raccoon | 2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

Resubmissions

29-08-2021 09:08

210829-kbvd4yh12j 10

29-08-2021 09:00

210829-d9htsa2ade 10

Analysis

max time kernel
1800s
max time network
1596s
platform
windows11_x64
resource
win11
submitted
29-08-2021 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf56d1d215d546e5add6dd065232224.exe
Size

143KB
MD5

bdf56d1d215d546e5add6dd065232224
SHA1

07b2cc6992490266a7cce234e7a4e2efafc72bec
SHA256

2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950
SHA512

2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Score

10^/10

raccoon smokeloader backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	Process	procid_target
PID 4516 created 2536	4516	WerFault.exe	88
PID 4748 created 848	4748	WerFault.exe	94

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

2030.exe213A.exe7670.exe

pid	Process
4616	2030.exe
2536	213A.exe
1584	7670.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7670.exe

pid	Process
1584	7670.exe
1584	7670.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.exe

description	pid	Process	procid_target
PID 3440 set thread context of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4460	2536	WerFault.exe	88
4644	848	WerFault.exe	94

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bdf56d1d215d546e5add6dd065232224.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe

Modifies registry class 4 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.exe

pid	Process
4712	bdf56d1d215d546e5add6dd065232224.exe
4712	bdf56d1d215d546e5add6dd065232224.exe
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3100

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.exe

pid	Process
4712	bdf56d1d215d546e5add6dd065232224.exe
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100
3100

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

WerFault.exe7670.exe

description	pid	Process
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeRestorePrivilege	4460	WerFault.exe
Token: SeBackupPrivilege	4460	WerFault.exe
Token: SeBackupPrivilege	4460	WerFault.exe
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeDebugPrivilege	1584	7670.exe
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100
Token: SeShutdownPrivilege	3100
Token: SeCreatePagefilePrivilege	3100

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2030.exe7670.exe

pid	Process
4616	2030.exe
1584	7670.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.exeWerFault.exeWerFault.exe

description	pid	Process	procid_target
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3440 wrote to memory of 4712	3440	bdf56d1d215d546e5add6dd065232224.exe	83
PID 3100 wrote to memory of 4616	3100		87
PID 3100 wrote to memory of 4616	3100		87
PID 3100 wrote to memory of 4616	3100		87
PID 3100 wrote to memory of 2536	3100		88
PID 3100 wrote to memory of 2536	3100		88
PID 3100 wrote to memory of 2536	3100		88
PID 4516 wrote to memory of 2536	4516	WerFault.exe	88
PID 4516 wrote to memory of 2536	4516	WerFault.exe	88
PID 3100 wrote to memory of 1584	3100		92
PID 3100 wrote to memory of 1584	3100		92
PID 3100 wrote to memory of 1584	3100		92
PID 3100 wrote to memory of 848	3100		94
PID 3100 wrote to memory of 848	3100		94
PID 3100 wrote to memory of 848	3100		94
PID 3100 wrote to memory of 848	3100		94
PID 3100 wrote to memory of 3096	3100		95
PID 3100 wrote to memory of 3096	3100		95
PID 3100 wrote to memory of 3096	3100		95
PID 4748 wrote to memory of 848	4748	WerFault.exe	94
PID 4748 wrote to memory of 848	4748	WerFault.exe	94
PID 3100 wrote to memory of 3812	3100		98
PID 3100 wrote to memory of 3812	3100		98
PID 3100 wrote to memory of 3812	3100		98
PID 3100 wrote to memory of 3812	3100		98
PID 3100 wrote to memory of 4692	3100		99
PID 3100 wrote to memory of 4692	3100		99
PID 3100 wrote to memory of 4692	3100		99
PID 3100 wrote to memory of 2884	3100		100
PID 3100 wrote to memory of 2884	3100		100
PID 3100 wrote to memory of 2884	3100		100
PID 3100 wrote to memory of 2884	3100		100
PID 3100 wrote to memory of 492	3100		101
PID 3100 wrote to memory of 492	3100		101
PID 3100 wrote to memory of 492	3100		101
PID 3100 wrote to memory of 4484	3100		102
PID 3100 wrote to memory of 4484	3100		102
PID 3100 wrote to memory of 4484	3100		102
PID 3100 wrote to memory of 4484	3100		102
PID 3100 wrote to memory of 3108	3100		103
PID 3100 wrote to memory of 3108	3100		103
PID 3100 wrote to memory of 3108	3100		103
PID 3100 wrote to memory of 4528	3100		104
PID 3100 wrote to memory of 4528	3100		104
PID 3100 wrote to memory of 4528	3100		104
PID 3100 wrote to memory of 4528	3100		104

C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe
"C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe
  "C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4712

C:\Users\Admin\AppData\Local\Temp\2030.exe
C:\Users\Admin\AppData\Local\Temp\2030.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Users\Admin\AppData\Local\Temp\213A.exe
C:\Users\Admin\AppData\Local\Temp\213A.exe
1⤵
- Executes dropped EXE
PID:2536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 240
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2536 -ip 2536
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3788

C:\Users\Admin\AppData\Local\Temp\7670.exe
C:\Users\Admin\AppData\Local\Temp\7670.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 876
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4644

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 848 -ip 848
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3812

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4484

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2030.exe

MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\2030.exe

MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\213A.exe

MD5
8ea09d8188949391c7bb78bf0a34c6e7

SHA1
18450807fa7508293e448d2d378c0f7b7504dd3a

SHA256
3921bcce737b772f675fba1f1464983a5de8a3cad79f45738d442cb600e3b561

SHA512
38fa3025098e10503c7e9084b1a94bc2284bb22a339c90ce13ae2b48ac6c92e099068b1130c285237d2530b8e1e0938283e67f4a915d96236ef3cb95933b6c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\213A.exe

MD5
8ea09d8188949391c7bb78bf0a34c6e7

SHA1
18450807fa7508293e448d2d378c0f7b7504dd3a

SHA256
3921bcce737b772f675fba1f1464983a5de8a3cad79f45738d442cb600e3b561

SHA512
38fa3025098e10503c7e9084b1a94bc2284bb22a339c90ce13ae2b48ac6c92e099068b1130c285237d2530b8e1e0938283e67f4a915d96236ef3cb95933b6c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7670.exe

MD5
5ec2215d373512cc10930265afea55b1

SHA1
d79f2abc714668bba0fa3b41f59e5be7b053a844

SHA256
2446da0af06eaddedd95c88af2f3588a7c17e044c0edf9b09a98da5311e7f174

SHA512
988dd8e6245631c70eaaae6fa6ead9f9eb312622ef7393369b6d2d130ccedc81282013cb5c2a89a1943495448e0ac03c2f7fb484fb53772faf8435917001a2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7670.exe

MD5
5ec2215d373512cc10930265afea55b1

SHA1
d79f2abc714668bba0fa3b41f59e5be7b053a844

SHA256
2446da0af06eaddedd95c88af2f3588a7c17e044c0edf9b09a98da5311e7f174

SHA512
988dd8e6245631c70eaaae6fa6ead9f9eb312622ef7393369b6d2d130ccedc81282013cb5c2a89a1943495448e0ac03c2f7fb484fb53772faf8435917001a2e5

Download Submit
memory/492-190-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/492-191-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/492-189-0x0000000000000000-mapping.dmp

Download
memory/848-164-0x0000000002F90000-0x0000000002FFB000-memory.dmp

Filesize
428KB

Download
memory/848-163-0x0000000003200000-0x0000000003274000-memory.dmp

Filesize
464KB

Download
memory/848-161-0x0000000000000000-mapping.dmp

Download
memory/1584-180-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/1584-159-0x0000000000000000-mapping.dmp

Download
memory/1584-208-0x000000000A2C0000-0x000000000A2C1000-memory.dmp

Filesize
4KB

Download
memory/1584-207-0x0000000009840000-0x0000000009841000-memory.dmp

Filesize
4KB

Download
memory/1584-206-0x000000000A340000-0x000000000A341000-memory.dmp

Filesize
4KB

Download
memory/1584-165-0x000000007F820000-0x000000007FBF1000-memory.dmp

Filesize
3.8MB

Download
memory/1584-205-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/1584-167-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/1584-169-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/1584-170-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1584-171-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1584-172-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/1584-204-0x0000000009640000-0x0000000009641000-memory.dmp

Filesize
4KB

Download
memory/1584-175-0x00000000068A0000-0x0000000006EB8000-memory.dmp

Filesize
6.1MB

Download
memory/1584-203-0x0000000009330000-0x0000000009331000-memory.dmp

Filesize
4KB

Download
memory/1584-176-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1584-177-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/1584-178-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/1584-202-0x0000000009860000-0x0000000009861000-memory.dmp

Filesize
4KB

Download
memory/1584-201-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/1704-230-0x000001819C9F0000-0x000001819C9F4000-memory.dmp

Filesize
16KB

Download
memory/1704-234-0x000001819C720000-0x000001819C724000-memory.dmp

Filesize
16KB

Download
memory/1704-233-0x000001819C720000-0x000001819C721000-memory.dmp

Filesize
4KB

Download
memory/1704-232-0x000001819C730000-0x000001819C734000-memory.dmp

Filesize
16KB

Download
memory/1704-231-0x000001819C9B0000-0x000001819C9B1000-memory.dmp

Filesize
4KB

Download
memory/1704-211-0x000001819C700000-0x000001819C704000-memory.dmp

Filesize
16KB

Download
memory/1704-235-0x000001819C600000-0x000001819C601000-memory.dmp

Filesize
4KB

Download
memory/1704-209-0x000001819A080000-0x000001819A090000-memory.dmp

Filesize
64KB

Download
memory/1704-210-0x000001819A110000-0x000001819A120000-memory.dmp

Filesize
64KB

Download
memory/2536-158-0x0000000000860000-0x00000000008EF000-memory.dmp

Filesize
572KB

Download
memory/2536-155-0x0000000000000000-mapping.dmp

Download
memory/2884-187-0x0000000002B20000-0x0000000002B25000-memory.dmp

Filesize
20KB

Download
memory/2884-188-0x0000000002B10000-0x0000000002B19000-memory.dmp

Filesize
36KB

Download
memory/2884-186-0x0000000000000000-mapping.dmp

Download
memory/3096-166-0x0000000000000000-mapping.dmp

Download
memory/3096-173-0x00000000007F0000-0x00000000007F7000-memory.dmp

Filesize
28KB

Download
memory/3096-174-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/3100-149-0x0000000006DF0000-0x0000000006E06000-memory.dmp

Filesize
88KB

Download
memory/3100-222-0x0000000008B10000-0x0000000008B90000-memory.dmp

Filesize
512KB

Download
memory/3100-214-0x0000000005320000-0x00000000053A0000-memory.dmp

Filesize
512KB

Download
memory/3108-196-0x00000000012F0000-0x00000000012F5000-memory.dmp

Filesize
20KB

Download
memory/3108-197-0x00000000012E0000-0x00000000012E9000-memory.dmp

Filesize
36KB

Download
memory/3108-195-0x0000000000000000-mapping.dmp

Download
memory/3440-148-0x0000000003A40000-0x0000000003A4A000-memory.dmp

Filesize
40KB

Download
memory/3812-182-0x0000000002E70000-0x0000000002E7B000-memory.dmp

Filesize
44KB

Download
memory/3812-179-0x0000000000000000-mapping.dmp

Download
memory/3812-181-0x0000000002E80000-0x0000000002E87000-memory.dmp

Filesize
28KB

Download
memory/4484-194-0x00000000027C0000-0x00000000027C9000-memory.dmp

Filesize
36KB

Download
memory/4484-193-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/4484-192-0x0000000000000000-mapping.dmp

Download
memory/4528-200-0x00000000027C0000-0x00000000027C9000-memory.dmp

Filesize
36KB

Download
memory/4528-199-0x00000000027D0000-0x00000000027D5000-memory.dmp

Filesize
20KB

Download
memory/4528-198-0x0000000000000000-mapping.dmp

Download
memory/4616-150-0x0000000000000000-mapping.dmp

Download
memory/4692-185-0x00000000007F0000-0x00000000007FF000-memory.dmp

Filesize
60KB

Download
memory/4692-184-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4692-183-0x0000000000000000-mapping.dmp

Download
memory/4712-146-0x0000000000000000-mapping.dmp

Download
memory/4712-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download