raccoon | bf836fa08f437e98267a44e0d4aaec5cafb62bc72b5f6c9d8f7a643ce0e5e885

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
Size

2.4MB
MD5

4d9abf7905ad423200a067568f45a2e6
SHA1

a19937f1b03ccd9575478369a5666c04080241dd
SHA256

972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de
SHA512

10db66702b4c8fd375957cda8b9657bf9a5bd184c9b9b232b6e2ade62d841dd9fcac91cb1d88819ef23b6b680f946a72951a6099d9718e72e1993059b5994ba7
SSDEEP

49152:pAI+dQBXsC8nktLjj+ywO/5ZKHUnkYw3FwOc+8+ytLsyBpzp2zASOFVS:pAI+UXs96j+Ly3KHUnneFTcFNBpzcUSB

Score

10^/10

raccoon redline vidar 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer stealer

Malware Config

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

rc4.plain

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.84

Attributes

user_agent
mozzzzzzzzzzz

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral1/memory/2880-281-0x0000000000400000-0x000000000062B000-memory.dmp	family_raccoon_v2
behavioral1/memory/1516-309-0x0000000000400000-0x00000000004B5000-memory.dmp	family_raccoon_v2

Raccoon family
raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000500000001950f-56.dat	family_redline
behavioral1/files/0x0005000000019547-73.dat	family_redline
behavioral1/memory/2792-91-0x0000000000890000-0x00000000008D4000-memory.dmp	family_redline
behavioral1/memory/1348-89-0x0000000000F10000-0x0000000000F30000-memory.dmp	family_redline
behavioral1/memory/2088-88-0x0000000000CE0000-0x0000000000D24000-memory.dmp	family_redline
behavioral1/files/0x000500000001957c-87.dat	family_redline

Redline family
redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0005000000019515-61.dat	family_vidar
behavioral1/files/0x00050000000195ad-81.dat	family_vidar

Executes dropped EXE 7 IoCs

pid	Process
2880	F0geI.exe
1516	kukurzka9000.exe
2792	namdoitntn.exe
1108	real.exe
2088	safert44.exe
1016	EU1.exe
1348	tag.exe

Loads dropped DLL 11 IoCs

pid	Process
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
27	iplogger.org
23	iplogger.org
30	iplogger.org
31	iplogger.org
28	iplogger.org
21	iplogger.org
26	iplogger.org
29	iplogger.org
20	iplogger.org
18	iplogger.org
19	iplogger.org
22	iplogger.org
24	iplogger.org
25	iplogger.org
3	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\WW1.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cryptoleek.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kukurzka9000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namdoitntn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EU1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safert44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E32D7511-9C18-11EF-B985-56CF32F83AF3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3408011-9C18-11EF-B985-56CF32F83AF3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000f19cb4f8e987f221ba39523e103aa74ef5893fda40ce37e28d863e9c0e2eea1e000000000e80000000020000200000000384dde29907e3bbd89d368144e7ffff81b6b70026bb06c4bc275c01b47ad1ed200000008bad102a7b3df3400c82fb2d7d173a1295a6ab27225a623230c51f8f82a9e48540000000b75e3884ab32c2c8e06092c8bee97677316c6ed380a412be58257dabe51d916ab81c2e3f0511a0d8c5bee320be708d779b1d8327a95d400dbf97a77abf484b29	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000fd4053c002d658134f460a2e43edac72ab73e3c9fba30b7013d02169cea05b1f000000000e8000000002000020000000debbb59d2963790c680fa2bf77814c6ba101076aedf02a1ecda131d329df33f9900000005f0b9cc73336c8e582c7671af15be9f21056f00a965899dac2887b34cac3b60c7789b5b661e0eb6a790d8585cbde5859a7d2d5e6fed09042c95a472fe274836bb8b5a8f9c2db32bd31aca61e52947f1deec3a9a28d64f9bc4a79e5c81c8e5ef236b502ea2108a1fde9b70a39ef5d70c95300575d608e9b23a49b9663b6db237870655fa5bb4142e8d0d937e1e50477ac40000000d20c17fc9817af3c3a4ad1be72a529c117310efef4ec610c6d30bdf7799eb22c49c66b61b995796dfb13561edb483656ba7ae872e2a28e15d95855cf2f9b1235	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2312	iexplore.exe
2920	iexplore.exe
3048	iexplore.exe
3016	iexplore.exe
2252	iexplore.exe
2960	iexplore.exe
2180	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2312	iexplore.exe
2312	iexplore.exe
2960	iexplore.exe
2960	iexplore.exe
3048	iexplore.exe
3048	iexplore.exe
2920	iexplore.exe
2920	iexplore.exe
2252	iexplore.exe
2252	iexplore.exe
2180	iexplore.exe
2180	iexplore.exe
3016	iexplore.exe
3016	iexplore.exe
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2960	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	30
PID 1688 wrote to memory of 2960	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	30
PID 1688 wrote to memory of 2960	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	30
PID 1688 wrote to memory of 2960	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	30
PID 1688 wrote to memory of 2312	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	31
PID 1688 wrote to memory of 2312	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	31
PID 1688 wrote to memory of 2312	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	31
PID 1688 wrote to memory of 2312	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	31
PID 1688 wrote to memory of 3048	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	32
PID 1688 wrote to memory of 3048	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	32
PID 1688 wrote to memory of 3048	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	32
PID 1688 wrote to memory of 3048	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	32
PID 1688 wrote to memory of 2180	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	33
PID 1688 wrote to memory of 2180	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	33
PID 1688 wrote to memory of 2180	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	33
PID 1688 wrote to memory of 2180	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	33
PID 1688 wrote to memory of 3016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	34
PID 1688 wrote to memory of 3016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	34
PID 1688 wrote to memory of 3016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	34
PID 1688 wrote to memory of 3016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	34
PID 1688 wrote to memory of 2252	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	35
PID 1688 wrote to memory of 2252	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	35
PID 1688 wrote to memory of 2252	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	35
PID 1688 wrote to memory of 2252	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	35
PID 1688 wrote to memory of 2920	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	36
PID 1688 wrote to memory of 2920	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	36
PID 1688 wrote to memory of 2920	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	36
PID 1688 wrote to memory of 2920	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	36
PID 1688 wrote to memory of 2880	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	37
PID 1688 wrote to memory of 2880	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	37
PID 1688 wrote to memory of 2880	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	37
PID 1688 wrote to memory of 2880	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	37
PID 2312 wrote to memory of 2984	2312	iexplore.exe	38
PID 2312 wrote to memory of 2984	2312	iexplore.exe	38
PID 2312 wrote to memory of 2984	2312	iexplore.exe	38
PID 2312 wrote to memory of 2984	2312	iexplore.exe	38
PID 1688 wrote to memory of 1516	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	39
PID 1688 wrote to memory of 1516	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	39
PID 1688 wrote to memory of 1516	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	39
PID 1688 wrote to memory of 1516	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	39
PID 1688 wrote to memory of 2792	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	40
PID 1688 wrote to memory of 2792	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	40
PID 1688 wrote to memory of 2792	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	40
PID 1688 wrote to memory of 2792	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	40
PID 1688 wrote to memory of 1108	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	41
PID 1688 wrote to memory of 1108	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	41
PID 1688 wrote to memory of 1108	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	41
PID 1688 wrote to memory of 1108	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	41
PID 1688 wrote to memory of 2088	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	42
PID 1688 wrote to memory of 2088	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	42
PID 1688 wrote to memory of 2088	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	42
PID 1688 wrote to memory of 2088	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	42
PID 1688 wrote to memory of 1348	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	43
PID 1688 wrote to memory of 1348	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	43
PID 1688 wrote to memory of 1348	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	43
PID 1688 wrote to memory of 1348	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	43
PID 1688 wrote to memory of 1016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	44
PID 1688 wrote to memory of 1016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	44
PID 1688 wrote to memory of 1016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	44
PID 1688 wrote to memory of 1016	1688	972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe	44
PID 2960 wrote to memory of 2244	2960	iexplore.exe	45
PID 2960 wrote to memory of 2244	2960	iexplore.exe	45
PID 2960 wrote to memory of 2244	2960	iexplore.exe	45
PID 2960 wrote to memory of 2244	2960	iexplore.exe	45

C:\Users\Admin\AppData\Local\Temp\972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe
"C:\Users\Admin\AppData\Local\Temp\972b7053006775f8a9144e8be644443c2750ac2737978c7d975d675c9e23d8de.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A3PL4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2244
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1n7LH4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2984
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3048
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1960
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3016
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1572
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1080
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RfaV4
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2920
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2408
- C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Program Files (x86)\Company\NewProduct\real.exe
  "C:\Program Files (x86)\Company\NewProduct\real.exe"
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Program Files (x86)\Company\NewProduct\safert44.exe
  "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Program Files (x86)\Company\NewProduct\tag.exe
  "C:\Program Files (x86)\Company\NewProduct\tag.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Program Files (x86)\Company\NewProduct\EU1.exe
  "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe

Filesize
289KB

MD5
61f51370de492e1b8fd565c68aa3141d

SHA1
89da629358f5e7fd4da717a15fd72b74869af631

SHA256
19338864f06ba621eb3543d3a00ca4297d140e270a7ed1af174b61449a128355

SHA512
8aaed5770ee595c458f6e25e1ad40ff482e4b1343dd1a8b289f69b88236afc209c1f63094c95f2522728f7a5460b3de4f76938d69e03b5432316dbbf9c35e200

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe

Filesize
699KB

MD5
591fe3c4a7613d32309af09848c88233

SHA1
8170fce4ede2b4769fad1bec999db5d6a138fbb1

SHA256
9f289f95453c588a9ff4bef57b59d6ec812e985b14fdae4554b7112e52819e9d

SHA512
e1b3c7c3a807814a7a8139e7043053d12820bdd18c6e4d1320818f9f8b0e1c98a0786425c2d68ad7f789160f816eaa367402af5c67f2e204b9ec0831c1a04f6c

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe

Filesize
245KB

MD5
b16134159e66a72fb36d93bc703b4188

SHA1
e869e91a2b0f77e7ac817e0b30a9a23d537b3001

SHA256
b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c

SHA512
3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe

Filesize
289KB

MD5
c334f2f742fc8f7c13dfa2a01da3f46a

SHA1
d020819927da87bc5499df52e12dc5211a09ef61

SHA256
92e9d7c3e28e78b7702d1de113e7b1ffbd6fe1447159e1982e0158aafe5e75cb

SHA512
43deb443af74f5086d58d7d79af0407c2c6ef94ed338dfd2311dd595388143929a1ad8550b60d30a54e13207a3c95fa26be6fad773f191a56ca845c1055b5156

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe

Filesize
244KB

MD5
dbe947674ea388b565ae135a09cc6638

SHA1
ae8e1c69bd1035a92b7e06baad5e387de3a70572

SHA256
86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709

SHA512
67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe

Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
617c07b655e3bd44823e51dfcff623c2

SHA1
fd98b84bc27ae05860f80fad7b843e976062ad79

SHA256
6e7b3fbbfd591a2ffd05a5c169b92c7681c67cf452001cc9ba0a9bae3e5a147f

SHA512
abbad2c477c568631dc56fe23acf8780c275c9b9df6a3d95d2d413a050cea9d9dc0cdf48d1e36a9f32d4e180aa741dde2e3c3bfccd1f656799eff8236c934139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c387c7cdce2b56dda7b017fbec4be940

SHA1
28ebd48d628412076ed23a1eea0e06ba57e0369b

SHA256
c4e454080b5c289053d900a77c9d39ac6d109750c45e3b1d9ae9704bf7e8c641

SHA512
8631c8c92bce6f23d063b3e1bf2595066336fe19e72492fc7f035ae9895e8289616234ebe6333d8327b334bc27f2c3c695db2a23213a98efd3024c8abf1e6124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3ed79fd5dad58ab583f9d2c6cf8f6c2a

SHA1
1ba81b7ef6fce117a318faafc1f15adda1a0217f

SHA256
da1a2a89821df28037940095f61fcfdfbfab74d525679fc613fad1f285cea080

SHA512
9b184967f6bc050986de7aba337edd6d59d110538fc0d3986aaabda1c432aa158c009a0f1180e120016b867b8b4720752d99f749a6b86d3ebaae719d5050c348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
52f4c17af517aa96d7b0df392e99d282

SHA1
1621f6dc1dd1ba5fa163ce9e810c67a757f51c1b

SHA256
f4fe6cbeb0eb2c7386b748ac0e1ae14c1d49cc331290d3bbed0c9151f65d472b

SHA512
5529da8314b4f1cebfbf6407df6a36513e0f4c1b830d7f5d8a87db73f4d419f95f41dedd383d637c56c0832f084c889fbb6a7534d58d85af57cb25b0c0d5fae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
97a1627bf16c275122b6a953e3195075

SHA1
0e18c49855d554a2c37c2ed77383ca27477971fd

SHA256
7a77cf055eeca0387824460ada087ec18bb6c143174b8f3430f5c1926e4b4ff9

SHA512
eafb53695b3fb2f6e55a780a7ae0eaa0221662662e53f4fb1af226bd5cc7d3fbe2c68b33911d452d53e1c603632359b5f2b1df9b2565aafebf6939b56f2378d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
30731304ce2aa34133221360fda229bd

SHA1
b60a3f5d3e283cfc4192c7d6a20ff639b5e31805

SHA256
a027bd7ff8f2c7fa581985d2fb0fea62e9917f2ac65488dffe46c5cfe0778205

SHA512
3b9e48fa38e0eb9181df8a0111f4fe91f454426795aacab598a3ea09b0e06afae0d24af02f29a3e16c8e595f4e3f68576e9846dbb69c4674f72e8900ca8fc2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3379f344678964652b8c55466bd648a5

SHA1
f7d04b155697e4f11eddbb30316aa5231a43a7c6

SHA256
62ecde3fe6fe61d827d656b20b5fd07ea210279d3a6ae93ed8e8ad367b80cf8e

SHA512
e052526c5b7c3de0c88bf9f83c30b1ac8e1e0bb5c7521be2cba7d482cfeee595f91c9755c9879b6bbd5d20c3f3c03bb4437192e48a562e2528c9f8bf0b22e710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fab226b16f7469179f8bd89de3565cd

SHA1
4f3d0a685041fa38c826d162a5e91eebd4589185

SHA256
07c46307c321ea88c7be8d035c4257d6199a6bc2e1c5c309a81a78021a5954d6

SHA512
96478ad94d2cfd63dbed8999d1df8c95f74460b611f081516ce0ba02d906d56c80cc51512a43c5e8741f573d841a7fed1c1da4e7defefe2c8cc60e7b0a886024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91016dc91a6815c97666571f143a4d47

SHA1
24027ba276c0d4f8769cba9879559daf57a2f6f6

SHA256
59ded0c092b5858bd41a5d7f21fe431db0993b7cb8de747712432ddc33757969

SHA512
b3ddfbedabf4f5c8a9fb73c313604704580427b3522e4a456228477f9ac2a26023d98f908a6a5fe3040e1e39678314a0cd32d581b95f71f2cb113efd4ad57f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bcc9fc4a3b6e509be8ced0913f288a7

SHA1
aa3fca04f136e0699fd4f5a64df560946430fe36

SHA256
d4ae80dfac4735c691e0e84e4a6c2f42de8a73e93da42d725611a4d707ba83c4

SHA512
8fa58dac6900e50454c88820f8dc601845f82694eff42e14b1ed29f57a16dd2a8a86c19459ddc9e56c9aa05fca36558321084e767ec46199db06ea5c9c4bc937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f09b9631126f8ad7f0eb957e0cbf9a4

SHA1
bd80ba52b6ee1f9f5df959c1b9eb9d67f451a432

SHA256
7076543b5b98740abe9bb197fab24fcdfaa824b14fdf17326447f90ddaea646d

SHA512
476654d84baafef7a7bd32b8b547018c7a36008bb8ec406e573b5fbadb4c9b6844fbbf006302a2c343e2be2103dcd08e93fc711df5e42a08967f89377ea45da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc5bfbec8bb370b96402fdc43aeb839e

SHA1
f8a7bf14d67e1d262b886b2c403d5ddba9e11b65

SHA256
2d966062fb4f0b75441b50a5957b2b69bc213de0b5db391ccfad528f12224eab

SHA512
9a5500f33f371166843b7483d7091c4a98082ff19ee212e43d0eebe8240a9d36facd20e1de4c164e58c5fcc2ec08d428dc90a4b86d1cda599492f9505c50cc8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
865a1697764295c64f2e32d35350005d

SHA1
92b77f46df6b043c3f39d8e272a921e27ed7d865

SHA256
c5f22d25be41374d8e92e056ea44b97db13edd31aca6f6fb0c790fb395304168

SHA512
66a98623deb1b672537646692a871afc213631be0d39b5f1457a8d045995c118e2ec712c124ad08eecedde71507baa2459fd7543cf2bd08f5c84882136543318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1afe05f8697eb2a2c15d511176598583

SHA1
1971f5221140a3272be353552d465a3aa41f1aff

SHA256
b2ceacc3fb462aaf2093e90af43ac988387c95fe6a09aaff7470b8d967a38609

SHA512
cffbffce137a03dbbe36c3f257ad5b21b4040ab9d6c8a7877109c744f2166ff1fcf8a33fc6f35cc6508a906ffe4d572e23d8c2f89da60a7897b947a7db5c20d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979c930a6fa51b660692062f1218fd89

SHA1
7ec691afbfff79e7bc406d902ab748b8129b91e6

SHA256
7720fb1370e4e7569c89e8e14ebded2266548f3166d9646c1e34e7a63093ef1c

SHA512
2d701ed3f1f6614a07de52df3f687e88449f31c4c010415ff823a30d2f80d029dc9b887b08fce0ea62c37faf868bdae4db5d4bd064d2aeaf1182b672133ee2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94c359f2720ee13821245198906eea97

SHA1
f2f2bf87666584acfdac70c687a5e4254071f2ed

SHA256
5a3efe4ded92160b1650fc0b45f2c1064e75016247f81881c83f5cde609a7dc4

SHA512
a83fb5c8218136f40c143af67d199869779faf668e0b5142be331fbeff4a934df0b054efb45fcae42f78eddf0f715b174fc553d3657f1b648c7129cf9443f095

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09c1cb35275ee77b43121ba8f416b58

SHA1
5a13b13e9844f29bfd1cce97397aa5b1bdf9fa45

SHA256
7c1f62604818b8d54d4a6477266951f1c67e00fc4ef29ed8945e8ce919c3e739

SHA512
b58b88eafd9dbf699db7ecef183da71087e162496267b29914a3ba2c29f2d56318527350f8dc961baae83da4f0ff70e5a250809825f1cec5d6e51dcf04c5da77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9998533015a338beb804ae76860b2ccb

SHA1
03c957e16e81ad7c2d49738e72e1e5bf5a5b77b0

SHA256
b4e95c073d1800961ddf72f513c26715512cc6729db5bfe6debf27816fdc65af

SHA512
7498940605f256635f039ece1427e6d32483baa7115d28074a1506c93474b6321f3f7f9c6c95d56ad64997fffeecf6cb40bbbdbda7079d93d1a9c5aafdaa2120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73628d067ad30f8cb5a364592a14b5a7

SHA1
8435798988d1ae04c3a38a1b441525b0e86263f4

SHA256
17b5d7ba12ec516c1a0b8d8933406ad9f406e80cdb5d25249103a331840977a4

SHA512
5ca9219be3edf08f2a43c6989d00d68938f50929e97f49c3d9fe209587476fef00a6de917016c230d6b085212837ea0fb84979ae49504094edede2717ba76239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b74e031f046c8f6bb78882bffc2b68d

SHA1
819624f6b5ddf571300671e31943cf9e77eb3808

SHA256
4692a6fd2e658576f407f3cb00994bc21892dbd0c41a454a3e13e8ca7fb56d70

SHA512
0339259064f46a9e6b3d3057abbc57849ca17ab24d4ac66fb04bcc58a7997f6ce695c325c605cef81ed20104708b999d2b9b63222c5ba0e0a2285c7b81bba88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8fe1a194f8e721d996e58ee768426bb

SHA1
0930d805836e01e007e86b32d2211271e1030280

SHA256
a592615d708e8d9d03442e8d974aa454b3c065a7888042ed090867d8bfbd309e

SHA512
39447b2bda944e76e8912b1f0f206b4f14d0de974488049ed49849c483860b7e90a274a985a0aba339270e7aabf8ca27d207a695e5a62fa21a4200784e79c05f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f79a4a1ab7d4a0228adb57b680f709ac

SHA1
dbf0069d7bc92883ad780c4cc81ff436adcd5e5f

SHA256
2e92b049381e12de5e1b5642a8891528572bece8089b47e62d1e550504eaef34

SHA512
e58317b34c9822774d1dc281130433c60d8e3ad0540fbf508770f8748bc1f2fe12006606a266c0eeca89ede276253ef9243bb7009cdb4eb95dca2ec123a9e6a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d383dcfb25bece234d0eace60294b768

SHA1
87fd3f8881711e5b69ad0e36104f23846229c294

SHA256
8c5bec5277c02fc281c7284a2ad89a697fd7b3fca2d4c7c99182c6df467fadd0

SHA512
8c6d768667c8f137429f778ed8e47cbe1fd9f704b4200437415fc4a1ac418f22f77fab5091cb002094085534fc05cd07ea9307e66e82e352b64eef5ecf1798b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c2ca939a394ec67b03ae236a850095a

SHA1
ccf974c77cf32c42d7ceb45dbdb7c13f667c7d6a

SHA256
c38cf111eb731e05779b523a6f5fabd7b7babec4fd09afe0462099d24acdded5

SHA512
e22db8e952308a07a9f42e653065944eebf8c28bbf072bf51a11a4f31c38dfec86f924c00a8263c94ff9d644a04b316693e356c39fddd971776015b4d214d188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e400a14c036a8bd32a07ecdc39473cf

SHA1
cc4caf53a48ee2dd5d73ddcc3f8fda99d8e3fd80

SHA256
0426cebf05262608ddb625075b49a2b9a35ec9d853826db3dbac4d6a2b24f800

SHA512
4a58fd8398f16ce1d42c9a100ab85953673c72b9a02ac4c9a1298e37c75bff31e29716b856d6f7668689b0f338095caa4953f578272f9c1af27cea857e853975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7487164ce52ceeeec9827cfcec9781b

SHA1
b6875fc40b25073f0cb0d145362639fdddbfd734

SHA256
ccd97d29e97d44c4acfe9bd0d8043e2e98fce7f16b4dac5d145196b7f22ea507

SHA512
54c9d9d01d81a1f9e488b9c4c2f2c4c0357d417902538ffe6bd47be5a1c3749973720690ac03b8e0e2fc455aa0b45c7f9bdeb37132ac79184a8bf2a76f6de2ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a3ee0600eac5865fe48f43f1b5629bd9

SHA1
8afbc0763b06790da12370491bd63c23e86f28d1

SHA256
1368fabb1b6a880ff410e4d209c9470f5853457886f55ab01d3332d4fce91a46

SHA512
b2974a275327ddc5f0c31e9326e7e4f8e9b152493d6c434ebe6af8574b7624c2aab80a3a4b39aacfa7dcceba4a92aade9f120d9fddd86d063ff3bdb1336c312b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
eb1948f26d5213840f827689619411fc

SHA1
0d02ec80aedd890ead82809ccb4e48a448b26222

SHA256
22912bb056df9ef607545becf4ac47c445596a70aae4854814f1eaba7a58dbd3

SHA512
fa66c9b745af0b53915734585f7b6ea6a4183de2d1672a540181be6f9f6fd3297ab1e3c8351f14c60804bb87767aa963d15f379ac39b81226b9ba8710fb34db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
db8c4bf02b6e2b2963b32b0b73d73b5f

SHA1
e852827aba0ef0dd2751abdf9b43366b8d7a2797

SHA256
18ab0dbf3dcad2d9cc4a552eaa50c93fc6b873209d7c2b0381c9e563f3dc8864

SHA512
d6becec14250ffcbf4484cda44a875c60cdd525cff941f5dfcb48ee049d0d6e9e824d5479b039a56fd7edc657571fbf106c71cbf164a3860d84e1aca72b8035a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E328B251-9C18-11EF-B985-56CF32F83AF3}.dat

Filesize
5KB

MD5
1e2f2e283b1170eff10df27ee81e178a

SHA1
003d9f292c3820346047f0b1a50dc6bb7a81b3a1

SHA256
e2a9e05e2a95c1050f2376f256188bde08efa84ab426fdebf4d4391db89c963e

SHA512
e33a8505451c5f58e6ab2e2c0b1c6fd39f6f4d21bfff17e2d8cb1f8e30024685f10a23007d3818d5c33ebe8043c6d360cdb6ef9b2da6680504a15a3fca3337a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E32FD671-9C18-11EF-B985-56CF32F83AF3}.dat

Filesize
5KB

MD5
2f6d18dbdfadafc1b15acdef742009cd

SHA1
a701433c9377ec9081948afcca4adb756d39c464

SHA256
76c594d410784bfd8e195f69955525b9489c6a704505c815777533b9d2249a81

SHA512
8376bb9670a2587a8a10f94016bb28fc3f59939da03be2dfbd03356b5a49c6c1eef083a4b2c1888c0bb445d463168b368c809a5f7259db02a3bcd3f54b19e8f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E336FA91-9C18-11EF-B985-56CF32F83AF3}.dat

Filesize
3KB

MD5
474fa479e1b826eec194bed9740b8bfb

SHA1
feba7bd9c26254e440a0ee053ff77982d94f66d1

SHA256
05c2768079c2c98938e14692b585bab76055a2df08173d601868d0066dc141ea

SHA512
8ac1737d941f1f378cb4988fd9247d48c819e4457ee2c940a3e7705a01f1fd7333a4beba1f20721eb14135ea0866cae474708cfd968b274c9c9f8901455d8c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E33BBD51-9C18-11EF-B985-56CF32F83AF3}.dat

Filesize
5KB

MD5
025cbb366bb9392ba9734fabcfd71fbd

SHA1
83788743002568458f43c7e45295544e00c2565f

SHA256
8882174ed2d482bbfcb5f91f1a006b0be05e8f69820bfe03d6396845a4096abc

SHA512
701094996f710d7d6e62f9e9238af1897703af25076f0f5267c535b6aae27c87142c283b7931cd6cf0054c11992ba30de20dede0d74afa285fed417b2347c5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3408011-9C18-11EF-B985-56CF32F83AF3}.dat

Filesize
5KB

MD5
93186f2d629537ae27b42f3aa82a6232

SHA1
dd5c11cc74fc83dfde2b9889ea4defc7efa304ff

SHA256
8762075e118433896d4bc19fbbfb122e8e7d2d08031d6ed0f8e15c0be618475f

SHA512
ddc449d8ebf93bb7e1ebe58dba0e078689721061775181b01c0edc5beb12db0d5cbeb37966074a5118bd77909a78399b122bede2f086400d2de5d7bd3c796cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\1A3PL4[1].png

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon[3].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB00D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB02E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe

Filesize
178KB

MD5
8d24da259cd54db3ede2745724dbedab

SHA1
96f51cc49e1a6989dea96f382f2a958f488662a9

SHA256
42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883

SHA512
ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536

Download Submit
memory/1348-89-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/1516-309-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1688-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-92-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2088-88-0x0000000000CE0000-0x0000000000D24000-memory.dmp

Filesize
272KB

Download
memory/2792-93-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2792-91-0x0000000000890000-0x00000000008D4000-memory.dmp

Filesize
272KB

Download
memory/2880-281-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads