redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqblFRblhBLUtadzVBeWY3M0JiOTZWSTh6VHE4d3xBQ3Jtc0trdldITGtMSVhJV252RUlFR0E0Mm9aZEpLUVV5RzVLcWJXV0YwZDE5N1FVR0lpTTVjY0FsanpJQVVKVVFQOEViWmpHdFJnQnZiWktBX2tRZHl4aVhoQV9mWmd4d2pyT256MGMzcGFuT3dPMFVxOUhlTQ&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2F73lizwn9j9n16%2FEwIn%282&v=--J_steGUnI

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 05:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqblFRblhBLUtadzVBeWY3M0JiOTZWSTh6VHE4d3xBQ3Jtc0trdldITGtMSVhJV252RUlFR0E0Mm9aZEpLUVV5RzVLcWJXV0YwZDE5N1FVR0lpTTVjY0FsanpJQVVKVVFQOEViWmpHdFJnQnZiWktBX2tRZHl4aVhoQV9mWmd4d2pyT256MGMzcGFuT3dPMFVxOUhlTQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F73lizwn9j9n16%2FEwIn%282&v=--J_steGUnI

Score

10^/10

redline credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2752-939-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
4800	CritV1.exe
1356	CritV2.exe

Loads dropped DLL 2 IoCs

pid	Process
4800	CritV1.exe
1356	CritV2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 860	4800	CritV1.exe	115
PID 1356 set thread context of 2752	1356	CritV2.exe	118

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CritV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CritV1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673959560932984"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3840	chrome.exe
3840	chrome.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
860	MSBuild.exe
2752	MSBuild.exe
2752	MSBuild.exe
2752	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe
Token: SeShutdownPrivilege	3840	chrome.exe
Token: SeCreatePagefilePrivilege	3840	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
1744	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe
3840	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2904	3840	chrome.exe	83
PID 3840 wrote to memory of 2904	3840	chrome.exe	83
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 3184	3840	chrome.exe	85
PID 3840 wrote to memory of 4288	3840	chrome.exe	86
PID 3840 wrote to memory of 4288	3840	chrome.exe	86
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87
PID 3840 wrote to memory of 1624	3840	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqblFRblhBLUtadzVBeWY3M0JiOTZWSTh6VHE4d3xBQ3Jtc0trdldITGtMSVhJV252RUlFR0E0Mm9aZEpLUVV5RzVLcWJXV0YwZDE5N1FVR0lpTTVjY0FsanpJQVVKVVFQOEViWmpHdFJnQnZiWktBX2tRZHl4aVhoQV9mWmd4d2pyT256MGMzcGFuT3dPMFVxOUhlTQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F73lizwn9j9n16%2FEwIn%282&v=--J_steGUnI
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffc7b3cc40,0x7fffc7b3cc4c,0x7fffc7b3cc58
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3764,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3436,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3364,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4960,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5312,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3376,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5676,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5928,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6132,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6236,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5832,i,14219847844626670915,7746009788402349166,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Alexx\" -spe -an -ai#7zMap25921:72:7zEvent32106
1⤵
- Suspicious use of FindShellTrayWindow
PID:1744

C:\Users\Admin\Downloads\Alexx\CritV1.exe
"C:\Users\Admin\Downloads\Alexx\CritV1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:860

C:\Users\Admin\Downloads\Alexx\CritV2.exe
"C:\Users\Admin\Downloads\Alexx\CritV2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
af2ac817e91cbbc9f636481382b93e59

SHA1
894ef7346e32f322bb069e7b352e501bdfe9d60b

SHA256
a792c41e8f33b310d4702758b37ab67a8ee262d24a8d1c85121f4a00ccbc0b6a

SHA512
d8a5a59f87ac493f187a0609972e1e5b05ce579c1879df5172f24c66429d58d7f587b5dc440c3fea3a7b568ff1455f8aa73e8524ebf4d03b537c63b8850dd932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
28KB

MD5
13d4f13cd34f37afc507ac239d82ddbd

SHA1
6d500935a441d438ed052e90de0443bccc8c6d17

SHA256
76464e77d22532976bbe5d1829e97854d5c37ed5a46ff300ad9680876ec81d01

SHA512
152e6449d09a7b544cf6f986c9695ae07c330f4b13068cca028ab56ffdad6ff2467f371ea4385ad71da023f3beb83fe0ba1d6d413f1ddde14372efe82ae36b6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
54KB

MD5
37959a576d1c511c860b54d397c637b9

SHA1
473769a31b689601101799417ef37e224e96c5fe

SHA256
6f0b3c89250cca84a1caeefe090b014e1a4a5c48d349debe74f365cc863d026b

SHA512
b83ea3aa7884b5a372f0ddcf644a8227dfa90b6e4e8c4019000b7f6765116ec3fef379ab613f4cbd1a186c37842c7ce6f876ea89aad27cfa1686293c0541499e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003e

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6052de2ff0e9902a44cd80cff7b80008

SHA1
a1c36802da786846bf3f8b3740d48bf5d14586ab

SHA256
dc26836e8a34ad8d36fc1099f6ecdda3692d22df6f010257676b26f07a1666fe

SHA512
16d9d288c099169ae2cc08e2f60fc1bb3ddaa0e6e72176df4d641f80ee145d4b76b19c05eccf3b941deb406e942d11f0e6830c71de0bed19e34b8a6f2ca146c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
48KB

MD5
a2cc785925191302c636cc41bbd1e857

SHA1
5413e8d967805898afd43e597914ca028c7d5e62

SHA256
9af731dca8fc9861a175bf0974ec77c28e741a560997ad91527bb1b7ede40825

SHA512
0d45ae7e4cdc7d43d2ea2cbba0ba6bc9261cf8da0dc30df29a1c3821778110eb4705d83e102e6d66b947d6663013aaec3d0cb40bbc12fd3dc4e9780f4296fe9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0ffacf57e7c8a1400849c589cf952a0

SHA1
eb75e4fd4b3c3d32e40e57a1e7b9879d6ff7b121

SHA256
6de86bd6994ebb5353f0f409c8376b9c6593cbe93e1644f40fe04531fa55b7d6

SHA512
ef7ebb1ce07b273c3b2a2fb4a8761d07bd43ba3dc75431cf54aad3200e27d8559a0978430565809ba76565149a49e631bfbbc191e76bdbb1048601eaec18df9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f967d9bdcf26489120b14722d92af50c

SHA1
606006d2ba968764dd0c31831a2bfcaa4feef970

SHA256
c7088088fae14b0fbcb728b9016bbdcd8bb87bf9875e89df439081bf9f737acb

SHA512
c7eefcabc04de31b96905897e3f41c817911202be2f965fa9dd7a39271be6273ecc9fed15fa5009b79b549ad501e31c63fbebc63cb978dbe256bf7a7487b624b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4405b4e83972dc050cae0adfb7aed06f

SHA1
c9f3aaafae1dd95febef7596c828ef0813380d20

SHA256
e0bda75ac1f9f13a2a701c49fbc9f680e1de55f5ebe3c9a3c491102ee69d23cf

SHA512
770b97758f50ae5b9d3f6b1290fab86edca87ee30f8dbd0c5fdd15d01a8a0b77fcb5126ab0845f462e337870d44a48cc97febeaaf87cf31b0a17e26d3cf5a51b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ede8628dfbe068606349bb75671914b1

SHA1
d5e0b6bb33ff31eba17760d210d2538595498a5c

SHA256
57d5c49ff6187a41ea935587825bc45eef70036b0ed338d4d7586d797619a862

SHA512
fca5abbec43664ad567dfa1c263f490a5febd386991621f44336afa7202c3fc8dcbe0369a3a29839206a212eff5cd07f2616725d7096800d417b172cbfa699d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14cb2b1b6c4220382ffe1ff8855319d5

SHA1
5b145a6f338ad948826cade04c0a2c5eb70a49e5

SHA256
a9c48957d5d92769d43123b720247641d9ca39351cb2de8643701e40f5bb7def

SHA512
a7d080c83c7447fca515f853f4b6bf625b529046a2d3100084c835777f1b919017abd5bbfc7e1d94e10af95e3aae130ddda78d6aa0d64ade76b4c09618e2e8f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3bbfb6339014c2352d651d8ff3b7cc17

SHA1
d068f0da34e0f719e0566afaf130a92cca88511d

SHA256
f0344e7d0af85a13e46bb8e5ea0b04bdeb5135a72ee3c5ca60cfcc5ce1c9ab93

SHA512
004420d2d5af629fe5502cc8a3780492252d8eadee65e9081391fdb780995882bac461732340fdd9820e6b85afa6699a701ffa64756f0d0ba73551962f5342a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6c90afbf59531f3df9fee97bf0a17c73

SHA1
51325add4814d5ca74bfce7a7450456f808ea84e

SHA256
f5dc6779b74d70fd73c8681878f43b4947d35984415eba98f41a01e5d94ee7e1

SHA512
6cc004a898c57fee7b3adf0f64b39f232294f3bce3ef1560f732040a634de9b656adf43976dab06b2f7a1ed3f12a6192e2c28b4832645ff6de2493e32422b6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2c06180ac37e21f7f4da517f14ca1fc

SHA1
97995750c3f1062bdb5539acbb515217c6f55723

SHA256
3e062b7d5594a07ece009daf3f68c228d977cdcea03f8e1a86ab35a9bd502c3c

SHA512
1f2176b903e4783970d725a564af9925a6f9c0ad027452dd2d586f1cae0c0aa5849917e12be977e3b012998cc880e82a4e7ee70f45676922eec5d7d1ba0d50bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c63ff00dfccdc6496d0dd854d598750c

SHA1
1fed70036131312ab3247150d9f5ec1247ef9c55

SHA256
15d5096ef4b1a9a11890c4cd2ceddb0c3da7278f2d19674cc6a9bf4e5087cef9

SHA512
a70804eed69a756b762eb03c6da81f8047a503a1a68e98aa4626762f7a866acf086c28486fc1a17490810cc983da149866f1c648ec0bb3be3224b28f215a56bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c63bdd2edd3a352c0acad3760c2c49f8

SHA1
f06e3efed6d2dfc802336155820fab2e7d024370

SHA256
fcc1a815843fadf75ebb49e929db16982daed13d458416ead73d894e28527f99

SHA512
7fe2aa484b2130dd5ad7aec3c29f6a6a76820d0dd3091b42530f3c81505f03b63bf5ad180ee9b01bcf04bfa73e7b257f6b83e51d355a039377f4615c9ad1b6f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c346d5d1c7998a3032a7a3a70325307e

SHA1
f66837cda0692ec699523e5ca6f4301cb71013ae

SHA256
d679c34bc3e47326fbb7a43dc026b9c60e2b03b3c56431e6adbab27b7595d4da

SHA512
a77cba7f538739dd89b8b13926895386d1d1052ec94ca717c3aff44db7f92cfcb3257eda6ab76a2cbc53763ce5c918a6da6a4e62396efdd516e8606d9f2ef018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
978KB

MD5
122dd8881602f97a12dcbea071bc41a2

SHA1
d71b2c9b165654b2a63d975596097805b774a649

SHA256
1987167c81dcd93f940e9603a02231857f4676689d0db6884d37c5135cb62d3b

SHA512
21ce7fc809cafc3e01f2a7fd59dab92d20c6ec9d7ca0e3c6c98b309e3711ce4ad22aa9b71d8a20e9625e61a25c6bc6f87dfb751bcad2c1e97b6ad238035cd51a

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
508KB

MD5
9e37524f02417a1965ae2cd652437ae6

SHA1
8ff71dded48d0486ac1d05e6857d56b54e446322

SHA256
0cda51dda990c8b1c529fce48a3722dacce55ef88ae676fb13037ba36990b9d0

SHA512
ee44edfdbf8c3bb95d1756731c2f1b7b419ed21c91bac0e4cbc46216c5134bbf8af3c96c949389dc3e61c89620c227d9ca76db101ce26d6df115fd987c478a69

Download Submit
C:\Users\Admin\Downloads\Alexx.zip

Filesize
5.3MB

MD5
741d0af7b31fdfdd1ec8137bcf60fcc7

SHA1
ef2961a97c8909eb05080da78b5ed3253a0f6773

SHA256
92057df675debcb064e5aeef7a9b5924f3fe9d97ce71440292a0be626718737f

SHA512
0d3ea5dbd6c3f055a607d3e552b333d17ca884e2acdaeccaaefef47bb4260550551f7894a1cfddc2a2387c36555803b4ae0b531bb68ab0c59bc2946f72a597d9

Download Submit
C:\Users\Admin\Downloads\Alexx\CritV1.exe

Filesize
674KB

MD5
82e24c2b282c5f8af237753df3ec0351

SHA1
672602ae1d201016fddf7e0e11476507beb9c4e0

SHA256
2c0385e022ca35bcc70831175e0a4c60dade19bec55c4174aaa4622dc42d8bcb

SHA512
8d8319a474096b9686521510372c4221179d9515de75b9b1bab00323d31a2891e37560395f0c172d61febfcc2cd9daad3a0dc855074a2ccc2853696266509f83

Download Submit
C:\Users\Admin\Downloads\Alexx\CritV2.exe

Filesize
612KB

MD5
2d0b9fc615f9cf966d971dfe822c9796

SHA1
344f6729b5fee1d08ba58afe00a07593b52ec518

SHA256
ca80b9bfe33c36e86ea77847e076d155b762d991575eda2dd50a1bde6cc6e69d

SHA512
4a3e8dcb5fed13f2414d5d721390140d9b2894cf6639694a6bf130dff571ba9d52e005f94fa92b1c24e713c3828ff5527f62e91a69194eb486b8add05ad70fc7

Download Submit
memory/860-951-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/860-941-0x0000000007D30000-0x0000000007D96000-memory.dmp

Filesize
408KB

Download
memory/860-926-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

Filesize
72KB

Download
memory/860-927-0x0000000005E20000-0x0000000005E5C000-memory.dmp

Filesize
240KB

Download
memory/860-928-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/860-924-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/860-921-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/860-923-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/860-922-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/860-925-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/860-954-0x0000000009770000-0x0000000009932000-memory.dmp

Filesize
1.8MB

Download
memory/860-919-0x0000000000600000-0x00000000006C8000-memory.dmp

Filesize
800KB

Download
memory/860-952-0x0000000007DD0000-0x0000000007DEE000-memory.dmp

Filesize
120KB

Download
memory/860-955-0x0000000009E70000-0x000000000A39C000-memory.dmp

Filesize
5.2MB

Download
memory/1356-931-0x0000000000A10000-0x0000000000AB0000-memory.dmp

Filesize
640KB

Download
memory/2752-939-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2752-960-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download
memory/4800-912-0x0000000000B20000-0x0000000000BCE000-memory.dmp

Filesize
696KB

Download