Malware Analysis Report

2025-01-02 09:55

Sample ID 210919-t37wsscbg2
Target 07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096
SHA256 07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096
Tags
raccoon redline smokeloader udp backdoor discovery evasion infostealer persistence spyware stealer themida trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096 was found to be: Known bad.

Malicious Activity Summary

RedLine Payload

Raccoon

RedLine

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

Deletes itself

Reads user/profile data of local email clients

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-09-19 16:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-19 16:36

Reported

2021-09-19 16:38

Platform

win10-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\72BF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8772.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8772.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\561B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\561B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5FEF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5FEF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\72BF.exe N/A

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4B3C.exe" C:\Users\Admin\AppData\Local\Temp\4B3C.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\561B.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5FEF.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\72BF.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8772.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\561B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5FEF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8772.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4B3C.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4B3C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\561B.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5FEF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6465.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\72BF.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe
PID 3048 wrote to memory of 3964 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B3C.exe
PID 3048 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\561B.exe
PID 3048 wrote to memory of 948 N/A N/A C:\Users\Admin\AppData\Local\Temp\5FEF.exe
PID 3048 wrote to memory of 1540 N/A N/A C:\Users\Admin\AppData\Local\Temp\6465.exe
PID 3048 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\Temp\6967.exe
PID 3048 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\Temp\72BF.exe
PID 3048 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\79F4.exe
PID 3048 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\8772.exe
PID 3048 wrote to memory of 4012 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B1C.exe
PID 4012 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\8B1C.exe C:\Users\Admin\AppData\Local\Temp\8B1C.exe
PID 3048 wrote to memory of 4192 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F92.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe

"C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe"

C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe

"C:\Users\Admin\AppData\Local\Temp\07ccec595a842376585d2134a4cb8cf8ce535023ca9367a6fcb23acdaa94a096.exe"

C:\Users\Admin\AppData\Local\Temp\4B3C.exe

C:\Users\Admin\AppData\Local\Temp\4B3C.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3964 -s 1588

C:\Users\Admin\AppData\Local\Temp\561B.exe

C:\Users\Admin\AppData\Local\Temp\561B.exe

C:\Users\Admin\AppData\Local\Temp\5FEF.exe

C:\Users\Admin\AppData\Local\Temp\5FEF.exe

C:\Users\Admin\AppData\Local\Temp\6465.exe

C:\Users\Admin\AppData\Local\Temp\6465.exe

C:\Users\Admin\AppData\Local\Temp\6967.exe

C:\Users\Admin\AppData\Local\Temp\6967.exe

C:\Users\Admin\AppData\Local\Temp\72BF.exe

C:\Users\Admin\AppData\Local\Temp\72BF.exe

C:\Users\Admin\AppData\Local\Temp\79F4.exe

C:\Users\Admin\AppData\Local\Temp\79F4.exe

C:\Users\Admin\AppData\Local\Temp\8772.exe

C:\Users\Admin\AppData\Local\Temp\8772.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8F92.exe

C:\Users\Admin\AppData\Local\Temp\8F92.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\4B3C.exe

C:\Users\Admin\AppData\Local\Temp\561B.exe

C:\Users\Admin\AppData\Local\Temp\5FEF.exe

C:\Users\Admin\AppData\Local\Temp\6465.exe

C:\Users\Admin\AppData\Local\Temp\6967.exe

C:\Users\Admin\AppData\Local\Temp\72BF.exe

\Users\Admin\AppData\LocalLow\sqlite3.dll

C:\Users\Admin\AppData\Local\Temp\79F4.exe

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

C:\Users\Admin\AppData\Local\Temp\8772.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8F92.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8B1C.exe.log