Analysis Overview
SHA256
ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
Threat Level: Known bad
The file ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Raccoon family
Raccoon Stealer V2 payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-18 08:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:44
Platform
win7-20241010-en
Max time kernel
240s
Max time network
245s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2800 created 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2800 set thread context of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe | "C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 3446 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 3446\Victoria.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Designation + Chorus + Place 3446\B |
| C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | 3446\Victoria.pif 3446\B |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif |
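Detection logic for the chain shown in the process list above, added here as an example and not part of the sandbox output. It runs over process-creation records constructed from the command lines in this report. PIDs 1212, 2800 and 916 are the ones the signatures name; the remaining PIDs are placeholders, and treating 916 as the Victoria.pif instance created under Explorer.EXE is an inference from the SetThreadContext row and the PID 916 memory dumps, not something the report states.

```python
"""Flag the batch-dropper chain from the process list above (added example,
not sandbox output). Input: process-creation records in the shape of Sysmon
Event ID 1 (pid, parent pid, image, command line). Stages: a renamed .bat run
via cmd /k, tasklist|findstr for security products, copy /b reassembly of a
.pif, a ping-to-loopback sleep, the .pif launched with a companion file, and a
second .pif instance whose recorded parent is Explorer.EXE (the spoofed parent
behind the NtCreateUserProcessOtherParentProcess signature)."""
import re
from dataclasses import dataclass

# Process names taken from the two findstr command lines in the report.
AV_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe"}

# Stage -> regex tested against the lower-cased command line.
STAGES = {
    "bat_rename_exec":    re.compile(r'cmd\.exe"?\s+/k\s+move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat'),
    "av_discovery":       re.compile(r'findstr\s+/i\s+"([^"]+)"'),
    "copy_b_reassembly":  re.compile(r'copy\s+/b\s+(\S+(?:\s*\+\s*\S+)+)\s+(\S+)'),
    "loopback_sleep":     re.compile(r'ping\s+-n\s+\d+\s+127\.0\.0\.1'),
    "pif_with_companion": re.compile(r'(\S+\.pif)\s+(\S+)$'),
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def match_stages(events):
    """{stage: [events]} for every stage whose pattern fires."""
    hits = {}
    for ev in events:
        cl = ev.cmdline.lower()
        for stage, rx in STAGES.items():
            m = rx.search(cl)
            if not m:
                continue
            # findstr only counts when it names a known security product
            if stage == "av_discovery" and not set(m.group(1).split()) & AV_NAMES:
                continue
            hits.setdefault(stage, []).append(ev)
    return hits


def reassembly_targets(hits):
    """(destination, [chunk names in order]) for each copy /b seen."""
    out = []
    for ev in hits.get("copy_b_reassembly", []):
        m = STAGES["copy_b_reassembly"].search(ev.cmdline.lower())
        out.append((m.group(2), [p.strip() for p in m.group(1).split("+")]))
    return out


def explorer_parented_pifs(events):
    """.pif processes whose parent is Explorer.EXE while another instance of the
    same image exists: the reparented child of the parent-PID spoofing step."""
    explorer = {e.pid for e in events if e.image.lower().endswith("explorer.exe")}
    pifs = [e for e in events if e.image.lower().endswith(".pif")]
    return [e for e in pifs if e.ppid in explorer and
            any(o.pid != e.pid and o.image.lower() == e.image.lower() for o in pifs)]


def is_dropper_chain(events, min_stages=4):
    """(verdict, hits). The reassembled .pif must also be the one executed."""
    hits = match_stages(events)
    spoofed = explorer_parented_pifs(events)
    if spoofed:
        hits["spoofed_parent"] = spoofed
    built = {dst for dst, _ in reassembly_targets(hits)}
    run = {STAGES["pif_with_companion"].search(e.cmdline.lower()).group(1)
           for e in hits.get("pif_with_companion", [])}
    return len(hits) >= min_stages and bool(built & run), hits


# Constructed from the command lines in this report. PIDs 1212, 2800 and 916
# are the ones the signatures name; the other PIDs are placeholders.
T = r"C:\Users\Admin\AppData\Local\Temp"
EXE = "ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe"
SAMPLE = [
    ProcEvent(1212, 900, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2400, 1212, T + "\\" + EXE, '"' + T + "\\" + EXE + '"'),
    ProcEvent(2410, 2400, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit'),
    ProcEvent(2420, 2410, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(2421, 2410, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(2422, 2410, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(2423, 2410, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(2430, 2410, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 3446"),
    ProcEvent(2431, 2410, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 3446\Victoria.pif"),
    ProcEvent(2432, 2410, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Designation + Chorus + Place 3446\B"),
    ProcEvent(2800, 2410, T + r"\3446\Victoria.pif", r"3446\Victoria.pif 3446\B"),
    ProcEvent(2440, 2410, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(916, 1212, T + r"\3446\Victoria.pif", T + r"\3446\Victoria.pif"),
]

if __name__ == "__main__":
    verdict, hits = is_dropper_chain(SAMPLE)
    print("dropper chain:", verdict)
    for stage, evs in hits.items():
        print(f"  {stage}: pids {[e.pid for e in evs]}")
```

The last stage is the one a parent-child rule keyed on cmd.exe would miss: the second Victoria.pif carries Explorer.EXE as its recorded parent, so its creator (PID 2800, per the SetThreadContext row) is not visible in the parent field at all. The memory dumps of PID 916 at 0x400000-0x416000 are the hollowing side of that same step.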
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | EDLqDEKyDDmwTX.EDLqDEKyDDmwTX | udp |
| RU | 82.146.45.177:80 | 82.146.45.177 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Latter
| MD5 | 202cd0ed4d5a42ef36c223e2e041bae9 |
| SHA1 | 814d8e675a6c57811052f1f116e51605f11c5c7a |
| SHA256 | dfab3a6b7e63339e8a23e9270cbbd49fa5d9efe42512339e1a7a915bd04d7b10 |
| SHA512 | e66ab9d35dbc6cb593f90b31d739fd361bb2426f8137121b6f297663b970ba8e2ffd0e53e72d3137ce705ebee3f254646fc6d350b0fcb432276761b664f7cb60 |
C:\Users\Admin\AppData\Local\Temp\Eight
| MD5 | 521f2aed387524bdd7052bb4f23c0018 |
| SHA1 | 7c57b9c934705f1ba9418840afef2f0af8e69168 |
| SHA256 | d38464b74940765c78bf06478029f2366bfbca7c9b965c164efb2886e98c3d6a |
| SHA512 | 73366414419bb41c192a74f56a94c867d50187c24e07cc9ac33f4dbab31ea756671dc879a9bf78735596f8c96976fd595dd987702daadd9b8b25ea543a12c474 |
C:\Users\Admin\AppData\Local\Temp\Planning
| MD5 | 9bb02422262416ba9e804e520ab576be |
| SHA1 | 3d6b62a8f9d8d846c8e05495819b5320ada507c6 |
| SHA256 | fb7337b18c69464c4c84b9ecb69d62f6f693460c86d0e5ab3586c315c59cac97 |
| SHA512 | febc9d3221329aa1150dc3b1b81afe858634bb3a096939ae5cbef87d9c7dc3613265baf1e40befac34798ac186802d17437f04cadff4b3ade71332647ece10e9 |
C:\Users\Admin\AppData\Local\Temp\Designation
| MD5 | c1cc1aa18b9007c18d77d379897ca025 |
| SHA1 | 64c85a49243812f66e0dd819129cb99ee10ef763 |
| SHA256 | 5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc |
| SHA512 | 791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310 |
C:\Users\Admin\AppData\Local\Temp\Place
| MD5 | 9ea9a13f6966bda0647d6f83f6d257fb |
| SHA1 | 36d5c6d95368508c5878bf08e2a2bc753aaf7aec |
| SHA256 | 5db649df3c48e3e7e47f9bfa222fc229b4a000dadd9d12b83fde569ed2ee81a3 |
| SHA512 | 4c3a3359777a16c190973eefd001e166f76dee32482493b0da2c635b90a143aef35a36101ff66daa1b60eeaec945c3d93a8d82b51cc8a70e48bc6b9c3199db2a |
C:\Users\Admin\AppData\Local\Temp\Chorus
| MD5 | 6289f0044be469e5cc5d78425de1ecd2 |
| SHA1 | 1633cbe5c9c79ff74cef4ef8d44221d16dc7c674 |
| SHA256 | 68c92d709cd12a0decce387d841e41519f68979ff305aff68738a81e538c2434 |
| SHA512 | 256d3016d615d47f71f762b339ef842d1da613323aa8beb3b67afbb3271b5a5001e470d9331039fbf5600b87e49d40fe41af29dd96cdaef8af37dfee37c83f70 |
C:\Users\Admin\AppData\Local\Temp\Publishing
| MD5 | 5c3dd15e00b94c2d9b169d10e4f89144 |
| SHA1 | 32f0c00bcf18cc51ed0ff7bcab2cb6b62ff08620 |
| SHA256 | d2ad4b17ef916f37ba03c3a7f5c3e3733a7b63bc18eda759f0e8744d682af9c4 |
| SHA512 | 1f4c9bc47efe1c5644042daa5575dd2fbfc92de604b1af7c70fb77070f5b1d2928811d84e47ddabae08b4bf7248a23c66690413d6a75cb1b683e3c893068c4eb |
C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\3446\B
| MD5 | 2ea6936964f3396a440d6fcd1d0e6a40 |
| SHA1 | c1b605042274a26061f9b3acf6e3e3c84d0dd27d |
| SHA256 | ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27 |
| SHA512 | 8e3c462a5ab1f47e834ebbe64a320d68d7e98dc5a50a3d21127d9731c168dcd64a1ed77a33c514d2cbe56daa981073942eb878504e58cffd864f28c68facbba5 |
C:\Users\Admin\AppData\Local\Temp\Prev
| MD5 | 8d019b45973901b4854eec33096d05c0 |
| SHA1 | 1dfb37a78659ba3917c6479ead9c9f645bbb8331 |
| SHA256 | d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3 |
| SHA512 | 9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1 |
C:\Users\Admin\AppData\Local\Temp\Objectives
| MD5 | 93fc6d378cf9f3e4bd856b24e758032b |
| SHA1 | 23509fad0ad1dc5cead9b4f8e0efe2b1a52c2536 |
| SHA256 | 21cc51aee34eef0c66dbc4c633bedc390dba87482289b7a31e15806b9dfb60ad |
| SHA512 | e8304645ae862af43af2d8596626764420a4c6acaa4cb1a4a1eacab231a0351a04b1130609c34e8b2c58e13b97f048af5f97bcbcee8ace3eef9955228b57285e |
memory/916-25-0x0000000000400000-0x0000000000416000-memory.dmp
memory/916-26-0x0000000000400000-0x0000000000416000-memory.dmp
memory/916-28-0x0000000000400000-0x0000000000416000-memory.dmp
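A check on the Files list above, added as an example and not part of the report: the two copy /b command lines give the chunk order, so an analyst holding the Temp directory from the VM can confirm that 3446\Victoria.pif and 3446\B are exactly the joins of the listed chunks by recomputing the SHA256 of the concatenation and comparing it with the values reported above. The embedded hashes are the report's values for the two destinations; the self-check at the bottom uses constructed bytes, not the real chunks.

```python
"""Verify that a dropped file is the byte-for-byte join of its copy /b chunks
(added example, not sandbox output). Replays the chunk order from the copy /b
command line, hashes the concatenation and compares it with the SHA256 the
report lists for the destination."""
import hashlib
import re
from pathlib import Path

# Command lines and destination hashes as listed for behavioral1.
COPY_CMDS = {
    r"3446\Victoria.pif": r"cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 3446\Victoria.pif",
    r"3446\B": r"cmd /c copy /b Designation + Chorus + Place 3446\B",
}
REPORTED_SHA256 = {
    r"3446\Victoria.pif": "f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3",
    r"3446\B": "ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27",
}

COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.IGNORECASE)


def parse_copy_b(cmdline):
    """Ordered chunk names and destination from `copy /b A + B + C dest`."""
    m = COPY_B.search(cmdline)
    if not m:
        raise ValueError("not a copy /b command line: " + cmdline)
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


def sha256_of_join(chunks):
    """SHA256 of the concatenation, streamed chunk by chunk."""
    h = hashlib.sha256()
    for c in chunks:
        h.update(c)
    return h.hexdigest()


def verify_join(cmdline, read_chunk, expected_sha256):
    """read_chunk(name) -> bytes. Returns (destination, digest, matches)."""
    names, dest = parse_copy_b(cmdline)
    digest = sha256_of_join(read_chunk(n) for n in names)
    return dest, digest, digest == expected_sha256.lower()


def verify_from_dir(temp_dir):
    """Run the check for both copy /b lines against chunk files in temp_dir
    (the recovered C:\\Users\\Admin\\AppData\\Local\\Temp contents)."""
    root = Path(temp_dir)
    return {dest: verify_join(cmd, lambda n: (root / n).read_bytes(), REPORTED_SHA256[dest])
            for dest, cmd in COPY_CMDS.items()}


if __name__ == "__main__":
    # Self-check with constructed bytes standing in for the five chunks.
    fake = {"Prev": b"MZ\x90\x00", "Objectives": b"\x03\x00\x00\x00",
            "Publishing": b"PE\x00\x00", "Planning": b"\x4c\x01", "Eight": b"\x00" * 16}
    expected = sha256_of_join(fake[n] for n in ["Prev", "Objectives", "Publishing", "Planning", "Eight"])
    dest, digest, ok = verify_join(COPY_CMDS[r"3446\Victoria.pif"], fake.__getitem__, expected)
    print(dest, digest, "match" if ok else "MISMATCH")
```

A mismatch against the reported value means either the recovered chunks are not the ones from this run or the destination was modified after the copy; the per-chunk MD5/SHA1/SHA256 values listed above let you tell which by hashing each chunk with the same reader.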
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:44
Platform
win10v2004-20250314-en
Max time kernel
105s
Max time network
215s
Command Line
Signatures
Raccoon
Raccoon Stealer V2 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2008 created 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2008 set thread context of 4048 | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe | "C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 3430 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 3430\Victoria.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Designation + Chorus + Place 3430\B |
| C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | 3430\Victoria.pif 3430\B |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif | C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | EDLqDEKyDDmwTX.EDLqDEKyDDmwTX | udp |
| GB | 95.100.153.143:443 | www.bing.com | tcp |
| RU | 82.146.45.177:80 | 82.146.45.177 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Latter
| MD5 | 202cd0ed4d5a42ef36c223e2e041bae9 |
| SHA1 | 814d8e675a6c57811052f1f116e51605f11c5c7a |
| SHA256 | dfab3a6b7e63339e8a23e9270cbbd49fa5d9efe42512339e1a7a915bd04d7b10 |
| SHA512 | e66ab9d35dbc6cb593f90b31d739fd361bb2426f8137121b6f297663b970ba8e2ffd0e53e72d3137ce705ebee3f254646fc6d350b0fcb432276761b664f7cb60 |
C:\Users\Admin\AppData\Local\Temp\Prev
| MD5 | 8d019b45973901b4854eec33096d05c0 |
| SHA1 | 1dfb37a78659ba3917c6479ead9c9f645bbb8331 |
| SHA256 | d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3 |
| SHA512 | 9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1 |
C:\Users\Admin\AppData\Local\Temp\Objectives
| MD5 | 93fc6d378cf9f3e4bd856b24e758032b |
| SHA1 | 23509fad0ad1dc5cead9b4f8e0efe2b1a52c2536 |
| SHA256 | 21cc51aee34eef0c66dbc4c633bedc390dba87482289b7a31e15806b9dfb60ad |
| SHA512 | e8304645ae862af43af2d8596626764420a4c6acaa4cb1a4a1eacab231a0351a04b1130609c34e8b2c58e13b97f048af5f97bcbcee8ace3eef9955228b57285e |
C:\Users\Admin\AppData\Local\Temp\Publishing
| MD5 | 5c3dd15e00b94c2d9b169d10e4f89144 |
| SHA1 | 32f0c00bcf18cc51ed0ff7bcab2cb6b62ff08620 |
| SHA256 | d2ad4b17ef916f37ba03c3a7f5c3e3733a7b63bc18eda759f0e8744d682af9c4 |
| SHA512 | 1f4c9bc47efe1c5644042daa5575dd2fbfc92de604b1af7c70fb77070f5b1d2928811d84e47ddabae08b4bf7248a23c66690413d6a75cb1b683e3c893068c4eb |
C:\Users\Admin\AppData\Local\Temp\Planning
| MD5 | 9bb02422262416ba9e804e520ab576be |
| SHA1 | 3d6b62a8f9d8d846c8e05495819b5320ada507c6 |
| SHA256 | fb7337b18c69464c4c84b9ecb69d62f6f693460c86d0e5ab3586c315c59cac97 |
| SHA512 | febc9d3221329aa1150dc3b1b81afe858634bb3a096939ae5cbef87d9c7dc3613265baf1e40befac34798ac186802d17437f04cadff4b3ade71332647ece10e9 |
C:\Users\Admin\AppData\Local\Temp\Eight
| MD5 | 521f2aed387524bdd7052bb4f23c0018 |
| SHA1 | 7c57b9c934705f1ba9418840afef2f0af8e69168 |
| SHA256 | d38464b74940765c78bf06478029f2366bfbca7c9b965c164efb2886e98c3d6a |
| SHA512 | 73366414419bb41c192a74f56a94c867d50187c24e07cc9ac33f4dbab31ea756671dc879a9bf78735596f8c96976fd595dd987702daadd9b8b25ea543a12c474 |
C:\Users\Admin\AppData\Local\Temp\Designation
| MD5 | c1cc1aa18b9007c18d77d379897ca025 |
| SHA1 | 64c85a49243812f66e0dd819129cb99ee10ef763 |
| SHA256 | 5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc |
| SHA512 | 791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310 |
C:\Users\Admin\AppData\Local\Temp\Place
| MD5 | 9ea9a13f6966bda0647d6f83f6d257fb |
| SHA1 | 36d5c6d95368508c5878bf08e2a2bc753aaf7aec |
| SHA256 | 5db649df3c48e3e7e47f9bfa222fc229b4a000dadd9d12b83fde569ed2ee81a3 |
| SHA512 | 4c3a3359777a16c190973eefd001e166f76dee32482493b0da2c635b90a143aef35a36101ff66daa1b60eeaec945c3d93a8d82b51cc8a70e48bc6b9c3199db2a |
C:\Users\Admin\AppData\Local\Temp\Chorus
| MD5 | 6289f0044be469e5cc5d78425de1ecd2 |
| SHA1 | 1633cbe5c9c79ff74cef4ef8d44221d16dc7c674 |
| SHA256 | 68c92d709cd12a0decce387d841e41519f68979ff305aff68738a81e538c2434 |
| SHA512 | 256d3016d615d47f71f762b339ef842d1da613323aa8beb3b67afbb3271b5a5001e470d9331039fbf5600b87e49d40fe41af29dd96cdaef8af37dfee37c83f70 |
C:\Users\Admin\AppData\Local\Temp\3430\Victoria.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\3430\B
| MD5 | 2ea6936964f3396a440d6fcd1d0e6a40 |
| SHA1 | c1b605042274a26061f9b3acf6e3e3c84d0dd27d |
| SHA256 | ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27 |
| SHA512 | 8e3c462a5ab1f47e834ebbe64a320d68d7e98dc5a50a3d21127d9731c168dcd64a1ed77a33c514d2cbe56daa981073942eb878504e58cffd864f28c68facbba5 |
memory/4048-24-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4048-25-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4048-27-0x0000000000400000-0x0000000000416000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:44
Platform
win7-20250207-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$TEMP\Designation.ps1 |
Network
Files
memory/1952-4-0x000007FEF5CBE000-0x000007FEF5CBF000-memory.dmp
memory/1952-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/1952-9-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
memory/1952-11-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
memory/1952-10-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
memory/1952-8-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
memory/1952-7-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
memory/1952-6-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/1952-12-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:44
Platform
win10v2004-20250314-en
Max time kernel
105s
Max time network
215s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$TEMP\Designation.ps1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
Files
memory/1240-0-0x00007FFAEDDA3000-0x00007FFAEDDA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ualfa2tp.vr5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1240-6-0x000002147FAB0000-0x000002147FAD2000-memory.dmp
memory/1240-11-0x00007FFAEDDA0000-0x00007FFAEE861000-memory.dmp
memory/1240-12-0x00007FFAEDDA0000-0x00007FFAEE861000-memory.dmp
memory/1240-15-0x00007FFAEDDA0000-0x00007FFAEE861000-memory.dmp
memory/1240-16-0x00007FFAEDDA0000-0x00007FFAEE861000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:39
Platform
win7-20240903-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-18 08:39
Reported
2025-03-18 08:39
Platform
win10v2004-20250314-en
Max time kernel
0s