raccoon | 677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a

Analysis

max time kernel
153s
max time network
142s
platform
windows10_x64
resource
win10v20210408
submitted
12-10-2021 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
Size

222KB
MD5

d4c1b28a379541f4863d88626a222b1d
SHA1

8ff062a14bc961f8157eb418e5f761a964a4bff5
SHA256

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a
SHA512

f96e499098380994b1da9e1d3a77a4e3544ad6c8151b7563862265d0df70ea30c8ba954bebf91c8739e3142f9136aef3f71a34eef11e997092b0a2811f829759

Malware Config

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes

url4cnc
http://telemirror.top/ararius809b

http://tgmirror.top/ararius809b

http://telegatt.top/ararius809b

http://telegka.top/ararius809b

http://telegin.top/ararius809b

https://t.me/ararius809b

rc4.plain

Extracted

Family

raccoon

Version

1.8.2

Botnet

676b1a32c7d2ce2aba84e8823871900d67e00049

Attributes

url4cnc
http://telemirror.top/kaba4ello

http://tgmirror.top/kaba4ello

http://telegatt.top/kaba4ello

http://telegka.top/kaba4ello

http://telegin.top/kaba4ello

https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

redline

Botnet

MegaProliv

93.115.20.139:28978

Extracted

Family

raccoon

Version

1.8.2

Botnet

c8fdd015293e99dac71bc0cfc194d3ce612abf3e

Attributes

url4cnc
http://telemirror.top/rocketmanthem2

http://tgmirror.top/rocketmanthem2

http://telegatt.top/rocketmanthem2

http://telegka.top/rocketmanthem2

http://telegin.top/rocketmanthem2

https://t.me/rocketmanthem2

rc4.plain

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3616-133-0x0000000000740000-0x0000000000771000-memory.dmp	family_redline
behavioral1/memory/3616-140-0x0000000002850000-0x000000000286C000-memory.dmp	family_redline
behavioral1/memory/3048-178-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/3048-179-0x000000000041B25E-mapping.dmp	family_redline
behavioral1/memory/3048-193-0x0000000005740000-0x0000000005D46000-memory.dmp	family_redline

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 2516 created 2632	2516	WerFault.exe	75

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

D5E3.exeDBE0.exeE084.exeF19C.exeF576.exe3A0.exeF576.exeC5B.exe

pid	Process
2256	D5E3.exe
2632	DBE0.exe
3616	E084.exe
3516	F19C.exe
1708	F576.exe
2352	3A0.exe
3048	F576.exe
3868	C5B.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

Processes:

pid	Process
2536

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exeF576.exe

description	pid	Process	procid_target
PID 764 set thread context of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 1708 set thread context of 3048	1708	F576.exe	80

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2516	2632	WerFault.exe	75

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1996	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe

pid	Process
496	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
496	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2536

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
616

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe

pid	Process
496	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

E084.exeF576.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	Process
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeDebugPrivilege	3616	E084.exe
Token: SeDebugPrivilege	3048	F576.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeRestorePrivilege	2516	WerFault.exe
Token: SeBackupPrivilege	2516	WerFault.exe
Token: SeDebugPrivilege	2516	WerFault.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
2536
2536

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid	Process
2536
2536
2536

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2536

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exeF576.exeF19C.exepowershell.execsc.exe

description	pid	Process	procid_target
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 764 wrote to memory of 496	764	677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe	73
PID 2536 wrote to memory of 2256	2536		74
PID 2536 wrote to memory of 2256	2536		74
PID 2536 wrote to memory of 2256	2536		74
PID 2536 wrote to memory of 2632	2536		75
PID 2536 wrote to memory of 2632	2536		75
PID 2536 wrote to memory of 2632	2536		75
PID 2536 wrote to memory of 3616	2536		76
PID 2536 wrote to memory of 3616	2536		76
PID 2536 wrote to memory of 3616	2536		76
PID 2536 wrote to memory of 3516	2536		77
PID 2536 wrote to memory of 3516	2536		77
PID 2536 wrote to memory of 3516	2536		77
PID 2536 wrote to memory of 1708	2536		78
PID 2536 wrote to memory of 1708	2536		78
PID 2536 wrote to memory of 1708	2536		78
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 2536 wrote to memory of 2352	2536		81
PID 2536 wrote to memory of 2352	2536		81
PID 2536 wrote to memory of 2352	2536		81
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 1708 wrote to memory of 3048	1708	F576.exe	80
PID 2536 wrote to memory of 3868	2536		82
PID 2536 wrote to memory of 3868	2536		82
PID 2536 wrote to memory of 3868	2536		82
PID 3516 wrote to memory of 3164	3516	F19C.exe	83
PID 3516 wrote to memory of 3164	3516	F19C.exe	83
PID 3516 wrote to memory of 3164	3516	F19C.exe	83
PID 3164 wrote to memory of 2240	3164	powershell.exe	88
PID 3164 wrote to memory of 2240	3164	powershell.exe	88
PID 3164 wrote to memory of 2240	3164	powershell.exe	88
PID 2240 wrote to memory of 1316	2240	csc.exe	89
PID 2240 wrote to memory of 1316	2240	csc.exe	89
PID 2240 wrote to memory of 1316	2240	csc.exe	89
PID 3164 wrote to memory of 3132	3164	powershell.exe	90
PID 3164 wrote to memory of 3132	3164	powershell.exe	90
PID 3164 wrote to memory of 3132	3164	powershell.exe	90
PID 3164 wrote to memory of 2864	3164	powershell.exe	92
PID 3164 wrote to memory of 2864	3164	powershell.exe	92
PID 3164 wrote to memory of 2864	3164	powershell.exe	92
PID 3164 wrote to memory of 360	3164	powershell.exe	94
PID 3164 wrote to memory of 360	3164	powershell.exe	94
PID 3164 wrote to memory of 360	3164	powershell.exe	94
PID 3164 wrote to memory of 1900	3164	powershell.exe	96
PID 3164 wrote to memory of 1900	3164	powershell.exe	96
PID 3164 wrote to memory of 1900	3164	powershell.exe	96
PID 3164 wrote to memory of 1996	3164	powershell.exe	97
PID 3164 wrote to memory of 1996	3164	powershell.exe	97
PID 3164 wrote to memory of 1996	3164	powershell.exe	97
PID 3164 wrote to memory of 776	3164	powershell.exe	98
PID 3164 wrote to memory of 776	3164	powershell.exe	98
PID 3164 wrote to memory of 776	3164	powershell.exe	98
PID 3164 wrote to memory of 3540	3164	powershell.exe	99
PID 3164 wrote to memory of 3540	3164	powershell.exe	99

C:\Users\Admin\AppData\Local\Temp\677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
"C:\Users\Admin\AppData\Local\Temp\677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe
  "C:\Users\Admin\AppData\Local\Temp\677522504448bf38829bf36ac5f7bec74725370cb77539ce7bb9578da6f5182a.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:496

C:\Users\Admin\AppData\Local\Temp\D5E3.exe
C:\Users\Admin\AppData\Local\Temp\D5E3.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\Temp\DBE0.exe
C:\Users\Admin\AppData\Local\Temp\DBE0.exe
1⤵
- Executes dropped EXE
PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 916
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Users\Admin\AppData\Local\Temp\E084.exe
C:\Users\Admin\AppData\Local\Temp\E084.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Users\Admin\AppData\Local\Temp\F19C.exe
C:\Users\Admin\AppData\Local\Temp\F19C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tqmznkhv\tqmznkhv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442E.tmp" "c:\Users\Admin\AppData\Local\Temp\tqmznkhv\CSCC964AAB5C2D5489489626116283E7EDB.TMP"
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:776
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:3540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:3176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2124
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:1144
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:672

C:\Users\Admin\AppData\Local\Temp\F576.exe
C:\Users\Admin\AppData\Local\Temp\F576.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\F576.exe
  C:\Users\Admin\AppData\Local\Temp\F576.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3048

C:\Users\Admin\AppData\Local\Temp\3A0.exe
C:\Users\Admin\AppData\Local\Temp\3A0.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\AppData\Local\Temp\C5B.exe
C:\Users\Admin\AppData\Local\Temp\C5B.exe
1⤵
- Executes dropped EXE
PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F576.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A0.exe

MD5
22ab283ddfc22feb42ba6a41213b7e3d

SHA1
9395ae63430d1fa5cc380bda62728b5b9cc44a81

SHA256
11ef22f15adf21fe32253179105ff52efd7410176a445dd2c2fe7bac48203d5f

SHA512
6d1e2ec6fd493ab676fc951ec7cf2e5c7f5a114a4824ce5f77f3712447b14453f3264e816bb0ed0d2f9cbec2593b0c562f5eba9df79ef0db972650a4a7da376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A0.exe

MD5
22ab283ddfc22feb42ba6a41213b7e3d

SHA1
9395ae63430d1fa5cc380bda62728b5b9cc44a81

SHA256
11ef22f15adf21fe32253179105ff52efd7410176a445dd2c2fe7bac48203d5f

SHA512
6d1e2ec6fd493ab676fc951ec7cf2e5c7f5a114a4824ce5f77f3712447b14453f3264e816bb0ed0d2f9cbec2593b0c562f5eba9df79ef0db972650a4a7da376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5B.exe

MD5
a0dc6b82eb7c6f4d6f78a29a0c336c6f

SHA1
0fd350c689142e002bf7e2e65ae76d5ee171cc2d

SHA256
f218df468cc2c548521476048a3808266fa420fc103177db5c8eae95b68d5c74

SHA512
62f93742665cd731555efd6e6e95ccda543f3c36f049e0eaebc802e2259aadb9d10e88e9d1b63a649f9732501add9e999c119cca3745cf1826ad6287ddcf9cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5B.exe

MD5
a0dc6b82eb7c6f4d6f78a29a0c336c6f

SHA1
0fd350c689142e002bf7e2e65ae76d5ee171cc2d

SHA256
f218df468cc2c548521476048a3808266fa420fc103177db5c8eae95b68d5c74

SHA512
62f93742665cd731555efd6e6e95ccda543f3c36f049e0eaebc802e2259aadb9d10e88e9d1b63a649f9732501add9e999c119cca3745cf1826ad6287ddcf9cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5E3.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5E3.exe

MD5
304fc140f23e50e1ca9c753d7ead32c6

SHA1
55db5552e5ac7a0e6ced8cd7e1ad2af2e3bf089e

SHA256
62b627269aeb306a6c25c7b118ede17354d0191b7a3ae1abbe44a7869239e9ae

SHA512
b13b8ed9ec826dd5d9ab4ae67d407556e08a1a11330e8320bf513b01ef3e710a3259874085009ad92002a999d8618c77054eeb31803e28b2bda3a97066e77e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBE0.exe

MD5
59c6c2a65e5c2a40244e4393e0cbbc7a

SHA1
9f9509d244397848c883edb56a3001c876d582d4

SHA256
2d985aaa24899cdc55eb605a7518caf8cb3cc27c2b808c73318c9c5102121a3b

SHA512
4ef5164b75f1a81df38af9fc5899b1325d998df32bc19fe770ed6d4c79062a047da68420c8e33f606f1e88dfd69cc2b13ce23501b4966f1dea8576c7f2ba337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBE0.exe

MD5
59c6c2a65e5c2a40244e4393e0cbbc7a

SHA1
9f9509d244397848c883edb56a3001c876d582d4

SHA256
2d985aaa24899cdc55eb605a7518caf8cb3cc27c2b808c73318c9c5102121a3b

SHA512
4ef5164b75f1a81df38af9fc5899b1325d998df32bc19fe770ed6d4c79062a047da68420c8e33f606f1e88dfd69cc2b13ce23501b4966f1dea8576c7f2ba337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E084.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\E084.exe

MD5
f5c4d463115dc020d5ec1756da0258a0

SHA1
b66eb6992d7c0191d1255ae0ada35b6403221425

SHA256
fa0bcd10cdc9df5fe9806e16a933d71d49c93fb6b21e75e2215bb728212b570e

SHA512
854bbe52abf339b75e68c20aef0b905fb29c4c2580a44b957b6d6b02889b78a44f6605a2e45f61f358b7b63d3530b61f6bad513f0672bcef06268d9ea1c55350

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19C.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19C.exe

MD5
2686d02fd6a82432c2bbfccdf7f334de

SHA1
75c80a6877c6e0724d19de0f5149bed186760e27

SHA256
35270b20b568beb5f844e1b8c9bfe53498cfbac02633a9cb3ca5927a2cba4e4d

SHA512
22333918e2fed9e39c967313f77844b6bc4f3a2dbfe97223c08def7b80057b7c89f5b75460575172e99c11ee2b824c66e4417588a12ae6a314968c2a34d01698

Download Submit
C:\Users\Admin\AppData\Local\Temp\F576.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\F576.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\F576.exe

MD5
3de1b117e92c82530bb90a01b5d5d51e

SHA1
8aec1842e379c1c6d9be27e5f144f037fed18432

SHA256
789f7812529efd3dbc528dedb06fa088e4243e6ffb7acc9eaaa54416130e0996

SHA512
ae015b693734f245df616bcbd51ad73047c6ee87235e82414ef461b13271361272fa3d70a63fef5d1f18311169b60f6a297aa91c740f03d90075862dd074f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES442E.tmp

MD5
fca41e96af8d18460c0f5436b8111dd2

SHA1
33c130ed063e7fd86215ce7f1f4e87349a90beb5

SHA256
c31436a35e6c7e83714abededb591bc03f6a653eb4ef00a116b725c608bef612

SHA512
47e5d6be63622f5d0a5a5a088f346f48de88adb91a65ec92c81f4a59c300192176a557183f213bf87cbd9a410b5c2e1c7d274b9f59a5d3894163dc0fd46a2be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
794bf0ae26a7efb0c516cf4a7692c501

SHA1
c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

SHA256
97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

SHA512
20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqmznkhv\tqmznkhv.dll

MD5
17e2e5cc36de6a1b1b6a0dd4f88b09dc

SHA1
ce7967a7079b1896ccfa4fa38743fa575a05259b

SHA256
92525aa40fa1b14082ba6cc013712f12ce3a7708ce6ec782ab9e23fe7517a3ea

SHA512
3ce709bc4ba0684bae3892ff783f6d56300e4c639936f28b753237eb93c6a0984f22353a1a8e1d69f5c6ec8983f9019fd72adcb0be6d81b7d162ccf71d316cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tqmznkhv\CSCC964AAB5C2D5489489626116283E7EDB.TMP

MD5
6547ab6cbd9c4324d2324d9d36a24549

SHA1
042569cf94dee37f2c76c75709cad6732a581b41

SHA256
bd2cbe85877c4c65222cac53fdd1b53f61c161eda9e6bb35f9b17d9f87f30b07

SHA512
0ee518e450789ff6b805b2201042c663590f17b874f00732efcb1a57d34f24ecc959ab8615ef0832244396aed9c11f9970cdfdcf9e35754e6bfd9b5332436d14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tqmznkhv\tqmznkhv.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tqmznkhv\tqmznkhv.cmdline

MD5
b913e3b393ace09c128ab35181fa16ff

SHA1
0453660400ba51e916b82832a4e9633122863051

SHA256
22dd893d6bb73445f15c9aeb0c525ddbc60261517fb0722e89738e91e1fe6b93

SHA512
d26e75b0b65d617a02d59cf5084780167e2c0d553f6fac443304662665a3ddf7b6685d8d626347c1704c9c71ddd5c371d9434910faf53dc0684627a4a813d4e6

Download Submit
memory/360-787-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

Filesize
4KB

Download
memory/360-771-0x0000000000000000-mapping.dmp

Download
memory/360-786-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/360-811-0x000000007F030000-0x000000007F031000-memory.dmp

Filesize
4KB

Download
memory/496-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/496-116-0x0000000000402DF8-mapping.dmp

Download
memory/672-1128-0x0000000000000000-mapping.dmp

Download
memory/764-117-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/776-1052-0x0000000000000000-mapping.dmp

Download
memory/1056-1093-0x0000000000000000-mapping.dmp

Download
memory/1144-1099-0x0000000000000000-mapping.dmp

Download
memory/1160-1090-0x0000000000000000-mapping.dmp

Download
memory/1316-229-0x0000000000000000-mapping.dmp

Download
memory/1708-160-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1708-162-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1708-161-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1708-159-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1708-157-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1708-154-0x0000000000000000-mapping.dmp

Download
memory/1724-1096-0x0000000000000000-mapping.dmp

Download
memory/1900-1050-0x0000000000000000-mapping.dmp

Download
memory/1996-1051-0x0000000000000000-mapping.dmp

Download
memory/2124-1098-0x0000000000000000-mapping.dmp

Download
memory/2240-226-0x0000000000000000-mapping.dmp

Download
memory/2256-138-0x0000000000400000-0x0000000004CBB000-memory.dmp

Filesize
72.7MB

Download
memory/2256-128-0x0000000006AB0000-0x000000000B30B000-memory.dmp

Filesize
72.4MB

Download
memory/2256-119-0x0000000000000000-mapping.dmp

Download
memory/2352-195-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2352-194-0x00000000006E0000-0x000000000076E000-memory.dmp

Filesize
568KB

Download
memory/2352-166-0x0000000000511000-0x0000000000560000-memory.dmp

Filesize
316KB

Download
memory/2352-163-0x0000000000000000-mapping.dmp

Download
memory/2528-1095-0x0000000000000000-mapping.dmp

Download
memory/2536-118-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/2592-1094-0x0000000000000000-mapping.dmp

Download
memory/2632-122-0x0000000000000000-mapping.dmp

Download
memory/2632-125-0x00000000025B0000-0x0000000002641000-memory.dmp

Filesize
580KB

Download
memory/2864-532-0x0000000005302000-0x0000000005303000-memory.dmp

Filesize
4KB

Download
memory/2864-520-0x0000000000000000-mapping.dmp

Download
memory/2864-531-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2864-624-0x000000007E5B0000-0x000000007E5B1000-memory.dmp

Filesize
4KB

Download
memory/3048-1127-0x0000000000000000-mapping.dmp

Download
memory/3048-193-0x0000000005740000-0x0000000005D46000-memory.dmp

Filesize
6.0MB

Download
memory/3048-178-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-179-0x000000000041B25E-mapping.dmp

Download
memory/3132-295-0x000000007F0A0000-0x000000007F0A1000-memory.dmp

Filesize
4KB

Download
memory/3132-267-0x0000000005272000-0x0000000005273000-memory.dmp

Filesize
4KB

Download
memory/3132-266-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3132-257-0x0000000000000000-mapping.dmp

Download
memory/3136-1100-0x0000000000000000-mapping.dmp

Download
memory/3164-207-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3164-204-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3164-215-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/3164-216-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3164-198-0x0000000000000000-mapping.dmp

Download
memory/3164-220-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3164-224-0x0000000009B20000-0x0000000009B21000-memory.dmp

Filesize
4KB

Download
memory/3164-225-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/3164-213-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/3164-1199-0x000000007F4F0000-0x000000007F4F1000-memory.dmp

Filesize
4KB

Download
memory/3164-205-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3164-209-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/3164-210-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3164-212-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

Filesize
4KB

Download
memory/3164-211-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/3164-233-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/3164-235-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

Filesize
4KB

Download
memory/3176-1097-0x0000000000000000-mapping.dmp

Download
memory/3516-177-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/3516-167-0x0000000005A10000-0x0000000005E0F000-memory.dmp

Filesize
4.0MB

Download
memory/3516-171-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/3516-172-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/3516-173-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3516-150-0x0000000000000000-mapping.dmp

Download
memory/3516-184-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/3516-174-0x00000000055F2000-0x00000000055F3000-memory.dmp

Filesize
4KB

Download
memory/3516-170-0x0000000000E80000-0x0000000001282000-memory.dmp

Filesize
4.0MB

Download
memory/3516-175-0x00000000055F4000-0x00000000055F5000-memory.dmp

Filesize
4KB

Download
memory/3516-153-0x0000000000A76000-0x0000000000E7C000-memory.dmp

Filesize
4.0MB

Download
memory/3516-176-0x00000000055F3000-0x00000000055F4000-memory.dmp

Filesize
4KB

Download
memory/3540-1089-0x0000000000000000-mapping.dmp

Download
memory/3616-140-0x0000000002850000-0x000000000286C000-memory.dmp

Filesize
112KB

Download
memory/3616-129-0x0000000000000000-mapping.dmp

Download
memory/3616-142-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3616-144-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3616-145-0x0000000002962000-0x0000000002963000-memory.dmp

Filesize
4KB

Download
memory/3616-139-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3616-133-0x0000000000740000-0x0000000000771000-memory.dmp

Filesize
196KB

Download
memory/3616-196-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/3616-146-0x0000000002963000-0x0000000002964000-memory.dmp

Filesize
4KB

Download
memory/3616-143-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3616-147-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3616-148-0x0000000002964000-0x0000000002965000-memory.dmp

Filesize
4KB

Download
memory/3616-197-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/3616-149-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3868-201-0x00000000006D0000-0x000000000075E000-memory.dmp

Filesize
568KB

Download
memory/3868-202-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3868-188-0x0000000000000000-mapping.dmp

Download