raccoon | d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe
Size

662KB
MD5

f99b2b80dc83b0d952687d771833164c
SHA1

e872f0b4be582132c9486b0c5b86f56b12ed677e
SHA256

d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7
SHA512

8d3af87306d1196862d681c0ae20cba17606e3b1c3a7a441b9739cbd71417088622b977dae9e084a3feb589a73681a2763259f20e1901eaae332ce62c3549add
SSDEEP

12288:8bbrYKOCV65d6qGwqa2tqftXPoZe7YUWWd/v4ibj2xy/2+VDRceX+:8bfjOF76qGwbnVP7WWxv48j2xy/2+VH+

Score

10^/10

raccoon fda6c8debb0b6b5a1d9698b54b255a7d spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

fda6c8debb0b6b5a1d9698b54b255a7d

http://91.92.255.182:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-112-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/2420-113-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of NtCreateUserProcessOtherParentProcess 42 IoCs

Processes:

Charger.pif

description	pid	process	target process
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE
PID 2464 created 1212	2464	Charger.pif	Explorer.EXE

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

Processes:

Charger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pifCharger.pif

pid	process
2464	Charger.pif
1948	Charger.pif
2816	Charger.pif
2840	Charger.pif
2960	Charger.pif
2260	Charger.pif
2552	Charger.pif
556	Charger.pif
2748	Charger.pif
1152	Charger.pif
2344	Charger.pif
1824	Charger.pif
2544	Charger.pif
1928	Charger.pif
1448	Charger.pif
2524	Charger.pif
2772	Charger.pif
2808	Charger.pif
2696	Charger.pif
1528	Charger.pif
1324	Charger.pif
1672	Charger.pif
1652	Charger.pif
1724	Charger.pif
1256	Charger.pif
764	Charger.pif
1732	Charger.pif
2884	Charger.pif
2356	Charger.pif
2272	Charger.pif
1760	Charger.pif
324	Charger.pif
788	Charger.pif
1008	Charger.pif
1504	Charger.pif
928	Charger.pif
1116	Charger.pif
1648	Charger.pif
1832	Charger.pif
640	Charger.pif
2156	Charger.pif
824	Charger.pif

Loads dropped DLL 4 IoCs

Processes:

cmd.exeTapiUnattend.exe

pid process

2640 cmd.exe
2420 TapiUnattend.exe
2420 TapiUnattend.exe
2420 TapiUnattend.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

Charger.pif

description pid process target process

PID 2464 set thread context of 2420 2464 Charger.pif TapiUnattend.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

296 tasklist.exe
2580 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2508 PING.EXE

pid	process
2640	cmd.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe

description	pid	process	target process
PID 2464 set thread context of 2420	2464	Charger.pif	TapiUnattend.exe

pid	process
296	tasklist.exe
2580	tasklist.exe

pid	process
2508	PING.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

Charger.pifTapiUnattend.exe

pid	process
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2464	Charger.pif
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe
2420	TapiUnattend.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 296 tasklist.exe
Token: SeDebugPrivilege 2580 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Charger.pif

pid process

2464 Charger.pif
2464 Charger.pif
2464 Charger.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Charger.pif

pid process

2464 Charger.pif
2464 Charger.pif
2464 Charger.pif

description	pid	process
Token: SeDebugPrivilege	296	tasklist.exe
Token: SeDebugPrivilege	2580	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.execmd.exeCharger.pif

description	pid	process	target process
PID 2928 wrote to memory of 2640	2928	d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe	cmd.exe
PID 2928 wrote to memory of 2640	2928	d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe	cmd.exe
PID 2928 wrote to memory of 2640	2928	d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe	cmd.exe
PID 2928 wrote to memory of 2640	2928	d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe	cmd.exe
PID 2640 wrote to memory of 296	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 296	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 296	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 296	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 3020	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 3020	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 3020	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 3020	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2580	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 2580	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 2580	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 2580	2640	cmd.exe	tasklist.exe
PID 2640 wrote to memory of 2564	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2564	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2564	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2564	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2460	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2460	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2460	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2460	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2080	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2080	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2080	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2080	2640	cmd.exe	findstr.exe
PID 2640 wrote to memory of 2476	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2476	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2476	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2476	2640	cmd.exe	cmd.exe
PID 2640 wrote to memory of 2464	2640	cmd.exe	Charger.pif
PID 2640 wrote to memory of 2464	2640	cmd.exe	Charger.pif
PID 2640 wrote to memory of 2464	2640	cmd.exe	Charger.pif
PID 2640 wrote to memory of 2464	2640	cmd.exe	Charger.pif
PID 2640 wrote to memory of 2508	2640	cmd.exe	PING.EXE
PID 2640 wrote to memory of 2508	2640	cmd.exe	PING.EXE
PID 2640 wrote to memory of 2508	2640	cmd.exe	PING.EXE
PID 2640 wrote to memory of 2508	2640	cmd.exe	PING.EXE
PID 2464 wrote to memory of 1948	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 1948	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 1948	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 1948	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2816	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2816	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2816	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2816	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2840	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2840	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2840	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2840	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2960	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2960	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2960	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2960	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2260	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2260	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2260	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2260	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2552	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2552	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2552	2464	Charger.pif	Charger.pif
PID 2464 wrote to memory of 2552	2464	Charger.pif	Charger.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe
  "C:\Users\Admin\AppData\Local\Temp\d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Emotions Emotions.bat && Emotions.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:296
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2580
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 597365
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "MasBathroomsCompoundInjection" Participants
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Backgrounds + Edges + Nickname 597365\M
      4⤵
      PID:2476
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
      597365\Charger.pif 597365\M
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2464
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2508
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif"
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\SysWOW64\TapiUnattend.exe
  C:\Windows\SysWOW64\TapiUnattend.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\53KqjCvwh89I

Filesize
92KB

MD5
bbe71b58e84c50336ee2d3bad3609c39

SHA1
bdd3227b48977e583127425cbc2f86ff4077ba10

SHA256
b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

SHA512
07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\M

Filesize
519KB

MD5
7c5ed078b300bfd41c2f2be650f83e24

SHA1
09799ee052fa57c3333cc6f5c58788f0b884d86f

SHA256
d06eb6f7a46b61f804c21afb09a0db9b6306bd246d2c96573a392059d9e4071d

SHA512
aab8e4116d0a19f746fa6c86a6dd449dc9d6f1145411a87de5977811dd693c45c7155e35f014a9c5b0cc5fc42d26f000e8feaeb4d5041f70f111b07a3ec24c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Alot

Filesize
36KB

MD5
d9d6a3460990a42ade831c4f7f7437a6

SHA1
c2ab0df446c2c132102efabc609f3291a2715aa7

SHA256
9c324f460ef8700f418cce50ae0bbeb32dbc49ca777296e86c10a81d62fc9f45

SHA512
ca46b375389e911cca756db6daa175bfb1ca86ebe24b8874759d835a8cf757bb44f8f4883862058cfafea355c814ac19312fea5c652601d0a6474116b3e5e4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Backgrounds

Filesize
241KB

MD5
6bf1c1088a981a2555762644aceeb6a5

SHA1
d9f7d752cecc77055aabc70a47f14faba6ff9930

SHA256
2237b106c8d68de4e780b4d9a2dbdcaf4506fe20e8849771242385ccd5ccebf7

SHA512
c90a16b79e794f22bff35fe2053e568f8f8b973d920c0edcc155ecc4b98f8defeaea4bb17969b62bb7d8aef23f438de62aa5af63acb7d2ae5986224eb3ae3e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Edges

Filesize
238KB

MD5
c8dad0972e84ff06e30fa5f0b8fef14c

SHA1
c9d3639e1a944e4c1ecedb3eb354c1c4da620685

SHA256
e93ee562a4599496902b3cae11cbe66a3813129403ab65d5bbd7cfc8c86cecb9

SHA512
e6287b511382712021903d3a448e5c1bf7ab7da99f552049739f21cae1f9f344220a296407ada97fddf1914cee7b27f559df196d2cfe01d1392d12b139facaad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Emotions

Filesize
11KB

MD5
3f107a3b8e1d4b89f3e5c439a14203b7

SHA1
72e8db12eb6bec8540fb78dd78b2f456fd004f39

SHA256
0e393766f3291a44b595dc4054e651cd4fa6f1889a6258a064de4044ea71fb5d

SHA512
5599b71f4f3a2351454ab971477185d127efc2e9cce0ec74d85e8f62756345aa029dc8cc6544509057b57213b59491963339e7a4a0ae185f652a822cbfd0b60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fighter

Filesize
246KB

MD5
409a158f87de7837cec1180605037444

SHA1
23836475f5d95963b17af723cc1bd12de0953882

SHA256
eb862406e00e638fafd9da4e129600d4b991b4c503c7096cbf83e474cd87f3b2

SHA512
cb303fe7796ef470f347cfdc2af2878f3821a56ec4d70856c522587a1b275deb0200bb5486dba86ce9f887a06591025a3a03127a8d84b7aa41af62995e802ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Genre

Filesize
206KB

MD5
f1506cf5185cca69ed2ecd51d9fd32e4

SHA1
89a5857bfc4d86007f881939ee95993ae786983a

SHA256
c927373ba2ffeb419ee2d6eb3eaa5dc5d3b5fe88b28f2d349577ad55638aa9a0

SHA512
cda4645edabe6e666fc73f2400d7930080925bc675e5f3c9b8c2b6a33740048d89dc749df4c49c8e301f213f470769346623a98f9820208600548e0144b85837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nickname

Filesize
40KB

MD5
a674cbcb88ac4a8dea6950ac6f9a6181

SHA1
52d526ef0983ab4bf1225ca33caa03c04ace6545

SHA256
66653db2f26326c3ee4594cc1c91eea94903d21b9728449eb256b88d86158e51

SHA512
0c1c928d18598dbd2a0c0e6a6814d11031c173713dcaa96a3fa97a99b8bcb85d9cd6d84d5879c7f91e9e616e1e9fcab2bc7ee560206c222eef97dc226fcfec96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Participants

Filesize
227B

MD5
82a38745ff9cefa0859b47b8bd69f535

SHA1
6f97750b298ed3f3910e5aa4044b91e7409db9d2

SHA256
92f1df88e0467d0284f1de3e6d30bcf41b0ed56e055719872754627a2b4bb470

SHA512
d22a5ddfacf8c00cde7c3fa27612ca386ae68f79b9c93b52d40be33d584eaf3c18b100da9ad6ba4efacef1cba4fa5d1665e4c3004454f0eb41c3051b98c60569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Richmond

Filesize
158KB

MD5
64e49019d7b6aa5eeadc5c16fab4ae67

SHA1
f17af83315cc069f579c489aa25af18c1d92c43d

SHA256
2c79488d71f17be266a4b5cd5f974f222f10949bfeed329a1e10cb5c362e40d7

SHA512
6711042eb60320517e3b486c3126a412e2c7ff298bd06fc07f08418c6921cbbdb2135511ee4d06779b7e0eb8adc3f77a72ea715501a7bba17e698fd3a0c46b18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Violence

Filesize
226KB

MD5
a0846c9713cba3474dadfde61236bcbd

SHA1
7c70d7322205b1f2af16fa877e3f59ff8b196d84

SHA256
28fc13233e87d8e4b95ce98a910c43c81f7b5d42cbf166bd85c54f9aaea44292

SHA512
c92655731ddb3254fdca98602c9f47a390bd191a9bf8cc0627fa17fb340d50d4221921bbc93ae5c409558d61e0d261e51c26e1d4046d8ef9e455ac721b140009

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\597365\Charger.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2420-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2420-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2420-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download