187304f138f456b85b7bdcdfeecf4debf179b8c3a722ee21a959cbc8a62024a8e3e7bd6d6e93c0f3962392c3d02a7c1a6cdeb5105b4c56d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7996ca7cac5693b66ee3c20d1e107a1

SHA1
22c73a641d00808e1a9e9512a76375d875335603

SHA256
33a9e87c96ad0b3e2fd410ebe0c372aabb675b44bc51b0cc3da2c737aa13c58b

SHA512
ec19c1bed7f07725f3d12f11f75fce299dfc495f63a29b1b6d53f3382046b02f9df75fdadb406a0adee4de35ccc2981a595759d96bb1f5ee5a766e8196b84380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d0cdac2450daad3130d816594e86af5

SHA1
7232dd87c897099779176cbf8911773a89474108

SHA256
50b66120b41972cff360153677fb862211b89f6df93e6f52f1ea47444c8154d0

SHA512
7a8a4be3479e3310e23c55e148d7577732ffde2514484deb2421530ed8dee73f1bc6d5e95c4a8bc1d650126c0d6303e79e8e56b918629fa2b1606bc33091e995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b8c81377d13326bf40e754d7b2d17e4

SHA1
67969a398aa0b98399a9ef40c5cb89ac74f40b06

SHA256
ff9d1f3e4f14ec99d041be58f8862b4c12be8a24db696b3730e3af55c31d85db

SHA512
ef296dc0ad3ae035805b5486d85d561f2deb824c9ef86abb92648fa0bc410ff536d0b6a186516dbaac6e712a8226e586ad929fe8d63f298b0c19f474047474cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eeec51a90df8f14d7fbe64ee1ef60d91

SHA1
a34a072b4aca9b7a99b699fa7507663536ddc635

SHA256
39aa9b007d66c1675f0857d28ddd30f69c42717ae0a7cab835d1d03ece536345

SHA512
b54eaf032ae63bd891fbe0313a7b1f956e28b83845c443c5ea3991da8f7bf6fb17ab367f368a73e5d4a1959db1af0e6389a71b2eb3a4d418b4d14c3fb8ababa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b9363005e101625aea2f7da740fd042

SHA1
2ffc896c64446014b2a2e4106a5e24ae5ef3e238

SHA256
9e046ea2e3994349c96b02849ddabd01fbb9c0e3c16ff671c1740db39c48c4f1

SHA512
92b890610539efc9525c21bc8f8c757c4e09a136f517aee8f7ecb095afe9807a71d7382cac5e0077138b771e55fc99f15e654dbf7a78f55b81dd302f7637efe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce335e4e210553828a5d61b143941b90

SHA1
733d6db5df5ac67c9a3033186c47ffc6ec634c1f

SHA256
d3da7e8cf793c33b40cf5a67c32720e034a030efb62c2ef7b44e32f7cb2089ed

SHA512
7024fee9496dd5a6dbe756e042f0df48af82f7c5aab1d2548a4a9f4f6a584e6c7c45deafe70073c8046c4c97abfbc06b4a971b60ccae4309347088c7e205fd67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bd2d50a9d56598ffca7746e21232506a

SHA1
559c939e8ff501cb25f64210415298ad90858185

SHA256
0c3ffbb91303304a0674d766ce2bee3d58a0fffca9ef310be1183aa9cd5a7189

SHA512
4ba856dff91a957a433d46dff27e252e548a959e98ab60a70e94e2231c901a455500856188e3783895271776ff04c58353ebf99d080c49868838e48f1553f05e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
edb46022bf275ee25d1c9583b9d4017b

SHA1
eebb6b0f091a3fccd0fb0af97cb17409e6d91897

SHA256
ca8c99d07f9f5b4153922f5c8a0786e87cb8de1a48d25585dcb1ff55321b5e1a

SHA512
9b9c3b94666b45526ad3fdde91513acf0aaad093e22d690fee193e0ad59792816481d663f7fefc25c8dd1a2bc79aca4b32330326542404698c0f0a0618bbc21a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
fe1cb6881a85df2c8c0c137c40c2b6b7

SHA1
5ac3a20727f5e422288e45f40189c672e0e4dec4

SHA256
9813b024c2b43e47f354749cd9504aeb99e51473bc066a3cc161592c0dd918f5

SHA512
2a9b3356d50b8e285ff887aa04417aac4a94b37eba5eadc5c265cdb1d84530dc7c9edb4a77d4d3fc81ab0a6aab5a481e47a69a3654df2eef7d6dac16333b7c72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
9fd99b5907cc39ae0f1d61559c7866c5

SHA1
8aa1c330f78748838d7753309ffdd20ef9375995

SHA256
c91d4d0eac788ded963d7e811ad9f1bcd25f8d3484029ac9e29afe3c2247c12e

SHA512
d5a2fa445e9696ae0b808ac72b8c42e1449db7eaa1cea930da2f49537435d59d1cf05d4f66aa998f141bc029ab264df3fdcb1912ce4fb9ee25f95f3b63fa5c10

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
285KB

MD5
a159a8f54865b84d038166e0e61adef9

SHA1
61b0275b761d057a6ae52c0117714328ea934c42

SHA256
a024a176adec30449a16fac5ff34d5f93b6b0004a7ba92220bafe74c18ff9a71

SHA512
7baca77bb715dace626e8abf6156c6d356045bb8dd962b77428c72f9652262647ff9b36ecfb359f2a6e1995eb09fa057c8e4ff3a376d4ab0ca98328b4caf99fe

Download Submit
memory/4344-17-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4344-18-0x0000000006250000-0x000000000628C000-memory.dmp

Filesize
240KB

Download
memory/4344-28-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4344-26-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/4344-25-0x0000000006920000-0x0000000006996000-memory.dmp

Filesize
472KB

Download
memory/4344-24-0x0000000006850000-0x00000000068A0000-memory.dmp

Filesize
320KB

Download
memory/4344-23-0x00000000077C0000-0x0000000007D64000-memory.dmp

Filesize
5.6MB

Download
memory/4344-22-0x00000000067B0000-0x0000000006842000-memory.dmp

Filesize
584KB

Download
memory/4344-21-0x0000000006CE0000-0x000000000720C000-memory.dmp

Filesize
5.2MB

Download
memory/4344-20-0x00000000065E0000-0x00000000067A2000-memory.dmp

Filesize
1.8MB

Download
memory/4344-19-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/4344-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4344-12-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4344-16-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/4344-15-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/4344-14-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/4344-13-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/4772-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4772-11-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4772-29-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4772-2-0x0000000004C60000-0x0000000004C66000-memory.dmp

Filesize
24KB

Download
memory/4772-1-0x00000000001A0000-0x0000000000232000-memory.dmp

Filesize
584KB

Download