raccoon | hxxp://bit[.]ly/3zwAkmo

Analysis

max time kernel
720s
max time network
727s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bit.ly/3zwAkmo

Score

10^/10

raccoon cf04f679bf9a1869b01a60f4bfd23737 discovery evasion stealer themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

cf04f679bf9a1869b01a60f4bfd23737

http://88.119.169.120/

Attributes

user_agent
20112211

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/1528-2100-0x0000000000400000-0x0000000000412000-memory.dmp	family_raccoon_v2
behavioral1/memory/1528-2102-0x0000000000400000-0x0000000000412000-memory.dmp	family_raccoon_v2

Raccoon family
raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RDR Mod Menu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RDR Mod Menu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RDR Mod Menu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RDR Mod Menu.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RDR Mod Menu.exe

Executes dropped EXE 4 IoCs

pid	Process
3644	RDR Mod Menu.exe
3656	RDR Mod Menu.exe
2084	RDR Mod Menu.exe
2432	RDR Mod Menu.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3644-2097-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/3644-2098-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/3644-2104-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/3656-2112-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/3656-2113-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/3656-2117-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2084-2136-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2084-2137-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2432-2139-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2432-2140-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2084-2148-0x0000000000960000-0x00000000011B8000-memory.dmp	themida
behavioral1/memory/2432-2152-0x0000000000960000-0x00000000011B8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDR Mod Menu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDR Mod Menu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
17	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3644	RDR Mod Menu.exe
3656	RDR Mod Menu.exe
2084	RDR Mod Menu.exe
2432	RDR Mod Menu.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3644 set thread context of 1528	3644	RDR Mod Menu.exe	138
PID 3656 set thread context of 5224	3656	RDR Mod Menu.exe	146
PID 2084 set thread context of 5352	2084	RDR Mod Menu.exe	150
PID 2432 set thread context of 6064	2432	RDR Mod Menu.exe	151

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4124	msedge.exe
4124	msedge.exe
4020	msedge.exe
4020	msedge.exe
2212	identity_helper.exe
2212	identity_helper.exe
5652	msedge.exe
5652	msedge.exe
3644	RDR Mod Menu.exe
3644	RDR Mod Menu.exe
3656	RDR Mod Menu.exe
3656	RDR Mod Menu.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2084	RDR Mod Menu.exe
2084	RDR Mod Menu.exe
2084	RDR Mod Menu.exe
2084	RDR Mod Menu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	5992	7zG.exe
Token: 35	5992	7zG.exe
Token: SeSecurityPrivilege	5992	7zG.exe
Token: SeSecurityPrivilege	5992	7zG.exe
Token: SeRestorePrivilege	3652	7zG.exe
Token: 35	3652	7zG.exe
Token: SeSecurityPrivilege	3652	7zG.exe
Token: SeSecurityPrivilege	3652	7zG.exe
Token: SeDebugPrivilege	3644	RDR Mod Menu.exe
Token: SeDebugPrivilege	3656	RDR Mod Menu.exe
Token: SeDebugPrivilege	2084	RDR Mod Menu.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
5992	7zG.exe
3652	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4068	4020	msedge.exe	84
PID 4020 wrote to memory of 4068	4020	msedge.exe	84
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4076	4020	msedge.exe	85
PID 4020 wrote to memory of 4124	4020	msedge.exe	86
PID 4020 wrote to memory of 4124	4020	msedge.exe	86
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87
PID 4020 wrote to memory of 2292	4020	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://bit.ly/3zwAkmo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,3984822379644311069,1960959242053706445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5560 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5820

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6590:86:7zEvent26975
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5992

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RDR Mod Menu\" -spe -an -ai#7zMap19245:86:7zEvent2223
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3652

C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe
"C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:3332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528

C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe
"C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5224

C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe
"C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5352

C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe
"C:\Users\Admin\Downloads\RDR Mod Menu\RDR Mod Menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RDR Mod Menu.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
52260deea464e936684319f4f19d20e2

SHA1
612157d0f628ce3e82a4bc92e2cd1ab5da575bfc

SHA256
3e7d373e8eb698a511901ff6a53e502e84721a87bed1b9b241f0bc2423a05e33

SHA512
81e66175c6a3765aaf9051e419c8c1c2520d3ca6f6c111e6162b04b715e8526cd321de743127f988b4c07dab61c3ea0fa70390f6a7b6f7c458c905525561bdc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e5dcd25ed5db09215eb577a383639997

SHA1
981bacf9ba297c70378b28dfdb8ffb3aabc7fbff

SHA256
ddc45943c64293496090b503496ea5d143fb4d1a903b66d8e7d869212a0b3ac3

SHA512
1e2ea3ae8bce4e6a07b8f8ee1bbe92b8e4b004b6f541e3ca47a5fa5def7c945363a655dc58405441cb56d5c639da355c2e4d48117e8a197db17882127bfa04db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c50cf17f06d5c129390451fbab2c7932

SHA1
2c235f6fa4761d1989999ea92c4bf0e84e148f75

SHA256
5fa0901fbec89f0c6ddbb0c0d14b2e4baa2181112dd11e123f369f1f119034e5

SHA512
fb1a93678dcfa67d57c52970836a72c58388cc29c540addba13b15688c0403d4a9bd7de7b14728ed0842d3b8b63ee8283ef970de7d1493c779527000ebe87a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b402b5d883bf945c8dba6b754fba40c0

SHA1
b7932fa061bbaa3b01fa483b16eabd4e48683b39

SHA256
51ff113fdc8743d1230efec30a745e7aff4c80d49fc3704958dac5847fa295f4

SHA512
81fb97e1d0f025e75bec9a360a3f30dd84a149104828cef9a83accf94342bcd03cf5886eedc8d12bc1d24bc71e42ebfd8607053e967e1154d0063b01fc5eab91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f07521b679c08d2a9bd67ba728ab56b1

SHA1
cf45adcc841ec49644fae61e66cd9325f0c6fc29

SHA256
5c64ddb0e61381f292546f7ccde7fa4eb9f2bb4c4ed8fdd72fba07289e0b3161

SHA512
53add699d6ba10e95d25864823f445e9e7c4bfc319fada955da4ef957d71f1012b90207b05bc5c2393013f788483f10fc2bbd10c7edb14312f631c20612c8e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eee90b71f975fd646f1eae74a8d9054b

SHA1
525355a6db5fb2a649ceba58332c1840d2a9fc99

SHA256
5f4e84597fe7fd047564025451a2a31eb2e05b180842deba7da99e2c0a74b549

SHA512
d3752667158e0dd1a3bf8b32d31355cd031758feb0dda7b3f398bb6a5e243be26fc5981e45c7fee4f0ddb0aef4fd0d8640a70ecf3774dc532469bb4e88e5d2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31309f731ba85d7df62ec8b734b94bdb

SHA1
b910f2b221b63ec23baa53357faaace39eb1c3fc

SHA256
aa104da4ac7a1b4153c5e686dbc7a8e88c6683c96f67e99041caebd5dd0e3787

SHA512
356372855d4c927bca77392401968c11be424a8d338cd31702086ad3f37f2d7aeaa2a31a47b382b21687a7c8470f36b0f563f780abab8bcc37f965e92ce337b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
666ea0d6f1ea1e1a471c4cc21288b8c7

SHA1
68a1a2cc6b3b3da0d65cb9d1dca97b2112cf9270

SHA256
f4a8b1f044e371bebc57f35e0ca77a3df6ee4ba0dced0018e242badd66c9fb4f

SHA512
24cdfd4954f49f333dec7052e059de3bea346b4b3e80c2d997aafaa40c84cf11b4259f9818456273975872edb2a272b7d965af2f199fe49f1df593af53b9b39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
863534a230d6abdb3fde6d0a7e0ec15c

SHA1
cbe48b7fc034ea6eedffe4f45097825f62185ff0

SHA256
2638615c592fd5c8fbc2e6a5a0fbd6feb9f9e6122a1f0fce303333914d0c3f9a

SHA512
77af1dffbf95c73006a68bafc04afbc0ab867339f78764ac2be6d84b3a0e39868bd5063764ad594425cf7cdfc0e77a6ba0e78a6c4b871dbb76a80af6d06da54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45f276ac3bde9d0d0403b80a693de28d

SHA1
60938839ccc05d7116f160ea4ab2a2137ffe79f5

SHA256
55a2b428c8c018cb8bc0f873d05be8ef01d70f8bb38916a19cc011bda6bae4d6

SHA512
d8309a84ef9ab7c493cab925df417741ce7b19e305329f87949a2db74fb6ab41c8d0b75167dbda5cea4da00d3db007c3dc0a5478d7b4a726b8913de97041195c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 25756.crdownload

Filesize
12.9MB

MD5
ceaa8ab1053e9a820356210f0c57750a

SHA1
fe54964aae12c1e7c9dac77c8b1a6eadd4caec53

SHA256
e57f84231a2def02863568c680af67b084b2490de9ab72180d39ce291beec5bb

SHA512
b0f1884a86c29077591b17e6687f8cf1a7e21dc59f90ec010c18da0f21ba79705c5d33156ec3bf6e50ce6683a97a8c21b5c777ffd676a01776c1d253e13c1ead

Download Submit
memory/1528-2100-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1528-2102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2084-2118-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2084-2137-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2084-2136-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2084-2106-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2084-2148-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2432-2124-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2432-2152-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2432-2109-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2432-2139-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/2432-2140-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3644-2092-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3644-2097-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3644-2096-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3644-2099-0x000002A281910000-0x000002A281962000-memory.dmp

Filesize
328KB

Download
memory/3644-2104-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3644-2098-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3656-2108-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3656-2117-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3656-2113-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3656-2095-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download
memory/3656-2112-0x0000000000960000-0x00000000011B8000-memory.dmp

Filesize
8.3MB

Download