raccoon | 72a5c757284def375d51e6b90aea5df9ad99d1b7765029ab19a485c8f59dc903

General

Target

Download-07-04-19.html
Size

6KB
MD5

fdf285faa9ebb125f479f9dcaa460bed
SHA1

11d5c8b9ec3316079eb03b4537d6c7c14726c7ac
SHA256

72a5c757284def375d51e6b90aea5df9ad99d1b7765029ab19a485c8f59dc903
SHA512

7c9f27a8e89713445f51a484ed6f8fb9fc40d15de9ce69a279e4e64a3dc2b121e6e3980f58b1d8f7cf94d4701695eaa356288e87c0570f1010158a8951d06dd0

Score

10^/10

raccoon 8f4e4706e9b4e3a904862901d32e2123 stealer

Malware Config

Extracted

Family

raccoon

Botnet

8f4e4706e9b4e3a904862901d32e2123

C2

http://78.159.97.21/

http://78.159.103.195

http://78.159.103.196

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/688-58-0x00000000001C0000-0x0000000000C6B000-memory.dmp	family_raccoon
behavioral1/memory/688-60-0x00000000001C0000-0x0000000000C6B000-memory.dmp	family_raccoon
behavioral1/memory/688-61-0x00000000001C0000-0x0000000000C6B000-memory.dmp	family_raccoon

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

launch.exe

pid process

688 launch.exe
688 launch.exe

pid	process
688	launch.exe
688	launch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DA04151-1562-11ED-B908-5AA4E0BAB593} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000d1c8824c5647b6458543d249195e4ea6fff287671bb8ff5b6643132c3c9d56d7000000000e8000000002000020000000822a4b5a6b53a5ca15f3963946dcc03a90ba79ecd5cc9cde2be573928f305f442000000089356dfd95df5d5e420023b954812189d46fec55440cba90244a5b8b6857a8d740000000645c6694123e0988db7ea830e656cfc373ee3aea8b3a845483e2929ef815de3ca155f6c7525b3aa2bb8b2832f36edd6746aef022d3ff7d729b548f60ddd0a689	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fa01e86ea9d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366539615"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f000000000200000000001066000000010000200000005b4ea43464e9fe8b642badfcba214895af0ca496c2733cdfaffddd98cc799d7c000000000e800000000200002000000017e36379979e1a28fd88b3e2e6c7849e09948e7f3311a582ec92bc6a3cab76fb90000000754acacdcdcc2528d7f881a83edaa62a01ef63a4f43b29f66a14c12489fadd08bb57d805ffc8ee62f57fec3538b2688e1e478e7b098dc18ff1efb3dbc83a625a26bb9c5a177419bb4dd336323431329fd6e6203c561aab287fe8f1839cb52c78a0a1f55a6d839dbcbe48aae70970a74921f67246cccb9384fd084ddba14d737f0e2fb64639e02a53cef32726db3dd16c4000000011bed4c03b33262799eb0ffcf7819eebe1bdb380ba1827f13375c6b22c4bffc53b57329628b22db800ac8ed6051700bf167e7cf2926b4fa199ed3b0b122f73bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exelaunch.exe

pid	process
1200	chrome.exe
1044	chrome.exe
1044	chrome.exe
2424	chrome.exe
2416	chrome.exe
2864	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
2932	chrome.exe
1556	chrome.exe
688	launch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2076	AUDIODG.EXE
Token: 33	2076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2076	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

iexplore.exechrome.exe

pid	process
1676	iexplore.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1676 iexplore.exe
1676 iexplore.exe
1768 IEXPLORE.EXE
1768 IEXPLORE.EXE
1768 IEXPLORE.EXE
1768 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 1676 wrote to memory of 1768	1676	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 1768	1676	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 1768	1676	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 1768	1676	iexplore.exe	IEXPLORE.EXE
PID 1044 wrote to memory of 1752	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1752	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1752	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1144	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1200	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1200	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 1200	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe
PID 1044 wrote to memory of 2000	1044	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Download-07-04-19.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ae4f50,0x7fef6ae4f60,0x7fef6ae4f70
2⤵
PID:1752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1152 /prefetch:2
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1304 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1916 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
2⤵
PID:608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3364 /prefetch:2
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:8
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3688 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=108 /prefetch:8
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 /prefetch:8
2⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1140,17060578457938544486,11736154265071536848,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Users\Admin\Downloads\Software\Software\launch.exe
"C:\Users\Admin\Downloads\Software\Software\launch.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
90daccdf16915966517911604cc5728c

SHA1
2e9436c12ac32d8ba7f3f712ac12eb455bbb3d04

SHA256
2dece581fcaad9d3959d6381cdc8254ccfabce9c4f55206e0da449340dde400a

SHA512
bd8276c7f69d88f6089f1422a794943789db7f434fd41c2b19e9645584ddc6fe4fab4b73995512f56253c35e259a184b629fe55f46c2e733666eab45f78ae99b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YF1H0HK1.txt
Filesize
608B

MD5
049a7d4c04dac0e89279ba593e2b0c0b

SHA1
35b8a6cbfa839b923af350f9e2141ae047da0040

SHA256
648a98c9fe68809bf4a5bacc87069f2c621f0326ea650a4d312ce79b7d79b65c

SHA512
d3688749517dfb7f5c248c3ea9979cc4e5347697f7c547924d09ba904c27ed1966eee55aea15e05fd0488bb78ed11bb1a8dfba2e6cf40638d888242a87ded6d7

Download Submit
\??\pipe\crashpad_1044_VKGBYEPTSDFEWLHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/688-57-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/688-58-0x00000000001C0000-0x0000000000C6B000-memory.dmp

Filesize
10.7MB

Download
memory/688-60-0x00000000001C0000-0x0000000000C6B000-memory.dmp

Filesize
10.7MB

Download
memory/688-61-0x00000000001C0000-0x0000000000C6B000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads