Malware Analysis Report

2025-01-02 09:57

Sample ID 210919-rd8exsegam
Target bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170
SHA256 bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170
Tags
raccoon redline smokeloader superstarlogs udp backdoor discovery evasion infostealer spyware stealer themida trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170

Threat Level: Known bad

The file bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170 was found to be: Known bad.

Malicious Activity Summary

raccoon redline smokeloader superstarlogs udp backdoor discovery evasion infostealer spyware stealer themida trojan

RedLine

SmokeLoader

Raccoon

RedLine Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks BIOS information in registry

Reads user/profile data of local email clients

Themida packer

Loads dropped DLL

Deletes itself

Checks whether UAC is enabled

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-19 14:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-19 14:05

Reported

2021-09-19 14:08

Platform

win10-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A
(62 further rows with no recorded details: N/A | N/A | N/A | N/A)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1D28.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 1824 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe | C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe
PID 2304 wrote to memory of 3652 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D28.exe
PID 2304 wrote to memory of 3652 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D28.exe
PID 2304 wrote to memory of 3652 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D28.exe
PID 2304 wrote to memory of 2832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2278.exe
PID 2304 wrote to memory of 2832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2278.exe
PID 2304 wrote to memory of 2832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2278.exe
PID 2304 wrote to memory of 2140 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2304 wrote to memory of 2140 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2304 wrote to memory of 2140 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2304 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33C0.exe
PID 2304 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33C0.exe
PID 2304 wrote to memory of 656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33C0.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2140 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\2C8B.exe | C:\Users\Admin\AppData\Local\Temp\2C8B.exe
PID 2304 wrote to memory of 1412 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe
PID 2304 wrote to memory of 1412 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe
PID 2304 wrote to memory of 1412 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe
PID 1412 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 1412 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 1412 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\3DE3.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3080 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Users\Admin\AppData\Local\Temp\install.exe
PID 3852 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\install.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 3660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe

"C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe"

C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe

"C:\Users\Admin\AppData\Local\Temp\bbe7258c4eb656efd2244721f54648655b7044501b934d1bc91e820a9d18f170.exe"

C:\Users\Admin\AppData\Local\Temp\1D28.exe

C:\Users\Admin\AppData\Local\Temp\1D28.exe

C:\Users\Admin\AppData\Local\Temp\2278.exe

C:\Users\Admin\AppData\Local\Temp\2278.exe

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

C:\Users\Admin\AppData\Local\Temp\33C0.exe

C:\Users\Admin\AppData\Local\Temp\33C0.exe

C:\Users\Admin\AppData\Local\Temp\3DE3.exe

C:\Users\Admin\AppData\Local\Temp\3DE3.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

(the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -s 20)

C:\Users\Admin\AppData\Local\Temp\install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | venerynnet1.top | udp
US | 8.8.8.8:53 | kevonahira2.top | udp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
NL | 193.56.146.36:80 | 193.56.146.36 | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
US | 8.8.8.8:53 | telete.in | udp
DE | 195.201.225.248:443 | telete.in | tcp
NL | 45.67.231.60:80 | 45.67.231.60 | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.9.20.20:13441 | N/A | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 45.144.67.29:80 | kevonahira2.top | tcp
RU | 94.26.249.88:32478 | N/A | tcp
US | 8.8.8.8:53 | api.ip.sb | udp
US | 104.26.13.31:443 | api.ip.sb | tcp
NL | 45.67.231.145:10991 | N/A | tcp
US | 104.26.13.31:443 | api.ip.sb | tcp
US | 104.26.13.31:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | renewal.fun | udp
NL | 45.147.197.110:80 | renewal.fun | tcp

Files

memory/1824-115-0x0000000000030000-0x0000000000039000-memory.dmp

memory/3968-117-0x0000000000402DCE-mapping.dmp

memory/3968-116-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2304-118-0x0000000002E20000-0x0000000002E35000-memory.dmp

memory/3652-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1D28.exe

MD5 302160df32351cbfdb25d7de735b0b78
SHA1 45de3cd046ecaf384f22afb4c5cfe9650868e9f5
SHA256 319bc85c37456c6d019954ed188e67101898019f101d24a0b22abb757ba7c02d
SHA512 4665ceefe501f4a6d4e56cc21073182faeb7b52f57163afcbda28c2eb08992cc298b3a2103eb751f02539f7b7481fb221e6bbe1d8e39f9296d8e3f94e391cb12

C:\Users\Admin\AppData\Local\Temp\1D28.exe

MD5 302160df32351cbfdb25d7de735b0b78
SHA1 45de3cd046ecaf384f22afb4c5cfe9650868e9f5
SHA256 319bc85c37456c6d019954ed188e67101898019f101d24a0b22abb757ba7c02d
SHA512 4665ceefe501f4a6d4e56cc21073182faeb7b52f57163afcbda28c2eb08992cc298b3a2103eb751f02539f7b7481fb221e6bbe1d8e39f9296d8e3f94e391cb12

memory/2832-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2278.exe

MD5 ac2a48d1b957d1a2311af942d8515ea1
SHA1 f7a1d5f4c7f3321667ed046c23f91cc00e66bf2a
SHA256 c267bc20726b190fd76ca6ec87ef7ad3dfb282ef402b347661f03bb6e465f51e
SHA512 1b6d2a57351a725f306a51d0a3b666c9e1e8a6ca726a4ca18ac619f31f477c5f6ac5194884db8224c976e94053283de6bdf5b3e9e7bb4997380ec5e8466aa9d0

C:\Users\Admin\AppData\Local\Temp\2278.exe

MD5 ac2a48d1b957d1a2311af942d8515ea1
SHA1 f7a1d5f4c7f3321667ed046c23f91cc00e66bf2a
SHA256 c267bc20726b190fd76ca6ec87ef7ad3dfb282ef402b347661f03bb6e465f51e
SHA512 1b6d2a57351a725f306a51d0a3b666c9e1e8a6ca726a4ca18ac619f31f477c5f6ac5194884db8224c976e94053283de6bdf5b3e9e7bb4997380ec5e8466aa9d0

memory/3652-125-0x00000000009F0000-0x0000000000A0F000-memory.dmp

memory/3652-126-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

memory/3652-127-0x0000000002340000-0x000000000235E000-memory.dmp

memory/3652-128-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

memory/3652-129-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/3652-130-0x00000000055F0000-0x00000000055F1000-memory.dmp

memory/3652-131-0x0000000000460000-0x000000000050E000-memory.dmp

memory/3652-134-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/3652-135-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/3652-133-0x0000000004AD4000-0x0000000004AD6000-memory.dmp

memory/3652-132-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3652-136-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

memory/3652-137-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

memory/3652-138-0x0000000005710000-0x0000000005711000-memory.dmp

memory/2832-139-0x00000000004F0000-0x000000000059E000-memory.dmp

memory/2832-140-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2140-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

MD5 12a8db630a7d6526cc881098b5c26e41
SHA1 0df827ffe1e319d7eda724b308ab59cca972f027
SHA256 fa18435d07eda41f5aa568cee624b0dfb2eb5239cc0640808dd82514c85700b7
SHA512 c90879ca7f67d012e50812793bd8c95dd7edeee7448893191c7f98ec383991fd75b4ddd9bea51fe5e8fa9b723615b7c4220082b12371a6bf16d03aad9dcc1573

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

MD5 12a8db630a7d6526cc881098b5c26e41
SHA1 0df827ffe1e319d7eda724b308ab59cca972f027
SHA256 fa18435d07eda41f5aa568cee624b0dfb2eb5239cc0640808dd82514c85700b7
SHA512 c90879ca7f67d012e50812793bd8c95dd7edeee7448893191c7f98ec383991fd75b4ddd9bea51fe5e8fa9b723615b7c4220082b12371a6bf16d03aad9dcc1573

memory/2140-144-0x0000000000750000-0x0000000000751000-memory.dmp

memory/2140-146-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/2140-147-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2140-149-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/656-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\33C0.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

C:\Users\Admin\AppData\Local\Temp\33C0.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/656-154-0x0000000002740000-0x0000000002812000-memory.dmp

memory/520-155-0x0000000000400000-0x0000000000422000-memory.dmp

memory/520-156-0x000000000041C5EA-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2C8B.exe

MD5 12a8db630a7d6526cc881098b5c26e41
SHA1 0df827ffe1e319d7eda724b308ab59cca972f027
SHA256 fa18435d07eda41f5aa568cee624b0dfb2eb5239cc0640808dd82514c85700b7
SHA512 c90879ca7f67d012e50812793bd8c95dd7edeee7448893191c7f98ec383991fd75b4ddd9bea51fe5e8fa9b723615b7c4220082b12371a6bf16d03aad9dcc1573

memory/656-158-0x0000000000400000-0x0000000000563000-memory.dmp

memory/1412-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3DE3.exe

MD5 a8386e3c88de25a8f904fdfa69daac69
SHA1 017860c60d4ba68e2a16243804088f79d246055d
SHA256 09b828682642001d90e518edc46110245320f0e69c99a9e2733ca4818614b2d1
SHA512 68c77c76f61808fa2baa5f76f61315a12987bf7b277afc75f8d5dde0f4d315f524d1d157fd435fd24cb4d4fb050ce55947eca2696b4168c7340912b1c43d4b9c

memory/520-168-0x0000000005410000-0x0000000005A16000-memory.dmp

memory/1412-170-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

memory/1412-179-0x0000000077000000-0x000000007718E000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/1412-180-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

memory/3652-183-0x0000000006930000-0x0000000006931000-memory.dmp

memory/3652-184-0x0000000006B00000-0x0000000006B01000-memory.dmp

memory/3652-186-0x00000000071F0000-0x00000000071F1000-memory.dmp

memory/3652-188-0x0000000005E90000-0x0000000005E91000-memory.dmp

memory/520-196-0x0000000007B50000-0x0000000007B51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 b5e601b54b18fc928ba5d13120e0084c
SHA1 79372e30d8a44a3098656a99e8227d8f0e9cdd96
SHA256 9dca74f21bc546a737ec0d9b5ca1800fd9488294512e5646bcab411fd20be4fc
SHA512 8dc21b69d61934ce9c263c310e3fecb9476934f0dbe5c4d2fc698dbd1e2187811321154b08e5fe22763476c0d557c133a715aa3bdcc160d0668793245197c747

memory/3080-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 b5e601b54b18fc928ba5d13120e0084c
SHA1 79372e30d8a44a3098656a99e8227d8f0e9cdd96
SHA256 9dca74f21bc546a737ec0d9b5ca1800fd9488294512e5646bcab411fd20be4fc
SHA512 8dc21b69d61934ce9c263c310e3fecb9476934f0dbe5c4d2fc698dbd1e2187811321154b08e5fe22763476c0d557c133a715aa3bdcc160d0668793245197c747

memory/3080-207-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/3080-211-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/3080-212-0x0000000005400000-0x0000000005401000-memory.dmp

memory/2188-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2C8B.exe.log

MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

memory/2188-217-0x0000000006D00000-0x0000000006D01000-memory.dmp

memory/2188-218-0x00000000074B0000-0x00000000074B1000-memory.dmp

memory/2188-219-0x0000000007420000-0x0000000007421000-memory.dmp

memory/2188-220-0x0000000007B50000-0x0000000007B51000-memory.dmp

memory/2188-222-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

memory/2188-223-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

memory/2188-224-0x0000000008540000-0x0000000008541000-memory.dmp

memory/2188-225-0x0000000006E70000-0x0000000006E71000-memory.dmp

memory/2188-226-0x0000000006E72000-0x0000000006E73000-memory.dmp

memory/3852-238-0x0000000000401300-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 b5e601b54b18fc928ba5d13120e0084c
SHA1 79372e30d8a44a3098656a99e8227d8f0e9cdd96
SHA256 9dca74f21bc546a737ec0d9b5ca1800fd9488294512e5646bcab411fd20be4fc
SHA512 8dc21b69d61934ce9c263c310e3fecb9476934f0dbe5c4d2fc698dbd1e2187811321154b08e5fe22763476c0d557c133a715aa3bdcc160d0668793245197c747

memory/2828-240-0x0000000000000000-mapping.dmp

memory/3660-241-0x0000000000000000-mapping.dmp

memory/3852-243-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2188-242-0x0000000006E73000-0x0000000006E74000-memory.dmp

memory/2304-255-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-254-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

memory/2304-257-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-258-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-259-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-261-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-260-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-262-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/2304-264-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/2304-265-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-267-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-268-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-266-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-270-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-269-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-271-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-263-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-256-0x0000000003070000-0x0000000003080000-memory.dmp

memory/2304-272-0x0000000003060000-0x0000000003070000-memory.dmp

memory/2304-273-0x0000000003060000-0x0000000003070000-memory.dmp