File name:	447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b.exe
Full analysis:	https://app.any.run/tasks/5c54b828-e0d3-40c0-bb4b-8c5855650e90
Verdict:	Malicious activity
Threats:	Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019. Malware Trends Tracker >>>
Analysis date:	June 27, 2025, 09:24:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	raccoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:	E2ABF4955A35D2F6BFEB21200EA1F836
SHA1:	BE5D778D38688A5DB52A3D72ADF76A59433975CA
SHA256:	447C03CC63A420C07875132D35EF027ADEC98E7BD446CF4F7C9D45B6AF40EA2B
SSDEEP:	98304:56MXSVkxjzcqbsaZ8pAcYNgxUeqHVwfee6ryfwtJjMwdl5jx+wvhh33sYQqBfy69:MCe5e

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:01:22 18:52:30+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	140288
InitializedDataSize:	667136
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
3656	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_447c03cc63a420c0_43bf1ff4ee796d12cb77b93e6f15923870a2eaa8_1bebdfed_0709f3c3-29cc-4eff-b865-d9ecf33aa49c\Report.wer		—
		MD5:—	SHA256:—
3656	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b.exe.6652.dmp		—
		MD5:—	SHA256:—
3656	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7030.tmp.xml		xml
		MD5:10499383DA950B26A20CF0229E978362	SHA256:295116F0142D962A8EC50621374E3BD07E38A5CD6DB133757B018A3D1B0C30A8
3656	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C37.tmp.dmp		binary
		MD5:67EFC90ABFB0765AFEFA9586D68AE47C	SHA256:E380A987D04D522BE32E1E4E29323B053B6804F904005CC7BBE4D841B3CE4D94
3656	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7010.tmp.WERInternalMetadata.xml		xml
		MD5:65F7EECC3F9B7934FC4C039EA5EE5FFA	SHA256:018B30961D16C75E04DE30F25F2DBB9A9B04915174BA5300ED55B9434CD5EF17
592	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\updater.log		text
		MD5:6E45D043B5D77A26481400593A61AF0C	SHA256:5A439A77B8BFF81C044BF5A7AAE8CBA434DE46987588AFBF275BA3D1205ECEC1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4500	AppLaunch.exe	GET	404	188.166.1.115:80	http://188.166.1.115/starmivoscloud	unknown	—	—	unknown
4500	AppLaunch.exe	GET	404	188.166.1.115:80	http://188.166.1.115/starmivoscloud	unknown	—	—	unknown
4500	AppLaunch.exe	GET	404	188.166.1.115:80	http://188.166.1.115/starmivoscloud	unknown	—	—	unknown
—	—	POST	200	20.190.160.64:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
4500	AppLaunch.exe	GET	404	188.166.1.115:80	http://188.166.1.115/starmivoscloud	unknown	—	—	unknown
—	—	POST	400	20.190.160.64:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
4500	AppLaunch.exe	GET	404	188.166.1.115:80	http://188.166.1.115/starmivoscloud	unknown	—	—	unknown
—	—	POST	400	20.190.160.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.14:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4512	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4500	AppLaunch.exe	188.166.1.115:80	—	DIGITALOCEAN-ASN	NL	unknown
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3656	WerFault.exe	104.208.16.94:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2764	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.184.238	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted
login.live.com	20.190.159.73 20.190.159.130 20.190.159.75 20.190.159.68 40.126.31.73 20.190.159.4 40.126.31.131 20.190.159.0	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
img.vulpecular.icu	104.21.91.115 172.67.216.180	unknown
nexusrules.officeapps.live.com	52.111.243.30	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .icu Domain
4500	AppLaunch.exe	Potentially Bad Traffic	ET INFO Suspicious Domain (*.icu) in TLS SNI

General Info

447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b.exe

E2ABF4955A35D2F6BFEB21200EA1F836

BE5D778D38688A5DB52A3D72ADF76A59433975CA

447C03CC63A420C07875132D35EF027ADEC98E7BD446CF4F7C9D45B6AF40EA2B

98304:56MXSVkxjzcqbsaZ8pAcYNgxUeqHVwfee6ryfwtJjMwdl5jx+wvhh33sYQqBfy69:MCe5e

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

RACCOON has been detected (YARA)

SUSPICIOUS

Executes application which crashes

There is functionality for taking screenshot (YARA)

The process executes via Task Scheduler

Application launched itself

Connects to the server without a host name

INFO

Reads the computer name

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Process checks whether UAC notifications are on

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings