raccoon | 8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
11-11-2021 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
Size

333KB
MD5

30c80cb45ba547299105bfdf0479df71
SHA1

f9ba8aac7cee949d9bfa6785c5201a81fe395ffa
SHA256

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385
SHA512

9e119ac83f934abf64551d15cd98ca77cfa6082c6b3c4cbb2792e599c4c7d09ec47827076656a531980f09a71d5bb12995fb38393225b67e91465be31d243bc5

Score

10^/10

raccoon redline smokeloader 1935572286d6def51667b444fcf1aa8f5b634154 777666777 8dec62c1db2959619dca43e02fa46ad7bd606400 ss1 superstar backdoor discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

redline

Botnet

777666777

93.115.20.139:28978

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

1935572286d6def51667b444fcf1aa8f5b634154

Attributes

url4cnc
http://91.219.236.162/ilovedurov
http://185.163.47.176/ilovedurov
http://193.38.54.238/ilovedurov
http://74.119.192.122/ilovedurov
http://91.219.236.240/ilovedurov
https://t.me/ilovedurov

rc4.plain

Extracted

Family

redline

Botnet

ss1

86.107.197.248:56626

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/508-130-0x0000000002670000-0x000000000268B000-memory.dmp	family_redline
behavioral1/memory/408-165-0x0000000002120000-0x000000000213C000-memory.dmp	family_redline
behavioral1/memory/408-170-0x0000000002400000-0x000000000241B000-memory.dmp	family_redline
behavioral1/memory/2168-256-0x0000000000600000-0x0000000000620000-memory.dmp	family_redline
behavioral1/memory/2168-261-0x0000000000618EFA-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 772 created 2084	772	WerFault.exe	8010.exe
PID 900 created 1376	900	WerFault.exe	5833.exe
PID 1580 created 2300	1580	WerFault.exe	48D1.exe

suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

2026.exe2690.exe29FC.exe2026.exe4034.exe48D1.exe4034.exe5833.exe48D1.exe7AC0.exe8010.exe

pid process

1916 2026.exe
508 2690.exe
896 29FC.exe
1288 2026.exe
596 4034.exe
3620 48D1.exe
408 4034.exe
1376 5833.exe
2300 48D1.exe
1960 7AC0.exe
2084 8010.exe

pid	process
1916	2026.exe
508	2690.exe
896	29FC.exe
1288	2026.exe
596	4034.exe
3620	48D1.exe
408	4034.exe
1376	5833.exe
2300	48D1.exe
1960	7AC0.exe
2084	8010.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8010.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8010.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8010.exe

Deletes itself 1 IoCs

Processes:

pid process

3020
Loads dropped DLL 1 IoCs

Processes:

29FC.exe

pid process

896 29FC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

8010.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8010.exe

pid	process
3020

pid	process
896	29FC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8010.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe2026.exe4034.exe48D1.exe8010.exe

description	pid	process	target process
PID 2648 set thread context of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 1916 set thread context of 1288	1916	2026.exe	2026.exe
PID 596 set thread context of 408	596	4034.exe	4034.exe
PID 3620 set thread context of 2300	3620	48D1.exe	48D1.exe
PID 2084 set thread context of 2168	2084	8010.exe	AppLaunch.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

772 2084 WerFault.exe 8010.exe
900 1376 WerFault.exe 5833.exe
1580 2300 WerFault.exe 48D1.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
772	2084	WerFault.exe	8010.exe
900	1376	WerFault.exe	5833.exe
1580	2300	WerFault.exe	48D1.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe29FC.exe2026.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29FC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2026.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2026.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2026.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29FC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	29FC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe

pid	process
3492	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
3492	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe29FC.exe2026.exe

pid process

3492 8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
896 29FC.exe
1288 2026.exe

pid	process
3020

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

2690.exeWerFault.exeWerFault.exeAppLaunch.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	508	2690.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeRestorePrivilege	772	WerFault.exe
Token: SeBackupPrivilege	772	WerFault.exe
Token: SeRestorePrivilege	900	WerFault.exe
Token: SeBackupPrivilege	900	WerFault.exe
Token: SeBackupPrivilege	900	WerFault.exe
Token: SeDebugPrivilege	772	WerFault.exe
Token: SeDebugPrivilege	900	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	2168	AppLaunch.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	1580	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe2026.exe4034.exe48D1.exe8010.exe

description	pid	process	target process
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 2648 wrote to memory of 3492	2648	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe	8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
PID 3020 wrote to memory of 1916	3020		2026.exe
PID 3020 wrote to memory of 1916	3020		2026.exe
PID 3020 wrote to memory of 1916	3020		2026.exe
PID 3020 wrote to memory of 508	3020		2690.exe
PID 3020 wrote to memory of 508	3020		2690.exe
PID 3020 wrote to memory of 896	3020		29FC.exe
PID 3020 wrote to memory of 896	3020		29FC.exe
PID 3020 wrote to memory of 896	3020		29FC.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 1916 wrote to memory of 1288	1916	2026.exe	2026.exe
PID 3020 wrote to memory of 596	3020		4034.exe
PID 3020 wrote to memory of 596	3020		4034.exe
PID 3020 wrote to memory of 596	3020		4034.exe
PID 3020 wrote to memory of 3620	3020		48D1.exe
PID 3020 wrote to memory of 3620	3020		48D1.exe
PID 3020 wrote to memory of 3620	3020		48D1.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 596 wrote to memory of 408	596	4034.exe	4034.exe
PID 3020 wrote to memory of 1376	3020		5833.exe
PID 3020 wrote to memory of 1376	3020		5833.exe
PID 3020 wrote to memory of 1376	3020		5833.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3620 wrote to memory of 2300	3620	48D1.exe	48D1.exe
PID 3020 wrote to memory of 1960	3020		7AC0.exe
PID 3020 wrote to memory of 1960	3020		7AC0.exe
PID 3020 wrote to memory of 1960	3020		7AC0.exe
PID 3020 wrote to memory of 2084	3020		8010.exe
PID 3020 wrote to memory of 2084	3020		8010.exe
PID 3020 wrote to memory of 2084	3020		8010.exe
PID 2084 wrote to memory of 2168	2084	8010.exe	AppLaunch.exe
PID 2084 wrote to memory of 2168	2084	8010.exe	AppLaunch.exe
PID 2084 wrote to memory of 2168	2084	8010.exe	AppLaunch.exe
PID 2084 wrote to memory of 2168	2084	8010.exe	AppLaunch.exe
PID 2084 wrote to memory of 2168	2084	8010.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
"C:\Users\Admin\AppData\Local\Temp\8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe
"C:\Users\Admin\AppData\Local\Temp\8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3492

C:\Users\Admin\AppData\Local\Temp\2026.exe
C:\Users\Admin\AppData\Local\Temp\2026.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\2026.exe
C:\Users\Admin\AppData\Local\Temp\2026.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1288

C:\Users\Admin\AppData\Local\Temp\2690.exe
C:\Users\Admin\AppData\Local\Temp\2690.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Users\Admin\AppData\Local\Temp\29FC.exe
C:\Users\Admin\AppData\Local\Temp\29FC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:896

C:\Users\Admin\AppData\Local\Temp\4034.exe
C:\Users\Admin\AppData\Local\Temp\4034.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\4034.exe
C:\Users\Admin\AppData\Local\Temp\4034.exe
2⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\48D1.exe
C:\Users\Admin\AppData\Local\Temp\48D1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\48D1.exe
C:\Users\Admin\AppData\Local\Temp\48D1.exe
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1012
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\5833.exe
C:\Users\Admin\AppData\Local\Temp\5833.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 896
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\7AC0.exe
C:\Users\Admin\AppData\Local\Temp\7AC0.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\8010.exe
C:\Users\Admin\AppData\Local\Temp\8010.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 576
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9883.tmp.WERInternalMetadata.xml
MD5
904d465aadfc9f4c1563fe2e15ff5e96

SHA1
16e737fb4a003b08c9a93df419263bc0f8dc0b29

SHA256
916ac82066dd7d3dd04d94aff40a1a071c4d228bb11f7666e43f0ba490182bee

SHA512
0d4ffdb902ca372bf1f12ff7ee4824f8d5b3786ad8dc8b7ddb5405f421eb8e8e116f68fa128f0fef7f32136c21a618eb9192438569e75906d165b1026dc12eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2026.exe
MD5
30c80cb45ba547299105bfdf0479df71

SHA1
f9ba8aac7cee949d9bfa6785c5201a81fe395ffa

SHA256
8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385

SHA512
9e119ac83f934abf64551d15cd98ca77cfa6082c6b3c4cbb2792e599c4c7d09ec47827076656a531980f09a71d5bb12995fb38393225b67e91465be31d243bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2026.exe
MD5
30c80cb45ba547299105bfdf0479df71

SHA1
f9ba8aac7cee949d9bfa6785c5201a81fe395ffa

SHA256
8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385

SHA512
9e119ac83f934abf64551d15cd98ca77cfa6082c6b3c4cbb2792e599c4c7d09ec47827076656a531980f09a71d5bb12995fb38393225b67e91465be31d243bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2026.exe
MD5
30c80cb45ba547299105bfdf0479df71

SHA1
f9ba8aac7cee949d9bfa6785c5201a81fe395ffa

SHA256
8babdcbc5b6a2b3f53256809bf75026529ba681e991a7e95bb7c853da80bb385

SHA512
9e119ac83f934abf64551d15cd98ca77cfa6082c6b3c4cbb2792e599c4c7d09ec47827076656a531980f09a71d5bb12995fb38393225b67e91465be31d243bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2690.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\2690.exe
MD5
605ade73eb76236d94daaea50024fe68

SHA1
b8f50f7fb8d667535d13c6209c4c7b0931ac910f

SHA256
b0a234a0ddd049c4ae39faf49146ae213163e1d930327b98f1521117f12e3022

SHA512
ea6611e9accf6323d6337292cbfa6edc4d08d7c0ed58b41d5a6274b2487ba34d6f80a6b931befb924cfdf22acde223a5a777142146c6001c6179e7a98bcf3926

Download Submit
C:\Users\Admin\AppData\Local\Temp\29FC.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\29FC.exe
MD5
435b9c498c170c228aaa2006c59e91d0

SHA1
49a3706be6ce2bf71fa72402243737a8c2700396

SHA256
1dd7a2de3a100eb6258ba36d8714ab63494934bea8a7ec3756ef40c6655e155a

SHA512
2b3659d67c2e6e004378d539199d10c77ed6be6dd0ab9e71f8accc975d3fbf5cf7476cda5eb5e6bbcdeeb844f5c69d3b73223e8d35d4d334ade630244e185734

Download Submit
C:\Users\Admin\AppData\Local\Temp\4034.exe
MD5
7e56064ec1a5bd369945d167152c99ff

SHA1
3cc6506d14af2007355dc943517e6dd75c3ec289

SHA256
b2e199d426160394ccfcb6cc5312e34bc707973961591c0adb01f478b38f0e30

SHA512
aa68cc849657b4b2a324844b1b08a8691f9249172edabf535bd27b2dcb4ee3237548f01cc0a10cb241ffb8b38bdc001f0fb01e86d4523ca1ea01180aad79391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4034.exe
MD5
7e56064ec1a5bd369945d167152c99ff

SHA1
3cc6506d14af2007355dc943517e6dd75c3ec289

SHA256
b2e199d426160394ccfcb6cc5312e34bc707973961591c0adb01f478b38f0e30

SHA512
aa68cc849657b4b2a324844b1b08a8691f9249172edabf535bd27b2dcb4ee3237548f01cc0a10cb241ffb8b38bdc001f0fb01e86d4523ca1ea01180aad79391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4034.exe
MD5
7e56064ec1a5bd369945d167152c99ff

SHA1
3cc6506d14af2007355dc943517e6dd75c3ec289

SHA256
b2e199d426160394ccfcb6cc5312e34bc707973961591c0adb01f478b38f0e30

SHA512
aa68cc849657b4b2a324844b1b08a8691f9249172edabf535bd27b2dcb4ee3237548f01cc0a10cb241ffb8b38bdc001f0fb01e86d4523ca1ea01180aad79391f

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D1.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D1.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D1.exe
MD5
84dd06d1e6237944e337d213947e1949

SHA1
ee6f9e3a5c363d4ac4dcf449a3c1c590886fe8d5

SHA256
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SHA512
13f6ff60279e089f3aefb6c57f760bc1377d0452baff33c707be5ff502df01258b5ed6527e729084549a0f50c0af95a412b583abc1779841d9c072f21bea32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5833.exe
MD5
94dc7a5ea5046ba1b27325ac050d47b7

SHA1
548839616eb8b5d8b72759cc92ac0a5e533688c1

SHA256
05c8227856ad34a0f13f11cb0b6baf4500e9a7774c58ebd19468bdd823829fe3

SHA512
10fef4e0e86275cdf631f18e719f70038aa21d7d2e457199657160bb87e9b1e694d3f91336f00c484892fdfec20c454feabbfed50093d5a889ed7aef9af1ec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5833.exe
MD5
94dc7a5ea5046ba1b27325ac050d47b7

SHA1
548839616eb8b5d8b72759cc92ac0a5e533688c1

SHA256
05c8227856ad34a0f13f11cb0b6baf4500e9a7774c58ebd19468bdd823829fe3

SHA512
10fef4e0e86275cdf631f18e719f70038aa21d7d2e457199657160bb87e9b1e694d3f91336f00c484892fdfec20c454feabbfed50093d5a889ed7aef9af1ec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AC0.exe
MD5
5b237bab80312a453ef696c9f8ad4e0b

SHA1
6b9061c03f1c4890ab735604e20e5f8e7d71f123

SHA256
77f738f6c8ca5b2a8933735ea0f53bce44e714a8c55336b7242f0ad1e6ceba4a

SHA512
3175f6330bd47eee8627dbe22b94eee209b13a403f94aa09a4ef198d162292ffab908662d9da63c05cbbd0222b1d1100c5d219688633ade811d7e11ee971ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AC0.exe
MD5
5b237bab80312a453ef696c9f8ad4e0b

SHA1
6b9061c03f1c4890ab735604e20e5f8e7d71f123

SHA256
77f738f6c8ca5b2a8933735ea0f53bce44e714a8c55336b7242f0ad1e6ceba4a

SHA512
3175f6330bd47eee8627dbe22b94eee209b13a403f94aa09a4ef198d162292ffab908662d9da63c05cbbd0222b1d1100c5d219688633ade811d7e11ee971ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8010.exe
MD5
e0a7b683039209275c83affc28b69b9c

SHA1
fcfe89ff43cb4572b918f38be37bb335fc0131e2

SHA256
41d64240beae2d1348d23ddfe04388fc4db386d2ce5995b907605c5aa19c9691

SHA512
b0505121f4263208dd4bef7874f3ddb0ab31fe57b8beadafec39c18082382a37e199849e63dbf8be6e072e0b3fa10efd3d6bef5b7b4a648a94ea1f6f6e363400

Download Submit
C:\Users\Admin\AppData\Local\Temp\8010.exe
MD5
e0a7b683039209275c83affc28b69b9c

SHA1
fcfe89ff43cb4572b918f38be37bb335fc0131e2

SHA256
41d64240beae2d1348d23ddfe04388fc4db386d2ce5995b907605c5aa19c9691

SHA512
b0505121f4263208dd4bef7874f3ddb0ab31fe57b8beadafec39c18082382a37e199849e63dbf8be6e072e0b3fa10efd3d6bef5b7b4a648a94ea1f6f6e363400

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/408-170-0x0000000002400000-0x000000000241B000-memory.dmp

Filesize
108KB

Download
memory/408-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-179-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/408-178-0x0000000004984000-0x0000000004986000-memory.dmp

Filesize
8KB

Download
memory/408-177-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/408-176-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/408-173-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/408-171-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/408-169-0x0000000004983000-0x0000000004984000-memory.dmp

Filesize
4KB

Download
memory/408-168-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/408-167-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/408-166-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/408-165-0x0000000002120000-0x000000000213C000-memory.dmp

Filesize
112KB

Download
memory/408-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-159-0x000000000040CD2F-mapping.dmp

Download
memory/508-149-0x000000001C080000-0x000000001C081000-memory.dmp

Filesize
4KB

Download
memory/508-136-0x000000001B1F0000-0x000000001B1F1000-memory.dmp

Filesize
4KB

Download
memory/508-123-0x0000000000000000-mapping.dmp

Download
memory/508-130-0x0000000002670000-0x000000000268B000-memory.dmp

Filesize
108KB

Download
memory/508-152-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/508-187-0x000000001D6E0000-0x000000001D6E1000-memory.dmp

Filesize
4KB

Download
memory/508-135-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/508-129-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/508-126-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/508-128-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/508-186-0x000000001C5D0000-0x000000001C5D1000-memory.dmp

Filesize
4KB

Download
memory/508-134-0x000000001BEF0000-0x000000001BEF1000-memory.dmp

Filesize
4KB

Download
memory/596-146-0x0000000000000000-mapping.dmp

Download
memory/596-162-0x0000000002B70000-0x0000000002BA0000-memory.dmp

Filesize
192KB

Download
memory/896-142-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/896-143-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/896-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-131-0x0000000000000000-mapping.dmp

Download
memory/1288-140-0x0000000000402DC6-mapping.dmp

Download
memory/1376-193-0x0000000002C20000-0x0000000002D6A000-memory.dmp

Filesize
1.3MB

Download
memory/1376-172-0x0000000000000000-mapping.dmp

Download
memory/1376-194-0x0000000000400000-0x0000000002B8A000-memory.dmp

Filesize
39.5MB

Download
memory/1376-189-0x0000000002DF6000-0x0000000002E46000-memory.dmp

Filesize
320KB

Download
memory/1916-138-0x0000000002DE6000-0x0000000002DF7000-memory.dmp

Filesize
68KB

Download
memory/1916-145-0x0000000002C80000-0x0000000002DCA000-memory.dmp

Filesize
1.3MB

Download
memory/1916-120-0x0000000000000000-mapping.dmp

Download
memory/1960-195-0x0000000000000000-mapping.dmp

Download
memory/1960-254-0x0000000002CE6000-0x0000000002D36000-memory.dmp

Filesize
320KB

Download
memory/2084-222-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2084-220-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2084-236-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-242-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2084-241-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2084-240-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2084-239-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-238-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-237-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-235-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-234-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2084-233-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2084-231-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2084-232-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2084-230-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2084-198-0x0000000000000000-mapping.dmp

Download
memory/2084-228-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2084-229-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2084-201-0x0000000002310000-0x0000000002370000-memory.dmp

Filesize
384KB

Download
memory/2084-202-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2084-204-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2084-203-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2084-206-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2084-208-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2084-207-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2084-209-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2084-211-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2084-212-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2084-210-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2084-205-0x0000000000400000-0x00000000007AF000-memory.dmp

Filesize
3.7MB

Download
memory/2084-213-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2084-215-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2084-216-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-217-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-214-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2084-219-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-218-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-227-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-226-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2084-221-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2084-224-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2084-223-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2084-225-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2168-256-0x0000000000600000-0x0000000000620000-memory.dmp

Filesize
128KB

Download
memory/2168-285-0x00000000099E0000-0x00000000099E1000-memory.dmp

Filesize
4KB

Download
memory/2168-282-0x0000000009830000-0x0000000009831000-memory.dmp

Filesize
4KB

Download
memory/2168-280-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/2168-279-0x0000000008EA0000-0x0000000008EA1000-memory.dmp

Filesize
4KB

Download
memory/2168-274-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2168-265-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2168-264-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2168-263-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2168-262-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2168-261-0x0000000000618EFA-mapping.dmp

Download
memory/2300-182-0x0000000000402998-mapping.dmp

Download
memory/2300-192-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-188-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-185-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-180-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-190-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/2300-191-0x0000000000780000-0x000000000080E000-memory.dmp

Filesize
568KB

Download
memory/2648-115-0x0000000002E76000-0x0000000002E87000-memory.dmp

Filesize
68KB

Download
memory/2648-118-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/3020-150-0x0000000002000000-0x0000000002016000-memory.dmp

Filesize
88KB

Download
memory/3020-151-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/3020-119-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/3492-117-0x0000000000402DC6-mapping.dmp

Download
memory/3492-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3620-163-0x0000000000400000-0x0000000002BB3000-memory.dmp

Filesize
39.7MB

Download
memory/3620-161-0x0000000004820000-0x00000000048A3000-memory.dmp

Filesize
524KB

Download
memory/3620-153-0x0000000000000000-mapping.dmp

Download
memory/3620-181-0x00000000048B0000-0x0000000004913000-memory.dmp

Filesize
396KB

Download
memory/3620-183-0x0000000004980000-0x00000000049F0000-memory.dmp

Filesize
448KB

Download