Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
01/03/2024, 03:57
General
-
Target
https://lyricsworld2k24.blogspot.com/2024/02/blog-post_21.html
Malware Config
Extracted
raccoon
fae876a733d51e53773b0b6a05b4249d
http://195.2.81.45:80/
-
user_agent
MrBidenNeverKnow
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lyricsworld2k24.blogspot.com/2024/02/blog-post_21.html2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda33846f8,0x7ffda3384708,0x7ffda33847183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5832 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FILMORA 13 [LATEST].rar"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zOCE1F1FF7\FILMORA 13 [LATEST].exe"C:\Users\Admin\AppData\Local\Temp\7zOCE1F1FF7\FILMORA 13 [LATEST].exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Executive Executive.bat & Executive.bat & exit5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 80646⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Pipe + Gentle + Suspended + Currency 8064\Hollywood.pif6⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Mug + Accounting + Stamps 8064\F6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\8064\Hollywood.pif8064\Hollywood.pif 8064\F6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15304738527465507816,2617052908435974397,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\" -spe -an -ai#7zMap27063:100:7zEvent277052⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\8064\Hollywood.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\8064\Hollywood.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Executive Executive.bat & Executive.bat & exit3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 81434⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Pipe + Gentle + Suspended + Currency 8143\Hollywood.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Mug + Accounting + Stamps 8143\F4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\8143\Hollywood.pif8143\Hollywood.pif 8143\F4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Executive Executive.bat & Executive.bat & exit3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 81884⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Pipe + Gentle + Suspended + Currency 8188\Hollywood.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Mug + Accounting + Stamps 8188\F4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\8188\Hollywood.pif8188\Hollywood.pif 8188\F4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Executive Executive.bat & Executive.bat & exit3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 81984⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Pipe + Gentle + Suspended + Currency 8198\Hollywood.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Mug + Accounting + Stamps 8198\F4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\8198\Hollywood.pif8198\Hollywood.pif 8198\F4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\8143\Hollywood.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\8143\Hollywood.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"C:\Users\Admin\Downloads\FILMORA 13 [LATEST]\FILMORA 13 [LATEST].exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Executive Executive.bat & Executive.bat & exit3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 82214⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Pipe + Gentle + Suspended + Currency 8221\Hollywood.pif4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Mug + Accounting + Stamps 8221\F4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\8221\Hollywood.pif8221\Hollywood.pif 8221\F4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\8188\Hollywood.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\8188\Hollywood.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\8198\Hollywood.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\8198\Hollywood.pif2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\8221\Hollywood.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\8221\Hollywood.pif2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2ec 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
Filesize
168B
MD5a0428fb0f159d053f26fee62c7ce5680
SHA1bae85943340ae77454cc773eb47856dbf01de9da
SHA256edba7e3cb2012e8657605fff8945e84c8c5473ab34c8e9e74a5d30c2ea483ad7
SHA512a8b3c07a6de0fc6df7603a47eb7d8389ef95a7b3568bf31861aaece6383a27449a94a40e3c697c86b1d11279cfc7b4e1aca6228cd19244753cbd55cd82023165
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD5ee9d03aec38263e2f7460f72e03b4fa5
SHA17b0f903ce4a575184b4118851ea795bb121b2c25
SHA2569974b603b3c6c680dfd6c681cc04e018e118a7cb3118e7c5bcd25dee7e627635
SHA5122079825b90bd230721ec21de2c638d3e9e88b488a2803d4403d69ed14ec2aaaa567b516b5fc7c8b6e5545da31c4450a04ac8b5b2979017006e0765ceed6dbdad
-
Filesize
6KB
MD5fada9c4b11b8b100b967d8b4cf72d479
SHA197b88a9748de69860f5ec2bbd765c1e149eff04c
SHA2569acf065778dd856529a334b74f66f4b957afd17faad0d894a45cf9af183c8585
SHA5124bb1b46af564668d0d34942083e0bb22974f69f5711014576d3ec894019071ddba5dadad1da5dfcf706c471ce0dbb10fa14adb2087d48acc897ef30b85c30468
-
Filesize
7KB
MD572781f34ba1c4f4916c05165e4c4c602
SHA1fa0937757ad57a18bf108b88d52a2db1af2573f6
SHA256c63c2da719e573f751fc99dd7b81c9679cf1a2cdd542b10d04fb32df3d168a57
SHA512f002461d85c90d2373f3bc568aa41ac3108b7b6fcb6020f8aee5153cee59e80168b5598ce5954d883390603e31045b8e2426f57661169e365b049b1734ca2b56
-
Filesize
7KB
MD5cdee91530e2ca3507f3b7d0dd77f7ecf
SHA1c7f990549edbe5cd0feb1851737662771056e285
SHA25613aeadbaf588df21bdc7c7aa8dcf2e5c2e8f2d0464cd6a36a90b14fcfb47e362
SHA512fecb54239b3e556ea8720981f717ccab4d3c31ca42f6403a3a323a4588196f147f4cb58883db5cbd9f69ca193c6c9c4ee4a5a050f7102d5f5e5a893e5c0257f9
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD5ed7f5fc13734e5fded874a571f5654ff
SHA1784aa130209d5db805dd9421eb7f6688db486b42
SHA2566388caeca1ca417a369e6bbbda1572741808e378bccdb7120029adcd19093e55
SHA51254980e6bd19190c25b77c26c8272a6a5a3ec5d1941b9c070f32793069deb29023139481c0a985ac21bc2e5863bef639bddb202d467be0f937965cffac5df46aa
-
Filesize
48B
MD59dd22ab8dfbd291c5424e410d4f7c27d
SHA1c567aa210359317579fd3c65159b387905a9821b
SHA256c22611f2b669ad147af06ea96c89cb7ad41a1b3c9c664994ead8fafc0c738ff3
SHA5120f58bead932854da894ec2ef21a1c56827149273bc588b1e606be1f4a3f812ec54fe341dd201c548e0e470ed46218be5f46b2ad1ab090665c87365a915fbecc1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5946a624ed87bb2b46b3dcb2687942c2f
SHA15e4e3940a80716ef3112573f3d95d623d261dd07
SHA25616759f6eee63e5502ecc2bab85721596f568ccab92a0ae179539ac81f534f7ba
SHA512e297df3897b7d54daefbc1c82bebae48a2e255c469cf9bf571d5724e564baf4ef0f0a7b544fcb6cb54eb21ba2452d7919a8370c780433aa7156502eb3d3a7b3e
-
Filesize
11KB
MD5275971cfbfb923c58d6c8739d7697374
SHA1922019cad6fce924294ceb0e89bd3819928eec55
SHA25633ee98097bd6976c5c2faedcf8d00b3fd56ba9f6bb25a9af7bf22ff12ea302f8
SHA51273a4506c66c38e0efd04b84b1e1f6796b9f81fdcf471a6c924a0f4bb5f1bd54f350fbee0d21e0f5263246ffb75601f1354dc296bca56c41e3ce4aa71de954052
-
Filesize
511KB
MD5292b0c11a0c9852e11253ea81e74f4bc
SHA1ff47d6c828f50af626cbacd61fbfacc4418cf1ab
SHA256bec566da2c2a5ab23b0b74efc4dc7f17901e14233c2371bc0f9f6601eb0a2267
SHA5128f563b413309ae5ecc6fab14008ef4603eb85e26eb220ac4d47e4f165a2e0cb88b917f0d1c874b88bb78672d7851da1ec69335836d373b39441b206cfaf7e90d
-
Filesize
924KB
MD5848164d084384c49937f99d5b894253e
SHA13055ef803eeec4f175ebf120f94125717ee12444
SHA256f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize
245KB
MD57888394b660edf096960f2f7a5e4eada
SHA105c261ea2b1b786caeda5eab7a69c0b479815662
SHA2563a46a2116ebcfcd36c4c81490d5f9223bfc48c6a09594611b3553e0341c1e426
SHA51279503c5528db299afaab0a1df23d6367ec9f42c26014b01e81b77dbd7514b0d47f4b62d91113446e6ff35c1b4196e3c0e98aff8bfe7ddadf075ed3d44bdcb7a3
-
Filesize
156KB
MD5e9a499047577588d5c6471ab754601ed
SHA1fc8853264cd6e4708de450fd3851640b7f7637d8
SHA256361d5d05f86a2759c3bb3f9bf98dd56b89c3d4a9c6574bcfcf376b39787f8559
SHA512a4b473a9f85b434d1b5b34a6e6cd4a07494d9ae243064eb2dea1a66dd9e21d9dc31c1ce9bef45fac10997887a2ec90922b49c7974168f3e105329732c84bc60a
-
Filesize
12KB
MD5c4d438fc167ea779c1090832c5437763
SHA13b215d36928a80c9168ffcf0601e231ba4c72287
SHA2564efffdfd408fa4ae1f923f399dc4fdf1fccb91d3127fafe4f96c446c48cdfe75
SHA5121dea08324d67daf0c463b7f58965a2412169092d559325bcf44e39d41afa8010f6bb84b1d12fd392c23f0ac1b33ac2e4a97d7884a136a0e75d029dffc1bdbafa
-
Filesize
293KB
MD5174943ec0216a66ad4cc51c4ed6bb38e
SHA1852693dc6cd36c7575546cce0fbdf13fb4c3bc5e
SHA2566e776a65df5bade334bc1ecfd15eef1b52c4a506ddac6b58e8836e8c27a99a59
SHA5125af10dd4542be3dfaa3b36ed1c96877fe0f1ba5f41d3d9dd18b992c9d05a5aad7c6546bbfc98736fe5d3c345f41996cc534031cfb46b2a9d7d77c71bbe9b8205
-
Filesize
238KB
MD556f01e96426b05cbe05c1a6778d79a30
SHA190e70ddf46f28a5242e1b4396a939d6ca6a3c623
SHA256eb8e8b7b80bed8037f5a80e3f4b99b07397b8d85730873595180a54017fcbf92
SHA512259770138360619a9ec354533ae668b8107100b6ce4959aff31ad4883968008c5e12ac8f1fee5a22c2a367ed565ab3181bbc613e0a55658417eb5a1748adf200
-
Filesize
273KB
MD5682666f91e22c6ac7cedd633988b356f
SHA182433c143553668e24367767a05c362d4fe20ecd
SHA2561245f5fd801249ff3184a2e22e46d5ab4916db9218fc1db7fd31bae605cb166b
SHA512aa55a437aeafde2c913e53e82815c36046dbdf54483f134996f2b89041c86cef36ebfc4dfc191ead8e3790d9d27d406a68beb18948fc88c981d384cb9b35c761
-
Filesize
28KB
MD5141dbfff57314a5527b93ad27a59869a
SHA10e55795a94ba09df3eed67d4beceac5a44fbdaeb
SHA256e85db9d34efa36e613865b710b7418858089efb1fceaee9218a60af20df63462
SHA512a37c1cb57f636fdf697349f279d3d29d38b9594a0fe5af174e1e1f95ec060ca7448b98ce65258a91288c8b60c9523bc92a2fad16979157c79aa184d6ff5e593a
-
Filesize
202KB
MD5a8e61fb77e0a32778afde3be1e68eeec
SHA1bdbfe783c6abcaa47b22c279b19b47efeff95b45
SHA256982d07be28eaa0559a41d894f235d111ce71e5c39da7371e2458454c75f80a15
SHA51252f868614f30e87371c9befeabdb8457cf82d7b84011350dbc623e2f89b9ccb8e148d371d97635370e9baa707c248ca10aef1f49b5f5724494d818d6693dce77
-
Filesize
240KB
MD5a1bae235618bd8488e38ab83503d2721
SHA1b8c512fb36b61121d62d3ee7685c139faf944f4b
SHA256f2f47db527b1a7798606b72c7ee5186d393bad64515d73306c28ffa63c292dd5
SHA512b2618d54a7be920443ab0bc1c94d7fdd049dd879dffa0795a70814a894541d7cbd00c5a734440579a7a9c119ae64640075670c883f42f690df0a3cd438e6ed66
-
Filesize
803KB
MD51cd8e4f3e4b71d0efaa247b9a20eef50
SHA1d9b8cebfde04269fa26d0903c66e7f0aab03c06a
SHA256e68ecc8bfee0998ab7c4c8a8be10bacc7d3adb16c199c6224321175386511341
SHA5128b49f46a513c1c25b6a6b885ef3210423269ef6aa8b236d8e24200980081bbc62748eaf2866cd3790babd99a023910bf3ff720bdbde9516e3b469bb64db2207c
-
Filesize
722KB
MD58ae7a3bdd8dede72bfe10dd34ecfae0e
SHA1b34b1b82d9d89f3d79e50788205a65738ece3554
SHA25619f052565393b703157962cdbc19741df62416dcc23acfff0bc0fc6787957399
SHA5129248959019e7fd221bc0b0dbc101fa94f7586ca5ac178988fa2e598b5cf3d9eecfe463e9e072b24325630582a5f80a782e9c9f0cc1d5de154f8b9f70f2a94e6f
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB