8b8524d99c41e32912669ff4be7aba713495ad3fc03e345c5a7e16d473718e48

Analysis

max time kernel
361s
max time network
1445s
platform
windows10_x64
resource
win10v20210410
submitted
06-08-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Raccine/install-raccine.bat
Size

10KB
MD5

be970aa8b06eb4dc9d2e83d31a1dcb8e
SHA1

150dfcff77b43ec46725680a268c0bc6e1950f83
SHA256

37aa4b39bb70e8a634e679276cbaf1db491d37f67843272ee1e6762797d7fb9c
SHA512

30c36e0c0d81b603790f96b514359cccad0cc1389c097dd8d10f2e5c9754d6d5a19531bea26a8270523a0e9b49ab11e42d67b9370b0719e373422edfc05aea4c

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

RaccineSettings.exeRaccineRulesSync.exeRaccineSettings.exeRaccineRulesSync.exeRaccineSettings.exeRaccineRulesSync.exe

pid	process
2728	RaccineSettings.exe
4284	RaccineRulesSync.exe
4020	RaccineSettings.exe
4208	RaccineRulesSync.exe
4328	RaccineSettings.exe
4752	RaccineRulesSync.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3524 icacls.exe
1956 icacls.exe
2068 icacls.exe

pid	process
3524	icacls.exe
1956	icacls.exe
2068	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray = "C:\\Program Files\\Raccine\\RaccineSettings.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray = "C:\\Program Files\\Raccine\\RaccineSettings.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine Tray = "C:\\Program Files\\Raccine\\RaccineSettings.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 1 IoCs

Processes:

RaccineRulesSync.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RaccineRulesSync.exe.log	RaccineRulesSync.exe

Drops file in Program Files directory 64 IoCs

Processes:

RaccineRulesSync.exeRaccineRulesSync.execmd.exeRaccineRulesSync.exe

description	ioc	process
File opened for modification	C:\Program Files\Raccine\yara\ext-vars-test.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\powershell_loaders.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara\other_0xa9five_poc.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\RaccineSettings.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara64.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\ext-vars-test.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\RaccineRulesSync.exe	cmd.exe
File created	C:\Program Files\Raccine\yara\mal_revil.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yarac64.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_revil.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara64.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\ryuk-commandlines.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\other_0xa9five_poc.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_powershell_invocation.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara\other_0xa9five_poc.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara\mal_emotet.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_emotet.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\ryuk-commandlines.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_raccine_kills.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\Raccine.exe	cmd.exe
File created	C:\Program Files\Raccine\yara\mal_darkside.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_powershell_invocation.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\ryuk-commandlines.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\Raccine.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\ryuk-commandlines.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\ryuk-commandlines.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yarac64.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\powershell_loaders.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\ext-vars-test.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_darkside.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_emotet.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara\gen_powershell_invocation.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_darkside.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\powershell_loaders.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_powershell_invocation.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_powershell_invocation.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\gen_raccine_kills.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_raccine_kills.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_darkside.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\powershell_loaders.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\RaccineSettings.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\ext-vars-test.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\RaccineElevatedCfg.exe	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_emotet.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_revil.yar	cmd.exe
File created	C:\Program Files\Raccine\yara\powershell_loaders.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar	RaccineRulesSync.exe
File opened for modification	C:\Program Files\Raccine\yara\mal_revil.yar	RaccineRulesSync.exe
File created	C:\Program Files\Raccine\RaccineElevatedCfg.exe	cmd.exe
File created	C:\Program Files\Raccine\yara\ext-vars-test.yar	cmd.exe
File opened for modification	C:\Program Files\Raccine\yara\gen_raccine_kills.yar	RaccineRulesSync.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2852 schtasks.exe
3976 schtasks.exe
4432 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1192 timeout.exe
1236 timeout.exe
1468 timeout.exe
2808 timeout.exe
220 timeout.exe
4256 timeout.exe

pid	process
2852	schtasks.exe
3976	schtasks.exe
4432	schtasks.exe

pid	process
1192	timeout.exe
1236	timeout.exe
1468	timeout.exe
2808	timeout.exe
220	timeout.exe
4256	timeout.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3164	taskkill.exe
4260	taskkill.exe
3432	taskkill.exe
2852	taskkill.exe
4276	taskkill.exe
5100	taskkill.exe
1828	taskkill.exe
2392	taskkill.exe
2148	taskkill.exe
4160	taskkill.exe
4244	taskkill.exe
2544	taskkill.exe
4764	taskkill.exe
3980	taskkill.exe
3076	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

RaccineRulesSync.exeRaccineRulesSync.exeRaccineRulesSync.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	RaccineRulesSync.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	RaccineRulesSync.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	RaccineRulesSync.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3152 reg.exe
2464 reg.exe
4200 reg.exe
4032 reg.exe
4684 reg.exe
4716 reg.exe
3816 reg.exe
2396 reg.exe
2656 reg.exe
4712 reg.exe
1456 reg.exe
4524 reg.exe

pid	process
3152	reg.exe
2464	reg.exe
4200	reg.exe
4032	reg.exe
4684	reg.exe
4716	reg.exe
3816	reg.exe
2396	reg.exe
2656	reg.exe
4712	reg.exe
1456	reg.exe
4524	reg.exe

Runs .reg file with regedit 27 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
1528	regedit.exe
4668	regedit.exe
940	regedit.exe
772	regedit.exe
820	regedit.exe
3872	regedit.exe
908	regedit.exe
1916	regedit.exe
3828	regedit.exe
1256	regedit.exe
1192	regedit.exe
4060	regedit.exe
3600	regedit.exe
3672	regedit.exe
4552	regedit.exe
3984	regedit.exe
1068	regedit.exe
1224	regedit.exe
4408	regedit.exe
1368	regedit.exe
1588	regedit.exe
2180	regedit.exe
3624	regedit.exe
4604	regedit.exe
4640	regedit.exe
2660	regedit.exe
1548	regedit.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

RaccineSettings.exeRaccineSettings.exeRaccineSettings.exetaskmgr.exe

pid	process
2728	RaccineSettings.exe
4020	RaccineSettings.exe
4328	RaccineSettings.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeRaccineSettings.exeRaccineRulesSync.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeRaccineSettings.exeRaccineRulesSync.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeRaccineSettings.exeRaccineRulesSync.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	2728	RaccineSettings.exe
Token: SeDebugPrivilege	4284	RaccineRulesSync.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	4020	RaccineSettings.exe
Token: SeDebugPrivilege	4208	RaccineRulesSync.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	4328	RaccineSettings.exe
Token: SeDebugPrivilege	4752	RaccineRulesSync.exe
Token: SeDebugPrivilege	4700	taskmgr.exe
Token: SeSystemProfilePrivilege	4700	taskmgr.exe
Token: SeCreateGlobalPrivilege	4700	taskmgr.exe
Token: 33	4700	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4700	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

RaccineSettings.exeRaccineSettings.exeRaccineSettings.exetaskmgr.exe

pid	process
2728	RaccineSettings.exe
4020	RaccineSettings.exe
4328	RaccineSettings.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4328	RaccineSettings.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

RaccineSettings.exeRaccineSettings.exeRaccineSettings.exetaskmgr.exe

pid	process
2728	RaccineSettings.exe
4020	RaccineSettings.exe
4328	RaccineSettings.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4328	RaccineSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4476 wrote to memory of 4936	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 4936	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 5008	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 5008	4476	cmd.exe	cmd.exe
PID 5008 wrote to memory of 5024	5008	cmd.exe	findstr.exe
PID 5008 wrote to memory of 5024	5008	cmd.exe	findstr.exe
PID 4476 wrote to memory of 3984	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 3984	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 3164	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 3164	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4160	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4160	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4260	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4260	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4244	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4244	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4276	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 4276	4476	cmd.exe	taskkill.exe
PID 4476 wrote to memory of 500	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 500	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1008	4476	cmd.exe	schtasks.exe
PID 4476 wrote to memory of 1008	4476	cmd.exe	schtasks.exe
PID 4476 wrote to memory of 820	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 820	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 908	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 908	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 772	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 772	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1068	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1068	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1192	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1192	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1224	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1224	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1368	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1368	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1528	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 1528	4476	cmd.exe	regedit.exe
PID 4476 wrote to memory of 3152	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 3152	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1712	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1712	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1876	4476	cmd.exe	setx.exe
PID 4476 wrote to memory of 1876	4476	cmd.exe	setx.exe
PID 4476 wrote to memory of 1956	4476	cmd.exe	icacls.exe
PID 4476 wrote to memory of 1956	4476	cmd.exe	icacls.exe
PID 4476 wrote to memory of 1996	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 1996	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 2072	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 2072	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 2236	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 2236	4476	cmd.exe	eventcreate.exe
PID 4476 wrote to memory of 2396	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2396	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2464	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2464	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2656	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2656	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2676	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2676	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2728	4476	cmd.exe	RaccineSettings.exe
PID 4476 wrote to memory of 2728	4476	cmd.exe	RaccineSettings.exe
PID 4476 wrote to memory of 2852	4476	cmd.exe	schtasks.exe
PID 4476 wrote to memory of 2852	4476	cmd.exe	schtasks.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
3⤵
PID:5024

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-uninstall.reg
2⤵
- Runs .reg file with regedit
PID:3984

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM Raccine.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:500

C:\Windows\system32\schtasks.exe
SCHTASKS /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1008

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-vssadmin.reg
2⤵
- Runs .reg file with regedit
PID:820

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wmic.reg
2⤵
- Runs .reg file with regedit
PID:908

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wbadmin.reg
2⤵
- Runs .reg file with regedit
PID:772

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-bcdedit.reg
2⤵
- Runs .reg file with regedit
PID:1068

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-powershell.reg
2⤵
- Runs .reg file with regedit
PID:1192

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-diskshadow.reg
2⤵
- Runs .reg file with regedit
PID:1224

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-net.reg
2⤵
- Runs .reg file with regedit
PID:1368

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-taskkill.reg
2⤵
- Runs .reg file with regedit
PID:1528

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v LogOnly /t REG_DWORD /d 0 /F
2⤵
- Modifies registry key
PID:3152

C:\Windows\system32\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\.NETFramework,Version=v4.5"
2⤵
PID:1712

C:\Windows\system32\setx.exe
SETX /M Path "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Raccine"
2⤵
PID:1876

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Raccine\Raccine_log.txt" /grant Users:F
2⤵
- Modifies file permissions
PID:1956

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1 - Used for Informational Messages"
2⤵
PID:1996

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2 - Used for Malicious Actitivty"
2⤵
PID:2072

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 3 /so Raccine /d "Raccine Setup: Registration of Event ID 3 - Used for Benign Activity"
2⤵
PID:2236

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ShowGui /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:2396

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ScanMemory /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:2464

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v RulesDir /t REG_SZ /d "C:\Program Files\Raccine\yara" /F
2⤵
- Modifies registry key
PID:2656

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /t REG_SZ /F /D "C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Adds Run key to start application
PID:2676

C:\Program Files\Raccine\RaccineSettings.exe
"C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728

C:\Windows\system32\schtasks.exe
SCHTASKS /create /tn "Raccine Rules Updater" /tr "\"C:\Program Files\Raccine\RaccineRulesSync.exe\"" /sc DAILY /mo 1 /f /RL highest /RU "NT AUTHORITY\SYSTEM" /NP
2⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
SCHTASKS /RUN /TN "Raccine Rules Updater"
2⤵
PID:2668

C:\Windows\system32\timeout.exe
TIMEOUT /t 30
2⤵
- Delays execution with timeout.exe
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
2⤵
PID:3668

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
3⤵
PID:3480

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-uninstall.reg
2⤵
- Runs .reg file with regedit
PID:2180

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM Raccine.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:5088

C:\Windows\system32\schtasks.exe
SCHTASKS /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:5052

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-vssadmin.reg
2⤵
- Runs .reg file with regedit
PID:4060

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wmic.reg
2⤵
- Runs .reg file with regedit
PID:3624

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wbadmin.reg
2⤵
- Runs .reg file with regedit
PID:3600

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-bcdedit.reg
2⤵
- Runs .reg file with regedit
PID:3872

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-powershell.reg
2⤵
- Runs .reg file with regedit
PID:4552

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-diskshadow.reg
2⤵
- Runs .reg file with regedit
PID:4604

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-net.reg
2⤵
- Runs .reg file with regedit
PID:4640

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-taskkill.reg
2⤵
- Runs .reg file with regedit
PID:4668

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v LogOnly /t REG_DWORD /d 0 /F
2⤵
- Modifies registry key
PID:4712

C:\Windows\system32\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\.NETFramework,Version=v4.5"
2⤵
PID:2244

C:\Windows\system32\setx.exe
SETX /M Path "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Raccine"
2⤵
PID:4132

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Raccine\Raccine_log.txt" /grant Users:F
2⤵
- Modifies file permissions
PID:2068

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1 - Used for Informational Messages"
2⤵
PID:4736

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2 - Used for Malicious Actitivty"
2⤵
PID:4780

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 3 /so Raccine /d "Raccine Setup: Registration of Event ID 3 - Used for Benign Activity"
2⤵
PID:2288

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ShowGui /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:1456

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ScanMemory /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:4524

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v RulesDir /t REG_SZ /d "C:\Program Files\Raccine\yara" /F
2⤵
- Modifies registry key
PID:4684

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /t REG_SZ /F /D "C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Adds Run key to start application
PID:4768

C:\Program Files\Raccine\RaccineSettings.exe
"C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4020

C:\Windows\system32\schtasks.exe
SCHTASKS /create /tn "Raccine Rules Updater" /tr "\"C:\Program Files\Raccine\RaccineRulesSync.exe\"" /sc DAILY /mo 1 /f /RL highest /RU "NT AUTHORITY\SYSTEM" /NP
2⤵
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
SCHTASKS /RUN /TN "Raccine Rules Updater"
2⤵
PID:4056

C:\Windows\system32\timeout.exe
TIMEOUT /t 30
2⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
2⤵
PID:408

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
3⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\scripts\windows-hardening.bat"
2⤵
PID:1124

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\scripts\windows-hardening.bat"
3⤵
PID:1216

C:\Windows\system32\timeout.exe
TIMEOUT /t 10
2⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\system32\timeout.exe
TIMEOUT /t 10
2⤵
- Delays execution with timeout.exe
PID:1236

C:\Windows\system32\timeout.exe
TIMEOUT /t 30
2⤵
- Delays execution with timeout.exe
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
2⤵
PID:1592

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
3⤵
PID:1528

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-uninstall.reg
2⤵
- Runs .reg file with regedit
PID:1588

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM Raccine.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM RaccineRulesSync.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\reg.exe
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:192

C:\Windows\system32\schtasks.exe
SCHTASKS /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:3664

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-vssadmin.reg
2⤵
- Runs .reg file with regedit
PID:2660

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wmic.reg
2⤵
- Runs .reg file with regedit
PID:1548

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-wbadmin.reg
2⤵
- Runs .reg file with regedit
PID:3672

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-bcdedit.reg
2⤵
- Runs .reg file with regedit
PID:4408

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-powershell.reg
2⤵
- Runs .reg file with regedit
PID:940

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-diskshadow.reg
2⤵
- Runs .reg file with regedit
PID:1916

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-net.reg
2⤵
- Runs .reg file with regedit
PID:3828

C:\Windows\regedit.exe
REGEDIT.EXE /S reg-patches\raccine-reg-patch-taskkill.reg
2⤵
- Runs .reg file with regedit
PID:1256

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v LogOnly /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:4200

C:\Windows\system32\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\.NETFramework,Version=v4.5"
2⤵
PID:3588

C:\Windows\system32\setx.exe
SETX /M Path "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Raccine"
2⤵
PID:188

C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Raccine\Raccine_log.txt" /grant Users:F
2⤵
- Modifies file permissions
PID:3524

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1 - Used for Informational Messages"
2⤵
PID:1380

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2 - Used for Malicious Actitivty"
2⤵
PID:4440

C:\Windows\system32\eventcreate.exe
eventcreate.exe /L Application /T Information /id 3 /so Raccine /d "Raccine Setup: Registration of Event ID 3 - Used for Benign Activity"
2⤵
PID:3032

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ShowGui /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:4032

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v ScanMemory /t REG_DWORD /d 1 /F
2⤵
- Modifies registry key
PID:4716

C:\Windows\system32\reg.exe
REG.EXE ADD HKLM\Software\Raccine /v RulesDir /t REG_SZ /d "C:\Program Files\Raccine\yara" /F
2⤵
- Modifies registry key
PID:3816

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /t REG_SZ /F /D "C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Adds Run key to start application
PID:3940

C:\Program Files\Raccine\RaccineSettings.exe
"C:\Program Files\Raccine\RaccineSettings.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4328

C:\Windows\system32\schtasks.exe
SCHTASKS /create /tn "Raccine Rules Updater" /tr "\"C:\Program Files\Raccine\RaccineRulesSync.exe\"" /sc DAILY /mo 1 /f /RL highest /RU "NT AUTHORITY\SYSTEM" /NP
2⤵
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
SCHTASKS /RUN /TN "Raccine Rules Updater"
2⤵
PID:4784

C:\Windows\system32\timeout.exe
TIMEOUT /t 30
2⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
2⤵
PID:5056

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Raccine\install-raccine.bat"
3⤵
PID:5060

C:\Program Files\Raccine\RaccineRulesSync.exe
"C:\Program Files\Raccine\RaccineRulesSync.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Program Files\Raccine\RaccineRulesSync.exe
"C:\Program Files\Raccine\RaccineRulesSync.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Program Files\Raccine\RaccineRulesSync.exe
"C:\Program Files\Raccine\RaccineRulesSync.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineRulesSync.exe
MD5
238ed776c03ddd1feb1e3b3a024e5f33

SHA1
f5d2cb5906f72d8692a5555c9bba887354613bca

SHA256
d767c82d9ad39a5afddf35df4032afd518b44804a492f9b49ba1e4a7535e87a7

SHA512
9dfa263b6768c132730a993316b1d460cad51c3b00c912dcb6bd9804d8cba9a14d8eaae8806518ee9c2056afd6c497dfbd6b23eab50fe7694c805598ae6b7076

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\RaccineSettings.exe
MD5
29befacee533f2fefb428c39412df12c

SHA1
179545ba0f23a84ec2506fb743d5c9d3d0408f3a

SHA256
ec15047f8a802cf6cadb5ea3860c380bb3314e9a91a96464dc1837192773ab6a

SHA512
51e518494c892e40107154368976f5c83081d19684473a619eb86376652bba684036e8c91a705f78f1bdbb0c47b16559ce0d1412fcd45f41800d7dac2d512e2d

Download Submit
C:\Program Files\Raccine\yara\EXT-VA~1.YAR
MD5
df3c64774d148744623340e01843920e

SHA1
7204570f4948a1877ad5738499fcf4c0253acf32

SHA256
6df76e55312e0f2d653d348ac00e844e428f1bfd33884b15e03af490786075ef

SHA512
3e3779bce7e184499296e2daf136e5e27973a1c004b85df4f0065120f71dcb73ab86686ef6acec8d5a5a6146e9a486ca61a9e990c5d74861f5903a57a65ff767

Download Submit
C:\Program Files\Raccine\yara\EXT-VA~1.YAR
MD5
df3c64774d148744623340e01843920e

SHA1
7204570f4948a1877ad5738499fcf4c0253acf32

SHA256
6df76e55312e0f2d653d348ac00e844e428f1bfd33884b15e03af490786075ef

SHA512
3e3779bce7e184499296e2daf136e5e27973a1c004b85df4f0065120f71dcb73ab86686ef6acec8d5a5a6146e9a486ca61a9e990c5d74861f5903a57a65ff767

Download Submit
C:\Program Files\Raccine\yara\GEN_PO~1.YAR
MD5
98c233afcdfe0957fb53aa2a6e800829

SHA1
02db07843c687883ec8129eb4ca6cb16235fb5d1

SHA256
d6b5e6e8a8e3590c9a373194b164defa6354f6f9d0a6718bb01870079d96f39f

SHA512
51676abfb7e759d176468d17cf419cab8bc697e02b79eaa6e2b70af0df3b3830d6c9141e75c56df1c6a6b0f09cd4d92636b956cd8e8fb12bbe958d9b2c379204

Download Submit
C:\Program Files\Raccine\yara\GEN_PO~1.YAR
MD5
98c233afcdfe0957fb53aa2a6e800829

SHA1
02db07843c687883ec8129eb4ca6cb16235fb5d1

SHA256
d6b5e6e8a8e3590c9a373194b164defa6354f6f9d0a6718bb01870079d96f39f

SHA512
51676abfb7e759d176468d17cf419cab8bc697e02b79eaa6e2b70af0df3b3830d6c9141e75c56df1c6a6b0f09cd4d92636b956cd8e8fb12bbe958d9b2c379204

Download Submit
C:\Program Files\Raccine\yara\GEN_RA~1.YAR
MD5
84918672499b4e7e57d1c87fa1f0e2f9

SHA1
589f0dd8d1e022686f9f12cebf7e4a8e6708cb14

SHA256
b3d57cc3f9b9ae3e626eabf840be8396a721882fbbf2867804aded477b195651

SHA512
6f2921ebd9e6ea535096048e668c4f9a906536b69183d8edb6dc62ec0c639ede58b8ea77d8c9dc3d69dcb8842bcd07886559316275ced87f47126a0fb4703273

Download Submit
C:\Program Files\Raccine\yara\GEN_RA~1.YAR
MD5
84918672499b4e7e57d1c87fa1f0e2f9

SHA1
589f0dd8d1e022686f9f12cebf7e4a8e6708cb14

SHA256
b3d57cc3f9b9ae3e626eabf840be8396a721882fbbf2867804aded477b195651

SHA512
6f2921ebd9e6ea535096048e668c4f9a906536b69183d8edb6dc62ec0c639ede58b8ea77d8c9dc3d69dcb8842bcd07886559316275ced87f47126a0fb4703273

Download Submit
C:\Program Files\Raccine\yara\GEN_RA~2.YAR
MD5
93a973768bbcab1195200efd346b7374

SHA1
e4826632230455350f746a448647ecf817623d14

SHA256
71d501ee89d3757a338cf15adf216310a969a814aca2212ef7e2384c994b9029

SHA512
b208c0e0840c2c5575f0f4f87a04e74f17dc044ea868f79bd9fea3811774026079581892bf1bf807b8c36b9f559a8745f8ccf8d4af8433b42ad0e09e355cf7ca

Download Submit
C:\Program Files\Raccine\yara\GEN_RA~2.YAR
MD5
93a973768bbcab1195200efd346b7374

SHA1
e4826632230455350f746a448647ecf817623d14

SHA256
71d501ee89d3757a338cf15adf216310a969a814aca2212ef7e2384c994b9029

SHA512
b208c0e0840c2c5575f0f4f87a04e74f17dc044ea868f79bd9fea3811774026079581892bf1bf807b8c36b9f559a8745f8ccf8d4af8433b42ad0e09e355cf7ca

Download Submit
C:\Program Files\Raccine\yara\IN-MEM~1\GEN_LO~1.YAR
MD5
f1411a74e4e909a882b57533b432bb73

SHA1
b46583b6d8edf906629c8c7f4861bf6f7bfa09c1

SHA256
4c443dffb738c4f71be7375d9b0b7fe06b7d12eb4452938a04190d37cfb18631

SHA512
40d5934b84ddf21da4ac41c11e6bf3118fda249bc70abd60b9fd201a139cdbb31a3857851da541818f99f94431270a535fb4d7cfde4dd19aa30324a3a8653170

Download Submit
C:\Program Files\Raccine\yara\IN-MEM~1\GEN_LO~1.YAR
MD5
f1411a74e4e909a882b57533b432bb73

SHA1
b46583b6d8edf906629c8c7f4861bf6f7bfa09c1

SHA256
4c443dffb738c4f71be7375d9b0b7fe06b7d12eb4452938a04190d37cfb18631

SHA512
40d5934b84ddf21da4ac41c11e6bf3118fda249bc70abd60b9fd201a139cdbb31a3857851da541818f99f94431270a535fb4d7cfde4dd19aa30324a3a8653170

Download Submit
C:\Program Files\Raccine\yara\MAL_DA~1.YAR
MD5
3d4b4296556faeae0f981fea230e1f9e

SHA1
638339223282f5791440bf04da943c8281129f1d

SHA256
e27732a4c3d825d35f89dbfa73277788be86018c2f8c978d554a8bccff71e378

SHA512
c821fedd97adcc126e9333e701056dab4ff96e30db6ce1df8c7bdb51b7e89339428732b3df954e845a38febb1c8e35c36a11f595e9155cb458ce73a7e3e2f8b4

Download Submit
C:\Program Files\Raccine\yara\MAL_DA~1.YAR
MD5
3d4b4296556faeae0f981fea230e1f9e

SHA1
638339223282f5791440bf04da943c8281129f1d

SHA256
e27732a4c3d825d35f89dbfa73277788be86018c2f8c978d554a8bccff71e378

SHA512
c821fedd97adcc126e9333e701056dab4ff96e30db6ce1df8c7bdb51b7e89339428732b3df954e845a38febb1c8e35c36a11f595e9155cb458ce73a7e3e2f8b4

Download Submit
C:\Program Files\Raccine\yara\MAL_EM~1.YAR
MD5
77d3d09cf471af208f0e1ac47cb1931d

SHA1
7297dffc1a3e22d313d46e35a85660adfa99cd39

SHA256
19c0bc8f42a91fde15ca134d4de25202c5824c55adf2a30e06a245fb0b483436

SHA512
6ac9015c184638780205e76664bf1b571a4a98d3f08b3e4d0c73ed618f4e6a652386bd22ff0e94a15840716a706c2676a9165aa738442666038c4947ff3deeb9

Download Submit
C:\Program Files\Raccine\yara\MAL_EM~1.YAR
MD5
77d3d09cf471af208f0e1ac47cb1931d

SHA1
7297dffc1a3e22d313d46e35a85660adfa99cd39

SHA256
19c0bc8f42a91fde15ca134d4de25202c5824c55adf2a30e06a245fb0b483436

SHA512
6ac9015c184638780205e76664bf1b571a4a98d3f08b3e4d0c73ed618f4e6a652386bd22ff0e94a15840716a706c2676a9165aa738442666038c4947ff3deeb9

Download Submit
C:\Program Files\Raccine\yara\MAL_EX~1.YAR
MD5
c877016676615f2fba347b3798cd280e

SHA1
52a25340a46ce3e26b9b63ad0311056f9915fc83

SHA256
53feb10c0d4cbf9eca182796ca265ae62a5a60b7dcd3711913780d052d5e31c9

SHA512
b34e66f2084d184d0d772da6a759363bf77935d00f647063df5591ee598f6d2aabf3f4e104894b4fdb1c0466105869e78f4630558554926c8464eb10eeb266c6

Download Submit
C:\Program Files\Raccine\yara\MAL_EX~1.YAR
MD5
c877016676615f2fba347b3798cd280e

SHA1
52a25340a46ce3e26b9b63ad0311056f9915fc83

SHA256
53feb10c0d4cbf9eca182796ca265ae62a5a60b7dcd3711913780d052d5e31c9

SHA512
b34e66f2084d184d0d772da6a759363bf77935d00f647063df5591ee598f6d2aabf3f4e104894b4fdb1c0466105869e78f4630558554926c8464eb10eeb266c6

Download Submit
C:\Program Files\Raccine\yara\MAL_RE~1.YAR
MD5
28af6efd8c8918a9b0e76104d2d09cdf

SHA1
ed9c70bc34639790494edf40b0393a52612ad2c4

SHA256
6cedfd74e88cead8073cdee12fd3197cd84f537f10216a48a3f9bed7e0df0698

SHA512
da74384e7bcccfa0045f944ee16a4feee174431b45a3e79d2ed483efe54c1a4b525a78a4e2791ae0d760566d2e52ef865a138031ae1d2311b0e41f4c645b44da

Download Submit
C:\Program Files\Raccine\yara\MAL_RE~1.YAR
MD5
28af6efd8c8918a9b0e76104d2d09cdf

SHA1
ed9c70bc34639790494edf40b0393a52612ad2c4

SHA256
6cedfd74e88cead8073cdee12fd3197cd84f537f10216a48a3f9bed7e0df0698

SHA512
da74384e7bcccfa0045f944ee16a4feee174431b45a3e79d2ed483efe54c1a4b525a78a4e2791ae0d760566d2e52ef865a138031ae1d2311b0e41f4c645b44da

Download Submit
C:\Program Files\Raccine\yara\OTHER_~1.YAR
MD5
aa67cc7661a87437ee80376b74dfd79c

SHA1
4f7c7ce890488a9a119041228d5a1d3c4b4d2574

SHA256
a7c58350906f12b7098ca30b20480110221dcf6db46fde313bf45cdb24aadff1

SHA512
8fe31ee3b83050ac42e6a2359141cb146cbe339fec74b858c06b4e9c29d8b5723dc72abddba090ae470378f8107805cb7187cb335e25a5289ec069ed1d85a848

Download Submit
C:\Program Files\Raccine\yara\OTHER_~1.YAR
MD5
aa67cc7661a87437ee80376b74dfd79c

SHA1
4f7c7ce890488a9a119041228d5a1d3c4b4d2574

SHA256
a7c58350906f12b7098ca30b20480110221dcf6db46fde313bf45cdb24aadff1

SHA512
8fe31ee3b83050ac42e6a2359141cb146cbe339fec74b858c06b4e9c29d8b5723dc72abddba090ae470378f8107805cb7187cb335e25a5289ec069ed1d85a848

Download Submit
C:\Program Files\Raccine\yara\POWERS~1.YAR
MD5
6f857f3943ac7df4c0d802e61be49af7

SHA1
2875aac8b1ee68c7516d47a3fea7dd36cbecb844

SHA256
316712fa2d54dff630025bcf4f3b82276c95a7fbe0df21e4d75f73fb423b7d0e

SHA512
368b74d61a245d3c03c476e98401de28972ab2e2d1eb4f13ecec8db2e97b79c5d35021def4aca0bd725ebacb36b23af013f7dc6987445f3c7e12092cfb132c16

Download Submit
C:\Program Files\Raccine\yara\POWERS~1.YAR
MD5
6f857f3943ac7df4c0d802e61be49af7

SHA1
2875aac8b1ee68c7516d47a3fea7dd36cbecb844

SHA256
316712fa2d54dff630025bcf4f3b82276c95a7fbe0df21e4d75f73fb423b7d0e

SHA512
368b74d61a245d3c03c476e98401de28972ab2e2d1eb4f13ecec8db2e97b79c5d35021def4aca0bd725ebacb36b23af013f7dc6987445f3c7e12092cfb132c16

Download Submit
C:\Program Files\Raccine\yara\RYUK-C~1.YAR
MD5
f4ba51fc6c5b4727f3a69a8861653857

SHA1
b9e45ce8ce2e543d73b458f1b6cb17a36ee64db4

SHA256
cee03ee3fc4f1a594117bfcf512886b0e7b55ac8a223ce85c8b2fec25a57b467

SHA512
5e2f92e48705109dcac369b4481e9c20a9a79857e3fd72e76c68ae4aacb171b37332d338f44a226712c6b028d7d672b58a503f0f71c4006333b0fab95a26c35c

Download Submit
C:\Program Files\Raccine\yara\RYUK-C~1.YAR
MD5
f4ba51fc6c5b4727f3a69a8861653857

SHA1
b9e45ce8ce2e543d73b458f1b6cb17a36ee64db4

SHA256
cee03ee3fc4f1a594117bfcf512886b0e7b55ac8a223ce85c8b2fec25a57b467

SHA512
5e2f92e48705109dcac369b4481e9c20a9a79857e3fd72e76c68ae4aacb171b37332d338f44a226712c6b028d7d672b58a503f0f71c4006333b0fab95a26c35c

Download Submit
C:\Program Files\Raccine\yara\ext-vars-test.yar
MD5
df3c64774d148744623340e01843920e

SHA1
7204570f4948a1877ad5738499fcf4c0253acf32

SHA256
6df76e55312e0f2d653d348ac00e844e428f1bfd33884b15e03af490786075ef

SHA512
3e3779bce7e184499296e2daf136e5e27973a1c004b85df4f0065120f71dcb73ab86686ef6acec8d5a5a6146e9a486ca61a9e990c5d74861f5903a57a65ff767

Download Submit
C:\Program Files\Raccine\yara\ext-vars-test.yar
MD5
df3c64774d148744623340e01843920e

SHA1
7204570f4948a1877ad5738499fcf4c0253acf32

SHA256
6df76e55312e0f2d653d348ac00e844e428f1bfd33884b15e03af490786075ef

SHA512
3e3779bce7e184499296e2daf136e5e27973a1c004b85df4f0065120f71dcb73ab86686ef6acec8d5a5a6146e9a486ca61a9e990c5d74861f5903a57a65ff767

Download Submit
C:\Program Files\Raccine\yara\ext-vars-test.yar
MD5
df3c64774d148744623340e01843920e

SHA1
7204570f4948a1877ad5738499fcf4c0253acf32

SHA256
6df76e55312e0f2d653d348ac00e844e428f1bfd33884b15e03af490786075ef

SHA512
3e3779bce7e184499296e2daf136e5e27973a1c004b85df4f0065120f71dcb73ab86686ef6acec8d5a5a6146e9a486ca61a9e990c5d74861f5903a57a65ff767

Download Submit
C:\Program Files\Raccine\yara\gen_powershell_invocation.yar
MD5
98c233afcdfe0957fb53aa2a6e800829

SHA1
02db07843c687883ec8129eb4ca6cb16235fb5d1

SHA256
d6b5e6e8a8e3590c9a373194b164defa6354f6f9d0a6718bb01870079d96f39f

SHA512
51676abfb7e759d176468d17cf419cab8bc697e02b79eaa6e2b70af0df3b3830d6c9141e75c56df1c6a6b0f09cd4d92636b956cd8e8fb12bbe958d9b2c379204

Download Submit
C:\Program Files\Raccine\yara\gen_powershell_invocation.yar
MD5
98c233afcdfe0957fb53aa2a6e800829

SHA1
02db07843c687883ec8129eb4ca6cb16235fb5d1

SHA256
d6b5e6e8a8e3590c9a373194b164defa6354f6f9d0a6718bb01870079d96f39f

SHA512
51676abfb7e759d176468d17cf419cab8bc697e02b79eaa6e2b70af0df3b3830d6c9141e75c56df1c6a6b0f09cd4d92636b956cd8e8fb12bbe958d9b2c379204

Download Submit
C:\Program Files\Raccine\yara\gen_powershell_invocation.yar
MD5
98c233afcdfe0957fb53aa2a6e800829

SHA1
02db07843c687883ec8129eb4ca6cb16235fb5d1

SHA256
d6b5e6e8a8e3590c9a373194b164defa6354f6f9d0a6718bb01870079d96f39f

SHA512
51676abfb7e759d176468d17cf419cab8bc697e02b79eaa6e2b70af0df3b3830d6c9141e75c56df1c6a6b0f09cd4d92636b956cd8e8fb12bbe958d9b2c379204

Download Submit
C:\Program Files\Raccine\yara\gen_raccine_kills.yar
MD5
84918672499b4e7e57d1c87fa1f0e2f9

SHA1
589f0dd8d1e022686f9f12cebf7e4a8e6708cb14

SHA256
b3d57cc3f9b9ae3e626eabf840be8396a721882fbbf2867804aded477b195651

SHA512
6f2921ebd9e6ea535096048e668c4f9a906536b69183d8edb6dc62ec0c639ede58b8ea77d8c9dc3d69dcb8842bcd07886559316275ced87f47126a0fb4703273

Download Submit
C:\Program Files\Raccine\yara\gen_raccine_kills.yar
MD5
84918672499b4e7e57d1c87fa1f0e2f9

SHA1
589f0dd8d1e022686f9f12cebf7e4a8e6708cb14

SHA256
b3d57cc3f9b9ae3e626eabf840be8396a721882fbbf2867804aded477b195651

SHA512
6f2921ebd9e6ea535096048e668c4f9a906536b69183d8edb6dc62ec0c639ede58b8ea77d8c9dc3d69dcb8842bcd07886559316275ced87f47126a0fb4703273

Download Submit
C:\Program Files\Raccine\yara\gen_raccine_kills.yar
MD5
84918672499b4e7e57d1c87fa1f0e2f9

SHA1
589f0dd8d1e022686f9f12cebf7e4a8e6708cb14

SHA256
b3d57cc3f9b9ae3e626eabf840be8396a721882fbbf2867804aded477b195651

SHA512
6f2921ebd9e6ea535096048e668c4f9a906536b69183d8edb6dc62ec0c639ede58b8ea77d8c9dc3d69dcb8842bcd07886559316275ced87f47126a0fb4703273

Download Submit
C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
MD5
93a973768bbcab1195200efd346b7374

SHA1
e4826632230455350f746a448647ecf817623d14

SHA256
71d501ee89d3757a338cf15adf216310a969a814aca2212ef7e2384c994b9029

SHA512
b208c0e0840c2c5575f0f4f87a04e74f17dc044ea868f79bd9fea3811774026079581892bf1bf807b8c36b9f559a8745f8ccf8d4af8433b42ad0e09e355cf7ca

Download Submit
C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar
MD5
f1411a74e4e909a882b57533b432bb73

SHA1
b46583b6d8edf906629c8c7f4861bf6f7bfa09c1

SHA256
4c443dffb738c4f71be7375d9b0b7fe06b7d12eb4452938a04190d37cfb18631

SHA512
40d5934b84ddf21da4ac41c11e6bf3118fda249bc70abd60b9fd201a139cdbb31a3857851da541818f99f94431270a535fb4d7cfde4dd19aa30324a3a8653170

Download Submit
C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar
MD5
f1411a74e4e909a882b57533b432bb73

SHA1
b46583b6d8edf906629c8c7f4861bf6f7bfa09c1

SHA256
4c443dffb738c4f71be7375d9b0b7fe06b7d12eb4452938a04190d37cfb18631

SHA512
40d5934b84ddf21da4ac41c11e6bf3118fda249bc70abd60b9fd201a139cdbb31a3857851da541818f99f94431270a535fb4d7cfde4dd19aa30324a3a8653170

Download Submit
C:\Program Files\Raccine\yara\mal_darkside.yar
MD5
3d4b4296556faeae0f981fea230e1f9e

SHA1
638339223282f5791440bf04da943c8281129f1d

SHA256
e27732a4c3d825d35f89dbfa73277788be86018c2f8c978d554a8bccff71e378

SHA512
c821fedd97adcc126e9333e701056dab4ff96e30db6ce1df8c7bdb51b7e89339428732b3df954e845a38febb1c8e35c36a11f595e9155cb458ce73a7e3e2f8b4

Download Submit
C:\Program Files\Raccine\yara\mal_darkside.yar
MD5
3d4b4296556faeae0f981fea230e1f9e

SHA1
638339223282f5791440bf04da943c8281129f1d

SHA256
e27732a4c3d825d35f89dbfa73277788be86018c2f8c978d554a8bccff71e378

SHA512
c821fedd97adcc126e9333e701056dab4ff96e30db6ce1df8c7bdb51b7e89339428732b3df954e845a38febb1c8e35c36a11f595e9155cb458ce73a7e3e2f8b4

Download Submit
C:\Program Files\Raccine\yara\mal_emotet.yar
MD5
77d3d09cf471af208f0e1ac47cb1931d

SHA1
7297dffc1a3e22d313d46e35a85660adfa99cd39

SHA256
19c0bc8f42a91fde15ca134d4de25202c5824c55adf2a30e06a245fb0b483436

SHA512
6ac9015c184638780205e76664bf1b571a4a98d3f08b3e4d0c73ed618f4e6a652386bd22ff0e94a15840716a706c2676a9165aa738442666038c4947ff3deeb9

Download Submit
C:\Program Files\Raccine\yara\mal_emotet.yar
MD5
77d3d09cf471af208f0e1ac47cb1931d

SHA1
7297dffc1a3e22d313d46e35a85660adfa99cd39

SHA256
19c0bc8f42a91fde15ca134d4de25202c5824c55adf2a30e06a245fb0b483436

SHA512
6ac9015c184638780205e76664bf1b571a4a98d3f08b3e4d0c73ed618f4e6a652386bd22ff0e94a15840716a706c2676a9165aa738442666038c4947ff3deeb9

Download Submit
C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar
MD5
c877016676615f2fba347b3798cd280e

SHA1
52a25340a46ce3e26b9b63ad0311056f9915fc83

SHA256
53feb10c0d4cbf9eca182796ca265ae62a5a60b7dcd3711913780d052d5e31c9

SHA512
b34e66f2084d184d0d772da6a759363bf77935d00f647063df5591ee598f6d2aabf3f4e104894b4fdb1c0466105869e78f4630558554926c8464eb10eeb266c6

Download Submit
C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar
MD5
c877016676615f2fba347b3798cd280e

SHA1
52a25340a46ce3e26b9b63ad0311056f9915fc83

SHA256
53feb10c0d4cbf9eca182796ca265ae62a5a60b7dcd3711913780d052d5e31c9

SHA512
b34e66f2084d184d0d772da6a759363bf77935d00f647063df5591ee598f6d2aabf3f4e104894b4fdb1c0466105869e78f4630558554926c8464eb10eeb266c6

Download Submit
C:\Program Files\Raccine\yara\mal_revil.yar
MD5
28af6efd8c8918a9b0e76104d2d09cdf

SHA1
ed9c70bc34639790494edf40b0393a52612ad2c4

SHA256
6cedfd74e88cead8073cdee12fd3197cd84f537f10216a48a3f9bed7e0df0698

SHA512
da74384e7bcccfa0045f944ee16a4feee174431b45a3e79d2ed483efe54c1a4b525a78a4e2791ae0d760566d2e52ef865a138031ae1d2311b0e41f4c645b44da

Download Submit
C:\Program Files\Raccine\yara\mal_revil.yar
MD5
28af6efd8c8918a9b0e76104d2d09cdf

SHA1
ed9c70bc34639790494edf40b0393a52612ad2c4

SHA256
6cedfd74e88cead8073cdee12fd3197cd84f537f10216a48a3f9bed7e0df0698

SHA512
da74384e7bcccfa0045f944ee16a4feee174431b45a3e79d2ed483efe54c1a4b525a78a4e2791ae0d760566d2e52ef865a138031ae1d2311b0e41f4c645b44da

Download Submit
C:\Program Files\Raccine\yara\powershell_loaders.yar
MD5
6f857f3943ac7df4c0d802e61be49af7

SHA1
2875aac8b1ee68c7516d47a3fea7dd36cbecb844

SHA256
316712fa2d54dff630025bcf4f3b82276c95a7fbe0df21e4d75f73fb423b7d0e

SHA512
368b74d61a245d3c03c476e98401de28972ab2e2d1eb4f13ecec8db2e97b79c5d35021def4aca0bd725ebacb36b23af013f7dc6987445f3c7e12092cfb132c16

Download Submit
C:\Program Files\Raccine\yara\powershell_loaders.yar
MD5
6f857f3943ac7df4c0d802e61be49af7

SHA1
2875aac8b1ee68c7516d47a3fea7dd36cbecb844

SHA256
316712fa2d54dff630025bcf4f3b82276c95a7fbe0df21e4d75f73fb423b7d0e

SHA512
368b74d61a245d3c03c476e98401de28972ab2e2d1eb4f13ecec8db2e97b79c5d35021def4aca0bd725ebacb36b23af013f7dc6987445f3c7e12092cfb132c16

Download Submit
C:\Program Files\Raccine\yara\ryuk-commandlines.yar
MD5
f4ba51fc6c5b4727f3a69a8861653857

SHA1
b9e45ce8ce2e543d73b458f1b6cb17a36ee64db4

SHA256
cee03ee3fc4f1a594117bfcf512886b0e7b55ac8a223ce85c8b2fec25a57b467

SHA512
5e2f92e48705109dcac369b4481e9c20a9a79857e3fd72e76c68ae4aacb171b37332d338f44a226712c6b028d7d672b58a503f0f71c4006333b0fab95a26c35c

Download Submit
C:\Program Files\Raccine\yara\ryuk-commandlines.yar
MD5
f4ba51fc6c5b4727f3a69a8861653857

SHA1
b9e45ce8ce2e543d73b458f1b6cb17a36ee64db4

SHA256
cee03ee3fc4f1a594117bfcf512886b0e7b55ac8a223ce85c8b2fec25a57b467

SHA512
5e2f92e48705109dcac369b4481e9c20a9a79857e3fd72e76c68ae4aacb171b37332d338f44a226712c6b028d7d672b58a503f0f71c4006333b0fab95a26c35c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RaccineRulesSync.exe.log
MD5
0035f05223b803c4bec52707d67ae6d0

SHA1
a44d9a3578a7625e524fc05f150bb078571a041e

SHA256
36a73f87f5c90c5b3d45edf5de246d78fa694b1d849cecef8504844bcca6b0a8

SHA512
b57a656ce1a608581e125918f6561541c759de9790eca8e57f0abf6d1fe5c42602a4d71d8b899c0621e2961959002d5e3ebb458a3b4fb2ce3be1b2973a152176

Download Submit
memory/220-152-0x0000000000000000-mapping.dmp

Download
memory/500-123-0x0000000000000000-mapping.dmp

Download
memory/772-127-0x0000000000000000-mapping.dmp

Download
memory/820-125-0x0000000000000000-mapping.dmp

Download
memory/908-126-0x0000000000000000-mapping.dmp

Download
memory/1008-124-0x0000000000000000-mapping.dmp

Download
memory/1068-128-0x0000000000000000-mapping.dmp

Download
memory/1192-129-0x0000000000000000-mapping.dmp

Download
memory/1224-130-0x0000000000000000-mapping.dmp

Download
memory/1368-131-0x0000000000000000-mapping.dmp

Download
memory/1456-208-0x0000000000000000-mapping.dmp

Download
memory/1528-132-0x0000000000000000-mapping.dmp

Download
memory/1712-134-0x0000000000000000-mapping.dmp

Download
memory/1876-135-0x0000000000000000-mapping.dmp

Download
memory/1956-136-0x0000000000000000-mapping.dmp

Download
memory/1996-137-0x0000000000000000-mapping.dmp

Download
memory/2068-204-0x0000000000000000-mapping.dmp

Download
memory/2072-138-0x0000000000000000-mapping.dmp

Download
memory/2180-173-0x0000000000000000-mapping.dmp

Download
memory/2236-139-0x0000000000000000-mapping.dmp

Download
memory/2244-202-0x0000000000000000-mapping.dmp

Download
memory/2288-207-0x0000000000000000-mapping.dmp

Download
memory/2396-140-0x0000000000000000-mapping.dmp

Download
memory/2464-141-0x0000000000000000-mapping.dmp

Download
memory/2656-142-0x0000000000000000-mapping.dmp

Download
memory/2668-150-0x0000000000000000-mapping.dmp

Download
memory/2676-143-0x0000000000000000-mapping.dmp

Download
memory/2728-147-0x0000026B10DF0000-0x0000026B10DF1000-memory.dmp

Filesize
4KB

Download
memory/2728-157-0x0000026B12AC0000-0x0000026B12AC2000-memory.dmp

Filesize
8KB

Download
memory/2728-144-0x0000000000000000-mapping.dmp

Download
memory/2852-149-0x0000000000000000-mapping.dmp

Download
memory/3076-190-0x0000000000000000-mapping.dmp

Download
memory/3152-133-0x0000000000000000-mapping.dmp

Download
memory/3164-118-0x0000000000000000-mapping.dmp

Download
memory/3432-174-0x0000000000000000-mapping.dmp

Download
memory/3480-172-0x0000000000000000-mapping.dmp

Download
memory/3600-195-0x0000000000000000-mapping.dmp

Download
memory/3624-194-0x0000000000000000-mapping.dmp

Download
memory/3668-171-0x0000000000000000-mapping.dmp

Download
memory/3872-196-0x0000000000000000-mapping.dmp

Download
memory/3980-176-0x0000000000000000-mapping.dmp

Download
memory/3984-117-0x0000000000000000-mapping.dmp

Download
memory/4020-218-0x000001B97B700000-0x000001B97B702000-memory.dmp

Filesize
8KB

Download
memory/4020-212-0x0000000000000000-mapping.dmp

Download
memory/4060-193-0x0000000000000000-mapping.dmp

Download
memory/4132-203-0x0000000000000000-mapping.dmp

Download
memory/4160-119-0x0000000000000000-mapping.dmp

Download
memory/4208-230-0x0000022A6F060000-0x0000022A6F062000-memory.dmp

Filesize
8KB

Download
memory/4244-121-0x0000000000000000-mapping.dmp

Download
memory/4260-120-0x0000000000000000-mapping.dmp

Download
memory/4276-122-0x0000000000000000-mapping.dmp

Download
memory/4284-154-0x0000017101CA0000-0x0000017101CA1000-memory.dmp

Filesize
4KB

Download
memory/4284-156-0x000001711AF40000-0x000001711AF41000-memory.dmp

Filesize
4KB

Download
memory/4284-158-0x000001711AF00000-0x000001711AF02000-memory.dmp

Filesize
8KB

Download
memory/4284-159-0x000001711B740000-0x000001711B741000-memory.dmp

Filesize
4KB

Download
memory/4328-255-0x000002B2FDC80000-0x000002B2FDC82000-memory.dmp

Filesize
8KB

Download
memory/4524-209-0x0000000000000000-mapping.dmp

Download
memory/4552-197-0x0000000000000000-mapping.dmp

Download
memory/4604-198-0x0000000000000000-mapping.dmp

Download
memory/4640-199-0x0000000000000000-mapping.dmp

Download
memory/4668-200-0x0000000000000000-mapping.dmp

Download
memory/4684-210-0x0000000000000000-mapping.dmp

Download
memory/4712-201-0x0000000000000000-mapping.dmp

Download
memory/4736-205-0x0000000000000000-mapping.dmp

Download
memory/4752-265-0x000001DF7AAA0000-0x000001DF7AAA2000-memory.dmp

Filesize
8KB

Download
memory/4764-175-0x0000000000000000-mapping.dmp

Download
memory/4768-211-0x0000000000000000-mapping.dmp

Download
memory/4780-206-0x0000000000000000-mapping.dmp

Download
memory/4936-114-0x0000000000000000-mapping.dmp

Download
memory/5008-115-0x0000000000000000-mapping.dmp

Download
memory/5024-116-0x0000000000000000-mapping.dmp

Download
memory/5052-192-0x0000000000000000-mapping.dmp

Download
memory/5088-191-0x0000000000000000-mapping.dmp

Download
memory/5100-189-0x0000000000000000-mapping.dmp

Download