redline | hxxps://gofile[.]io/d/wOuT2J

Analysis

max time kernel
50s
max time network
53s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-07-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/wOuT2J

Score

10^/10

redline sectoprat cheat discovery infostealer rat spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

194.55.186.129:26644

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1544-108-0x0000000000680000-0x000000000069E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe	family_sectoprat
behavioral1/memory/1544-108-0x0000000000680000-0x000000000069E000-memory.dmp	family_sectoprat

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

ravenX.exeravenupdate.exeravenX.exeravenX.exeravenupdate.exeravenX.exe

pid process

4364 ravenX.exe
1544 ravenupdate.exe
2960 ravenX.exe
4536 ravenX.exe
4552 ravenupdate.exe
2200 ravenX.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4364	ravenX.exe
1544	ravenupdate.exe
2960	ravenX.exe
4536	ravenX.exe
4552	ravenupdate.exe
2200	ravenX.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ravenX.exe	themida
behavioral1/memory/2960-116-0x00007FF791FC0000-0x00007FF793304000-memory.dmp	themida
behavioral1/memory/2200-261-0x00007FF710AF0000-0x00007FF711E34000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662018252521269"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exeravenupdate.exeravenupdate.exe

pid process

5032 chrome.exe
5032 chrome.exe
1544 ravenupdate.exe
1544 ravenupdate.exe
4552 ravenupdate.exe
4552 ravenupdate.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

5032 chrome.exe
5032 chrome.exe
5032 chrome.exe
5032 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeravenupdate.exe

description	pid	process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeDebugPrivilege	1544	ravenupdate.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5032 wrote to memory of 1908	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1908	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 508	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1184	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 1184	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe
PID 5032 wrote to memory of 168	5032	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/wOuT2J
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcdeac9758,0x7ffcdeac9768,0x7ffcdeac9778
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:2
2⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:1
2⤵
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4388 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:808

C:\Users\Admin\Downloads\ravenX.exe
"C:\Users\Admin\Downloads\ravenX.exe"
2⤵
- Executes dropped EXE
PID:4364

C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe
"C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Local\Temp\ravenX.exe
"C:\Users\Admin\AppData\Local\Temp\ravenX.exe"
3⤵
- Executes dropped EXE
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1720,i,10948663473963568621,12238224795698272622,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\Users\Admin\Downloads\ravenX.exe
"C:\Users\Admin\Downloads\ravenX.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe
"C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Users\Admin\AppData\Local\Temp\ravenX.exe
"C:\Users\Admin\AppData\Local\Temp\ravenX.exe"
2⤵
- Executes dropped EXE
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7fd7117002fb8ad171e31c529393b4cc

SHA1
b4d3e3c2ed6b63d6f38694a334d89946ea585d87

SHA256
e1a67b2ffcb24072751ec390e4a0c49a2503ca213040cf00c1be5d236a4d3b87

SHA512
22f0d5597e246fbe14cf69f2fb76f0d07990127fff4911dfa0bdb2f5c6dc6ac0d79b5db474bd05429d192aae3fc08ce16d05b4ec1c49c23d733d06fbfb6a49d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
5a4829365f41ac4f4ce7bddb7cd09eee

SHA1
97545c41f31f4aa341395f448ca4201db48cc034

SHA256
6a0297f9950452cdeda2af9d700e8d9886a4e100678d98c648818a6114362c36

SHA512
41170887a1ebca5861f84a42761986ae3dcda3e04adfadd89fb4707fadc158f33da465127599910979a92a3a962be5875f63cfea88884f54c2b8d21fcdaf6958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13a827b18a921e77ba35d94218ec90b9

SHA1
e580f18ff855036ac42f5d7f99975e31058cb258

SHA256
09a60eb51f1ce12cf4865d3d942a30f4f39f8c0befaa10cab3df3300c25ab5e7

SHA512
35630bd3dd59df60aead773ac3cf2d8f80595b5ad1a5933bcd92700afb2375ab3db81c57d6f7d27066f5e5ea7d8d1d4978539e5343bc22f4890ff8c99eab2de9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4a0ec58a15d71fafc51711a54fa3215d

SHA1
1e7d90e3d73269801246f6eae7f1908f4aa1df6c

SHA256
89c076f0a80a33bc73b432f1a030a395bf0884ad2a1f3d82075b25963c2c1c17

SHA512
51ac9f22962d5767cd5c723539590fab3e3a1deecc34ed4388f0af1e6f49750005c8399f94945479eecd20bcac85554f061529e3847874a2b16b11906f3387cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
37563153108eec70c2ef0f8980883ffb

SHA1
f44abdab97eb41eb63881dafb2f23300505bc697

SHA256
d6abd606a2ce3189a39e299403214f09e6699b228b07571e3baa80cf6301dd70

SHA512
6be122b0328efe7764dc930e58f0bd3b2a6b5b2925c65f1198df73eb6cdf2a9057d8aafdbfe11cfed14881809c4111645456254fee6045072d3063455e1d2181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
672bf7da5c4874d6b79af47f7e08ff70

SHA1
d9cb9ed6b3cab951d88a1c33c4e4105629d90a72

SHA256
c5fbde12a3395b2a3f6a45369a2779d9f8d67a852a8baa702927d0f681e2436f

SHA512
67c74ac1566d98637f1fb958a22925551b2f7da0cc69e27e4b5ec043b5f54052dab133f20b645c1a9bc5afe1173b36c2fa576474038ddf2b3d01b0f5d9d4fa35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ravenX.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ravenupdate.exe.log

Filesize
2KB

MD5
48ab429dfbe6d06b63c31eff55ac2b58

SHA1
48525ec5a93b6d3aada3007432fbb00771e29dda

SHA256
e5753c4664b0236490edaf31ebd2daf4ff8017701f1fdb13eab4732ac3b323af

SHA512
322d32e27ab68f36bcbf6942594ab9c412757e7a9be99b3453ae5a8d398525ab6d2405e9f13a53e0b401c494f68beb8ef309a19d2231ee43cdf6cbf927d1099c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ravenX.exe

Filesize
12.0MB

MD5
3a2ae10c84b29000bdce225b47d9d449

SHA1
ddefe82d60f0b592bc952be0a945bb170234b1df

SHA256
2000f6dc7513ce05d366b8dda00b905d24818adfa1be9b6effdf103adeec3b17

SHA512
352fd2be6a778489e737ab8c897053dd2e25df1356ddcdd1f892fa6a87d9994ae51e2f91d24f154d0ac8de66cec85ce915eef34723fb7a5277752c87db4f0cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ravenupdate.exe

Filesize
5.0MB

MD5
64fafd3369956375e0ac1c9ef85c2002

SHA1
c53f2f752edaeb5453d73aaf89b6fed216d6cfb6

SHA256
6cd6ec0104f52d232dfe5c59b00e87d24490a7774e154233d467b8887616d1a6

SHA512
344328457469fc29e8a8af21027becc146c1407e39f62475b62760a7411135c953362fded218507845277909a20d1774d224245797166a8f19dffced2a8c800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC241.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC256.tmp

Filesize
92KB

MD5
f0764eecc2d52e7c433725edd7f6e17a

SHA1
2b6c1165e7ca5c433b29db548ac2624037c8cb38

SHA256
6764736d2bd111036bea0eeb890cd75a5bb4114275abfffe615d9f79049f0ffc

SHA512
3cb2f0abc6925907488de7ecef46d60106efb98cec3c63e24e531bbf94dcd8c89ad57e0a88084eaa5083265f32134e6636f23808622db5cb3f5c83faaba96ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC281.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\Downloads\ravenX.exe

Filesize
12.0MB

MD5
0078672c430406ac8115d2fb19508f08

SHA1
0d0c893bf9256ad417d00965b93da251c5712780

SHA256
5fd391a6494563e189edd3bf6948a750a5578b2297c9dd355f7385b2d1db176c

SHA512
8857016c4f5d0c13d5915a9e0922698d203d23aae07a780415804fc6e56a3787a72b191a0377a72b99dd8bb3104c5d4a228e13c8690dfafb8b544cfe0df8abf8

Download Submit
\??\pipe\crashpad_5032_KHUQDCOWPVMQFZEY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1544-118-0x0000000002A70000-0x0000000002ABB000-memory.dmp

Filesize
300KB

Download
memory/1544-240-0x0000000006980000-0x0000000006A12000-memory.dmp

Filesize
584KB

Download
memory/1544-242-0x0000000007270000-0x000000000728E000-memory.dmp

Filesize
120KB

Download
memory/1544-121-0x0000000005240000-0x000000000534A000-memory.dmp

Filesize
1.0MB

Download
memory/1544-124-0x0000000006360000-0x0000000006522000-memory.dmp

Filesize
1.8MB

Download
memory/1544-125-0x0000000006A60000-0x0000000006F8C000-memory.dmp

Filesize
5.2MB

Download
memory/1544-126-0x00000000065A0000-0x0000000006606000-memory.dmp

Filesize
408KB

Download
memory/1544-114-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/1544-132-0x0000000007490000-0x000000000798E000-memory.dmp

Filesize
5.0MB

Download
memory/1544-241-0x0000000006F90000-0x0000000007006000-memory.dmp

Filesize
472KB

Download
memory/1544-113-0x0000000005740000-0x0000000005D46000-memory.dmp

Filesize
6.0MB

Download
memory/1544-108-0x0000000000680000-0x000000000069E000-memory.dmp

Filesize
120KB

Download
memory/1544-115-0x0000000002AE0000-0x0000000002B1E000-memory.dmp

Filesize
248KB

Download
memory/2200-261-0x00007FF710AF0000-0x00007FF711E34000-memory.dmp

Filesize
19.3MB

Download
memory/2960-116-0x00007FF791FC0000-0x00007FF793304000-memory.dmp

Filesize
19.3MB

Download
memory/4364-102-0x00007FFCC9E70000-0x00007FFCCA85C000-memory.dmp

Filesize
9.9MB

Download
memory/4364-112-0x00007FFCC9E70000-0x00007FFCCA85C000-memory.dmp

Filesize
9.9MB

Download
memory/4364-94-0x00000000009F0000-0x00000000015EC000-memory.dmp

Filesize
12.0MB

Download
memory/4364-79-0x00007FFCC9E73000-0x00007FFCC9E74000-memory.dmp

Filesize
4KB

Download
memory/4552-260-0x0000000005460000-0x00000000054AB000-memory.dmp

Filesize
300KB

Download