Malware Analysis Report

2025-01-02 09:57

Sample ID 210919-se18nsegcp
Target 894e61c9670a43c03eae56cb8a54371c.exe
SHA256 16ea3c8232c0e41dd102a54e70a116f58b73c778390f563301f3d3f1685cc156
Tags
raccoon redline smokeloader udp backdoor discovery evasion infostealer spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16ea3c8232c0e41dd102a54e70a116f58b73c778390f563301f3d3f1685cc156

Threat Level: Known bad

The file 894e61c9670a43c03eae56cb8a54371c.exe was found to be: Known bad.

Malicious Activity Summary

Raccoon

SmokeLoader

RedLine

RedLine Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Themida packer

Deletes itself

Reads user/profile data of local email clients

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies registry class

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-19 15:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-19 15:03

Reported

2021-09-19 15:05

Platform

win7-en-20210916

Max time kernel

150s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\18BF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\18BF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2B09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2B09.exe N/A

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\18BF.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2B09.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B09.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\943.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\18BF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2B09.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\service.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe
PID 1384 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\Temp\943.exe
PID 1384 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB7.exe
PID 1384 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\18BF.exe
PID 1384 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\Temp\205E.exe
PID 1384 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B09.exe
PID 1612 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2B09.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 1640 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 668 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 1284 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

C:\Users\Admin\AppData\Local\Temp\943.exe

C:\Users\Admin\AppData\Local\Temp\943.exe

C:\Users\Admin\AppData\Local\Temp\DB7.exe

C:\Users\Admin\AppData\Local\Temp\DB7.exe

C:\Users\Admin\AppData\Local\Temp\18BF.exe

C:\Users\Admin\AppData\Local\Temp\18BF.exe

C:\Users\Admin\AppData\Local\Temp\205E.exe

C:\Users\Admin\AppData\Local\Temp\205E.exe

C:\Users\Admin\AppData\Local\Temp\2B09.exe

C:\Users\Admin\AppData\Local\Temp\2B09.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

C:\Windows\system32\taskeng.exe

taskeng.exe {FAFB7C36-B37E-41B7-9F21-9B8F3F1EF4F2} S-1-5-21-2375386074-2889020035-839874990-1000:AFOWCZMM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\service.exe

C:\Users\Admin\AppData\Local\Temp\service.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\service.exe

C:\Users\Admin\AppData\Local\Temp\service.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %TEMP%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Local\Temp\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 193.56.146.36:80 193.56.146.36 tcp
RU 45.9.20.20:13441 tcp
US 8.8.8.8:53 telete.in udp
DE 195.201.225.248:443 telete.in tcp
NL 45.67.231.60:80 45.67.231.60 tcp
NL 190.2.145.156:80 tcp
NL 45.67.231.145:10991 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 renewal.fun udp
NL 45.147.197.110:80 renewal.fun tcp

Files

C:\Users\Admin\AppData\Local\Temp\943.exe

MD5 3d2efc44642922d224c3856d69822a4d
SHA1 acc34102a181dfbee7a037091a9ef5ab0b7cd827
SHA256 cec85b96bff70ce97cd617c02f61ba7a51066e29973200fb66ce56ad4a8462ec
SHA512 474f0d82e3a71f828cddc6fa107e090a4237a28af246a217d27eaa96d6c98c666a2f139a9eb5f6517147dfd590f2109125d85df308169db54df8630c9be14c48

C:\Users\Admin\AppData\Local\Temp\DB7.exe

MD5 8a239544b610e435ace057a7c6d0879f
SHA1 ca97c116c92c19ea041828413809fbcaefa56e7e
SHA256 b748f1ca15e9949ef54c7211868381c4278ca96f2b255d04fea1d86b94d7680d
SHA512 70217d02bb7e857f7ee1932aa9ebc52cc772c4e83a897623e942996f8ef8b5dde9d462819a7817724f8b173cd1dafd6631a42710bff439708fd196fb8912444f

C:\Users\Admin\AppData\Local\Temp\18BF.exe

MD5 fbe52cb1e8984491597e95d1be29b921
SHA1 2e46c6964739e2de11b1be7d7666738d28021a76
SHA256 fad3d5106b87c610a2203218a84d3a74469da11818882ea9a7d75f001ca639a3
SHA512 1675d8ec937e24debd9638ad53e98ea23a71b9e5483538c1d731ca8c21e055fd07decf5d0d7f4d544efecfbe6827821f82ce0b63dffc05270e274b784fad03d2

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

C:\Users\Admin\AppData\Local\Temp\205E.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

C:\Users\Admin\AppData\Local\Temp\2B09.exe

MD5 a8386e3c88de25a8f904fdfa69daac69
SHA1 017860c60d4ba68e2a16243804088f79d246055d
SHA256 09b828682642001d90e518edc46110245320f0e69c99a9e2733ca4818614b2d1
SHA512 68c77c76f61808fa2baa5f76f61315a12987bf7b277afc75f8d5dde0f4d315f524d1d157fd435fd24cb4d4fb050ce55947eca2696b4168c7340912b1c43d4b9c

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

\Users\Admin\AppData\Local\Temp\install.exe

MD5 b5e601b54b18fc928ba5d13120e0084c
SHA1 79372e30d8a44a3098656a99e8227d8f0e9cdd96
SHA256 9dca74f21bc546a737ec0d9b5ca1800fd9488294512e5646bcab411fd20be4fc
SHA512 8dc21b69d61934ce9c263c310e3fecb9476934f0dbe5c4d2fc698dbd1e2187811321154b08e5fe22763476c0d557c133a715aa3bdcc160d0668793245197c747

C:\Users\Admin\AppData\Local\Temp\service.exe

MD5 b5e601b54b18fc928ba5d13120e0084c
SHA1 79372e30d8a44a3098656a99e8227d8f0e9cdd96
SHA256 9dca74f21bc546a737ec0d9b5ca1800fd9488294512e5646bcab411fd20be4fc
SHA512 8dc21b69d61934ce9c263c310e3fecb9476934f0dbe5c4d2fc698dbd1e2187811321154b08e5fe22763476c0d557c133a715aa3bdcc160d0668793245197c747

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 53f74827726b51898952153c0f48ad21
SHA1 f3406c061b6facbeb67677770774860c0672d173
SHA256 01ab7cbe4e0044ef15d6dbb3372d62cc134d219dc6924026db5f4026732bf97f
SHA512 b63b65e489656a6776535a4cff34286e895dc9051d5e0d77b6c6ca90facdcb15fb3c49c038daafbfc4e946944c955784515148c34129317a5247be5e8ad98be8

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-19 15:03

Reported

2021-09-19 15:05

Platform

win10v20210408

Max time kernel

153s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7E1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C918.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\C918.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\C918.exe N/A

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\C918.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C918.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 652 set thread context of 804 N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C918.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe
PID 2724 wrote to memory of 1028 N/A N/A C:\Users\Admin\AppData\Local\Temp\B7E1.exe
PID 2724 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\C918.exe
PID 1028 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\B7E1.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe

"C:\Users\Admin\AppData\Local\Temp\894e61c9670a43c03eae56cb8a54371c.exe"

C:\Users\Admin\AppData\Local\Temp\B7E1.exe

C:\Users\Admin\AppData\Local\Temp\B7E1.exe

C:\Users\Admin\AppData\Local\Temp\C918.exe

C:\Users\Admin\AppData\Local\Temp\C918.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B7E1.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

Network

Country Destination Domain Proto
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 telete.in udp
DE 195.201.225.248:443 telete.in tcp
NL 45.67.231.60:80 45.67.231.60 tcp
NL 45.67.231.145:10991 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp

Files

memory/652-114-0x0000000000030000-0x0000000000039000-memory.dmp

memory/804-115-0x0000000000400000-0x0000000000408000-memory.dmp

memory/804-116-0x0000000000402DCE-mapping.dmp

memory/2724-117-0x0000000000D00000-0x0000000000D15000-memory.dmp

memory/1028-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\B7E1.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

memory/1028-121-0x00000000021D0000-0x00000000022A2000-memory.dmp

memory/1028-122-0x0000000000400000-0x0000000000563000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/1476-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C918.exe

MD5 a8386e3c88de25a8f904fdfa69daac69
SHA1 017860c60d4ba68e2a16243804088f79d246055d
SHA256 09b828682642001d90e518edc46110245320f0e69c99a9e2733ca4818614b2d1
SHA512 68c77c76f61808fa2baa5f76f61315a12987bf7b277afc75f8d5dde0f4d315f524d1d157fd435fd24cb4d4fb050ce55947eca2696b4168c7340912b1c43d4b9c

memory/1476-126-0x0000000077CA0000-0x0000000077E2E000-memory.dmp

memory/1476-128-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/1476-130-0x0000000005700000-0x0000000005701000-memory.dmp

memory/1476-131-0x0000000005120000-0x0000000005121000-memory.dmp

memory/1476-132-0x0000000005250000-0x0000000005251000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

memory/1476-134-0x00000000050E0000-0x00000000050E1000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

memory/1476-136-0x0000000005180000-0x0000000005181000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/1476-139-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/3048-140-0x0000000000000000-mapping.dmp

memory/3864-141-0x0000000000000000-mapping.dmp

memory/1476-142-0x0000000006810000-0x0000000006811000-memory.dmp

memory/1476-143-0x0000000006F10000-0x0000000006F11000-memory.dmp

memory/1476-144-0x0000000006A90000-0x0000000006A91000-memory.dmp

memory/1476-145-0x0000000006C80000-0x0000000006C81000-memory.dmp

memory/1476-146-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

memory/1476-147-0x0000000007940000-0x0000000007941000-memory.dmp

memory/1476-148-0x0000000006D60000-0x0000000006D61000-memory.dmp

memory/2724-160-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-159-0x0000000000D60000-0x0000000000D70000-memory.dmp

memory/2724-162-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-161-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

memory/2724-163-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-164-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-165-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-166-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-167-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/2724-168-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-170-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-169-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/2724-171-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-174-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-172-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-173-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-176-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-175-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-177-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/2724-178-0x0000000000DA0000-0x0000000000DB0000-memory.dmp