Malware Analysis Report

2025-01-02 10:23

Sample ID 210920-fl8j4sfedp
Target 66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00
SHA256 66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00
Tags
raccoon redline smokeloader new777 udp backdoor discovery evasion infostealer spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00

Threat Level: Known bad

The file 66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00 was found to be: Known bad.

Malicious Activity Summary

raccoon redline smokeloader new777 udp backdoor discovery evasion infostealer spyware stealer themida trojan

RedLine

RedLine Payload

SmokeLoader

Raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

Reads user/profile data of web browsers

Deletes itself

Themida packer

Loads dropped DLL

Reads user/profile data of local email clients

Checks BIOS information in registry

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-20 04:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-20 04:58

Reported

2021-09-20 05:01

Platform

win10v20210408

Max time kernel

151s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

5 matches recorded (indicator, process and target were not captured)

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BE59.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BE59.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\C782.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\C782.exe N/A

Deletes itself

Description Indicator Process Target
(no indicator row captured for this signature)

The behaviour itself is visible in the Processes section: D30D.exe starts cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D30D.exe", a 10-second wait (long enough for the parent to exit and release its image) followed by deletion of the dropper's own file.

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
5 matches recorded (indicator, process and target were not captured)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\BE59.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\C782.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C782.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dtcvist N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dtcvist N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dtcvist N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
(62 further events recorded with no indicator, process or target captured)

Suspicious behavior: GetForegroundWindowSpam

1 event recorded (process not captured)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dtcvist N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 9 alternating pairs (18 events) N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BE59.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C782.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CCF2.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, 20 alternating pairs (40 events) N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D800.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Runs of identical rows are collapsed in order; the counts give the number of events in the original table (64 in total). Only the SeDebugPrivilege rows are attributable to a process: powershell.exe, BE59.exe, C782.exe, CCF2.exe and D800.exe each enabled it, which is what a process does before opening processes it does not own. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs carry no process name and cannot be tied to the sample from this report alone.

Suspicious use of FindShellTrayWindow

8 events recorded (process not captured)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 824 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe
PID 3052 wrote to memory of 736 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\BE59.exe
PID 3052 wrote to memory of 1536 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\C782.exe
PID 3052 wrote to memory of 2392 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\CCF2.exe
PID 3052 wrote to memory of 2748 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\D30D.exe
PID 3052 wrote to memory of 724 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\D800.exe
PID 724 wrote to memory of 640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\D800.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1484 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\E5BC.exe
PID 2748 wrote to memory of 4288 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\D30D.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 4324 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 724 wrote to memory of 4708 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\D800.exe C:\Users\Admin\AppData\Local\Temp\D800.exe
PID 724 wrote to memory of 4720 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\D800.exe C:\Users\Admin\AppData\Local\Temp\D800.exe
PID 4952 wrote to memory of 4976 (6 writes) N/A C:\Users\Admin\AppData\Roaming\dtcvist C:\Users\Admin\AppData\Roaming\dtcvist

Identical rows are collapsed; the count is the number of WriteProcessMemory events recorded for that pair. PID 3052 has no process name in the report, yet it is the process that wrote into every dropped executable (BE59, C782, CCF2, D30D, D800, E5BC) and the one whose 0x2980000-0x2990000 region is dumped repeatedly in the Files section. The rows where source and target are the same image (636 into 824, 724 into 4708 and 4720, 4952 into 4976), together with the "mapping" dumps at 0x402DCE (PIDs 824 and 4976) and 0x41C5E2 (PID 4720), are the shape of a process writing a payload into a second, suspended instance of itself; the SetThreadContext and MapViewOfSection signatures listed above belong to the same technique.
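Reading which process wrote into which is still done by eye in the table above. The following Python is an added example, not part of the sandbox report: it parses rows in the report's own "PID X wrote to memory of Y" format, rebuilds the write graph as a tree, and lists the same-image pairs that match the self-injection shape. The input rows are constructed from this report with image paths shortened to basenames, and the hash-named sample is written as sample.exe for brevity.

```python
import re
from collections import defaultdict

# Rows constructed from this report's WriteProcessMemory table (basenames only; the
# hash-named sample is written as sample.exe). Repeated rows are reproduced by multiplication.
ROWS = (
    "PID 636 wrote to memory of 824 N/A sample.exe sample.exe\n" * 6
    + "PID 3052 wrote to memory of 736 N/A N/A BE59.exe\n" * 3
    + "PID 3052 wrote to memory of 1536 N/A N/A C782.exe\n" * 3
    + "PID 3052 wrote to memory of 2392 N/A N/A CCF2.exe\n" * 3
    + "PID 3052 wrote to memory of 2748 N/A N/A D30D.exe\n" * 3
    + "PID 3052 wrote to memory of 724 N/A N/A D800.exe\n" * 3
    + "PID 724 wrote to memory of 640 N/A D800.exe powershell.exe\n" * 3
    + "PID 3052 wrote to memory of 1484 N/A N/A E5BC.exe\n" * 3
    + "PID 2748 wrote to memory of 4288 N/A D30D.exe cmd.exe\n" * 3
    + "PID 4288 wrote to memory of 4324 N/A cmd.exe timeout.exe\n" * 3
    + "PID 724 wrote to memory of 4708 N/A D800.exe D800.exe\n" * 3
    + "PID 724 wrote to memory of 4720 N/A D800.exe D800.exe\n" * 8
    + "PID 4952 wrote to memory of 4976 N/A dtcvist dtcvist\n" * 6
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(text):
    """Collapse identical rows into {(src_pid, dst_pid): {"writes", "process", "target"}},
    keeping first-seen order (dict insertion order)."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        src, dst, _indicator, process, target = m.groups()
        key = (int(src), int(dst))
        edge = edges.setdefault(key, {"writes": 0, "process": process, "target": target})
        edge["writes"] += 1
    return edges


def image_of(pid, edges):
    """Best-known image for a PID: the target column of whoever wrote into it,
    otherwise the process column of its own writes, otherwise N/A."""
    for (_, dst), e in edges.items():
        if dst == pid:
            return e["target"]
    for (src, _), e in edges.items():
        if src == pid:
            return e["process"]
    return "N/A"


def roots(edges):
    """PIDs that wrote into others but were never written into: the tree roots."""
    targets = {dst for (_, dst) in edges}
    seen, out = set(), []
    for (src, _) in edges:
        if src not in targets and src not in seen:
            seen.add(src)
            out.append(src)
    return out


def self_injections(edges):
    """Pairs where a process wrote into another instance of its own image: the
    hollowing shape (spawn self suspended, overwrite, resume)."""
    return [(src, dst, e["writes"]) for (src, dst), e in edges.items()
            if e["process"] != "N/A" and e["process"] == e["target"]]


def render_tree(edges):
    """Indented text tree, one line per PID, with the write count on each edge."""
    children = defaultdict(list)
    for (src, dst) in edges:
        children[src].append(dst)
    lines = []

    def walk(pid, depth, writes):
        suffix = f" ({writes} writes)" if writes else ""
        lines.append("  " * depth + f"PID {pid} {image_of(pid, edges)}{suffix}")
        for child in children[pid]:
            walk(child, depth + 1, edges[(pid, child)]["writes"])

    for root in roots(edges):
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    graph = parse_rows(ROWS)
    print("\n".join(render_tree(graph)))
    for src, dst, n in self_injections(graph):
        print(f"self-injection: {src} -> {dst} ({image_of(dst, graph)}, {n} writes)")
```

The tree makes the three roots explicit (the submitted sample, the unnamed PID 3052, and the dtcvist copy) and puts the cmd.exe / timeout.exe self-delete chain under D30D.exe where it belongs. The same parser works on any sandbox export that keeps the "PID X wrote to memory of Y" wording.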

Processes

PIDs are taken from the WriteProcessMemory table above; each entry gives the image path as recorded, then the command line.

C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe (PID 636)

"C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe"

C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe (PID 824, second instance, written into by PID 636)

"C:\Users\Admin\AppData\Local\Temp\66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00.exe"

C:\Users\Admin\AppData\Local\Temp\BE59.exe (PID 736)

C:\Users\Admin\AppData\Local\Temp\BE59.exe

C:\Users\Admin\AppData\Local\Temp\C782.exe (PID 1536)

C:\Users\Admin\AppData\Local\Temp\C782.exe

C:\Users\Admin\AppData\Local\Temp\CCF2.exe (PID 2392)

C:\Users\Admin\AppData\Local\Temp\CCF2.exe

C:\Users\Admin\AppData\Local\Temp\D30D.exe (PID 2748)

C:\Users\Admin\AppData\Local\Temp\D30D.exe

C:\Users\Admin\AppData\Local\Temp\D800.exe (PID 724)

C:\Users\Admin\AppData\Local\Temp\D800.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 640, written into by PID 724, D800.exe)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

The -enc argument is base64 over UTF-16LE text and decodes to Start-Sleep -s 20: a 20-second delay and nothing else. The command line names System32 while the image ran from SysWOW64 because D800.exe is a 32-bit process (its CLR usage log sits under CLR_v4.0_32 in the Files section), so WoW64 file-system redirection served the 32-bit PowerShell.

C:\Users\Admin\AppData\Local\Temp\E5BC.exe (PID 1484)

C:\Users\Admin\AppData\Local\Temp\E5BC.exe

C:\Windows\SysWOW64\cmd.exe (PID 4288, written into by PID 2748, D30D.exe)

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D30D.exe"

C:\Windows\SysWOW64\timeout.exe (PID 4324, written into by PID 4288, cmd.exe)

timeout /T 10 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\D800.exe (PID 4708, written into by PID 724)

C:\Users\Admin\AppData\Local\Temp\D800.exe

C:\Users\Admin\AppData\Local\Temp\D800.exe (PID 4720, written into by PID 724; mapping dump at 0x41C5E2 in the Files section)

C:\Users\Admin\AppData\Local\Temp\D800.exe

C:\Users\Admin\AppData\Roaming\dtcvist (PID 4952)

C:\Users\Admin\AppData\Roaming\dtcvist

C:\Users\Admin\AppData\Roaming\dtcvist (PID 4976, written into by PID 4952; mapping dump at 0x402DCE, the same offset as PID 824)

C:\Users\Admin\AppData\Roaming\dtcvist
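The two script-host command lines in this section carry the run's timing and clean-up logic. The following Python is an added example, not part of the report, showing how to decode the -enc argument and how to flag the delay-then-delete pattern over a batch of command lines. The input list is constructed from this section; the ping -n alternative in the self-delete pattern is a general variant of the same trick, not something this sample used.

```python
import base64
import re

# Command lines copied from the Processes section of this report (constructed list, not live telemetry).
COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==',
    r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D30D.exe"',
    r'timeout /T 10 /NOBREAK',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_FLAG = re.compile(r'(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)')

# "timeout /T N ... & del <file.exe>"; "ping ... -n N" is the other common delay primitive.
DELAYED_DELETE = re.compile(
    r'(?i)\b(?:timeout\s+/t\s+(\d+)|ping\b[^&|]*-n\s+(\d+))'   # the delay, seconds or echo count
    r'[^&|]*(?:&&|&|\|\|)\s*del\b[^&|]*?"?([^\s"]+\.exe)"?'      # then a del of an .exe path
)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload is not valid base64/UTF-16LE


def find_delayed_self_delete(cmdline):
    """Return {"delay_s", "deleted"} for a cmd.exe delay-then-delete chain, or None."""
    m = DELAYED_DELETE.search(cmdline)
    if not m:
        return None
    return {"delay_s": int(m.group(1) or m.group(2)), "deleted": m.group(3)}


def triage(cmdline):
    """All findings for one command line as (label, detail) tuples; empty list if clean."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("encoded_powershell", decoded))
    delete = find_delayed_self_delete(cmdline)
    if delete is not None:
        findings.append(("delayed_self_delete", delete))
    return findings


if __name__ == "__main__":
    for line in COMMAND_LINES:
        print(line)
        for label, detail in triage(line):
            print(f"  {label}: {detail}")
```

The decoder deliberately accepts the short -e / -ec spellings, because a detection keyed on the literal string -enc misses a third of real-world encoded launches; the self-delete pattern anchors on the "delay, then del of an .exe" chain rather than on timeout.exe alone, which is used by plenty of benign batch files.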

Network

Identical rows are collapsed; Count is the number of connection rows in the original table (42 in total). A Domain of "-" means the report recorded none for that connection.

Country Destination Domain Proto Count
US 8.8.8.8:53 venerynnet1.top udp 1
US 8.8.8.8:53 kevonahira2.top udp 1
RU 45.144.67.29:80 kevonahira2.top tcp 26
NL 193.56.146.36:80 193.56.146.36 tcp 1
NL 190.2.145.108:12608 - tcp 1
US 8.8.8.8:53 iryarahara.xyz udp 1
RU 77.246.145.4:80 iryarahara.xyz tcp 1
US 8.8.8.8:53 telete.in udp 1
DE 195.201.225.248:443 telete.in tcp 1
RU 45.9.20.20:13441 - tcp 1
DE 74.119.192.122:80 74.119.192.122 tcp 1
US 8.8.8.8:53 api.ip.sb udp 1
US 104.26.12.31:443 api.ip.sb tcp 4
NL 45.67.231.145:10991 - tcp 1

8.8.8.8 is the sandbox's DNS resolver and api.ip.sb is a public external-IP lookup service; neither is an indicator of this sample and neither belongs on a blocklist. venerynnet1.top was resolved but never contacted. The bare-IP destinations on non-standard ports (190.2.145.108:12608, 45.9.20.20:13441, 45.67.231.145:10991) were reached without any DNS lookup in the capture, and 45.144.67.29 (kevonahira2.top) received 26 HTTP connections, by far the busiest channel of the run.
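To turn the table into something a blocklist can consume, the following Python is an added example, not from the report: it aggregates rows in the report's own format, sets aside shared infrastructure that must not be blocked (the 8.8.8.8 resolver and api.ip.sb, an assumption held in SHARED_INFRA), notes domains that were resolved but never contacted, and emits IP and domain lists. The input rows are constructed from this report's Network table.

```python
import ipaddress
import re
from collections import OrderedDict

# Rows constructed from this report's Network table; repeated rows reproduced by multiplication.
RAW = (
    "US 8.8.8.8:53 venerynnet1.top udp\n"
    "US 8.8.8.8:53 kevonahira2.top udp\n"
    + "RU 45.144.67.29:80 kevonahira2.top tcp\n" * 10
    + "NL 193.56.146.36:80 193.56.146.36 tcp\n"
    + "RU 45.144.67.29:80 kevonahira2.top tcp\n" * 5
    + "NL 190.2.145.108:12608 tcp\n"
    + "US 8.8.8.8:53 iryarahara.xyz udp\n"
    + "RU 77.246.145.4:80 iryarahara.xyz tcp\n"
    + "RU 45.144.67.29:80 kevonahira2.top tcp\n" * 3
    + "US 8.8.8.8:53 telete.in udp\n"
    + "DE 195.201.225.248:443 telete.in tcp\n"
    + "RU 45.9.20.20:13441 tcp\n"
    + "RU 45.144.67.29:80 kevonahira2.top tcp\n"
    + "DE 74.119.192.122:80 74.119.192.122 tcp\n"
    + "RU 45.144.67.29:80 kevonahira2.top tcp\n" * 7
    + "US 8.8.8.8:53 api.ip.sb udp\n"
    + "US 104.26.12.31:443 api.ip.sb tcp\n" * 3
    + "NL 45.67.231.145:10991 tcp\n"
    + "US 104.26.12.31:443 api.ip.sb tcp\n"
)

# Assumption: shared services that must not be blocked. 8.8.8.8 is the sandbox resolver and
# api.ip.sb a public external-IP lookup; adjust to whatever resolver your own sandbox uses.
SHARED_INFRA = {"8.8.8.8", "api.ip.sb"}

# "CC ip:port [domain] proto"; the domain column is absent on some rows.
ROW_RE = re.compile(r"^(\w{2}) (\S+?):(\d+)(?: (\S+))? (tcp|udp)$")


def aggregate(text):
    """Count identical rows, keyed by (ip, port, domain, proto) in first-seen order."""
    agg = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        key = (ip, int(port), domain or "", proto)
        agg[key] = agg.get(key, 0) + 1
    return agg


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def triage(agg, shared=SHARED_INFRA):
    """Split destinations into resolved-but-never-contacted domains, blockable IPs and
    domains, and shared-infrastructure rows that are reported but kept off the lists."""
    resolved, contacted_domains, contacted_ips, shared_rows = set(), set(), {}, []
    for (ip, port, domain, proto), n in agg.items():
        if port == 53 and proto == "udp":         # DNS query: remember what was looked up
            resolved.add(domain)
            continue
        if ip in shared or domain in shared:      # e.g. the api.ip.sb HTTPS calls
            shared_rows.append(((ip, port, domain, proto), n))
            continue
        contacted_ips[ip] = contacted_ips.get(ip, 0) + n
        if domain and not is_ip(domain):          # the report echoes the IP when no name is known
            contacted_domains.add(domain)
    resolved -= shared
    return {
        "resolved_only": sorted(resolved - contacted_domains),
        "block_ips": sorted(contacted_ips, key=ipaddress.ip_address),
        "block_domains": sorted(contacted_domains | resolved),
        "hits_per_ip": contacted_ips,
        "shared": shared_rows,
    }


if __name__ == "__main__":
    result = triage(aggregate(RAW))
    for key in ("resolved_only", "block_ips", "block_domains"):
        print(key, result[key])
    print("shared (not blocked):", result["shared"])
```

Domains that were only resolved still go on the domain list: a lookup with no follow-up connection usually means the sandbox run ended or the server was down, not that the domain is harmless. Destinations whose "domain" is the IP itself are kept on the IP list only, so the domain list never carries an address that a DNS sinkhole cannot act on.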

Files

memory/824-114-0x0000000000400000-0x0000000000408000-memory.dmp

memory/824-115-0x0000000000402DCE-mapping.dmp

memory/636-116-0x0000000000030000-0x0000000000039000-memory.dmp

memory/3052-117-0x00000000004D0000-0x00000000004E5000-memory.dmp

memory/736-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BE59.exe

MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA1 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
SHA512 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc

memory/736-122-0x0000000077C10000-0x0000000077D9E000-memory.dmp

memory/736-123-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/736-125-0x00000000059C0000-0x00000000059C1000-memory.dmp

memory/1536-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C782.exe

MD5 2276594f6417179702443734cc89341a
SHA1 2afd398c0408c5c41062a5ca0d43528e9a510ddf
SHA256 4c9c430cdca2a818a7c532a1ba924670bdd01e61f4e7d574123daab677e4c76e
SHA512 cb023e562b73a297eb3f2c1f6577fb33635af0da31d1264a60a664dc59bbce84d723a498dba54be34adffece90aa76ac4e269a3aad50559424b3dfe6ba0bbf85

memory/736-128-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/736-129-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/1536-131-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/736-135-0x0000000005330000-0x0000000005331000-memory.dmp

memory/1536-139-0x0000000077C10000-0x0000000077D9E000-memory.dmp

memory/736-138-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/1536-140-0x0000000005C30000-0x0000000006236000-memory.dmp

memory/2392-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CCF2.exe

MD5 6633b22ce7b8d409eb8182dedb23f7e5
SHA1 f7b8025329d2c2b751e19e8dbae75697562808e5
SHA256 b1a669d65e7b71816391d6ba9dc45ecae35592c88fd5977fff37e247d1cbbb6a
SHA512 39aa09296520dffad448529f8374a2e14c9c93c5459c232367df7040b0b1d4dadfc8a2f89f0493bb04b023e62e2319dd9b2a11cb17d9a220b057e50f2e690a1a

memory/736-144-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/2748-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D30D.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

memory/2392-149-0x00000000008F0000-0x000000000090F000-memory.dmp

memory/2392-151-0x00000000004B0000-0x00000000005FA000-memory.dmp

memory/724-152-0x0000000000000000-mapping.dmp

memory/2392-150-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/2392-157-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2748-159-0x0000000000AA0000-0x0000000000B72000-memory.dmp

memory/724-160-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2392-156-0x0000000002320000-0x000000000233E000-memory.dmp

memory/2392-165-0x00000000022D3000-0x00000000022D4000-memory.dmp

memory/2392-162-0x00000000022D2000-0x00000000022D3000-memory.dmp

memory/724-167-0x0000000004F40000-0x0000000004F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D800.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

memory/2392-153-0x0000000000400000-0x0000000000460000-memory.dmp

memory/724-170-0x0000000004F30000-0x0000000004F31000-memory.dmp

memory/2748-173-0x0000000000400000-0x0000000000563000-memory.dmp

memory/724-172-0x0000000004EA0000-0x000000000539E000-memory.dmp

memory/2392-171-0x00000000022D4000-0x00000000022D6000-memory.dmp

memory/640-174-0x0000000000000000-mapping.dmp

memory/640-177-0x0000000006D10000-0x0000000006D11000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/640-179-0x0000000007380000-0x0000000007381000-memory.dmp

memory/1484-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E5BC.exe

MD5 2eb8d558cadb3af8207aa1efb94158b2
SHA1 6390f07272cac9c0567a5a5b9b3749384c557934
SHA256 99c784beb7e2f090eeb58a15ad708d0eeb7dcb44996f836206fc8f0ca5e7a151
SHA512 53d9dc2bf9db3ed2b3c57329e499eaee20ed4b5ce3b992ad95905d2a4024cd6b468472d1965f02487b26bc6149c100430ebfb6514550dbebe3b8385ad3bbd675

memory/640-183-0x00000000072D0000-0x00000000072D1000-memory.dmp

memory/640-184-0x00000000079B0000-0x00000000079B1000-memory.dmp

memory/640-185-0x0000000004800000-0x0000000004801000-memory.dmp

memory/640-186-0x0000000004802000-0x0000000004803000-memory.dmp

memory/640-187-0x0000000007B20000-0x0000000007B21000-memory.dmp

memory/640-188-0x0000000007D20000-0x0000000007D21000-memory.dmp

memory/640-189-0x0000000008070000-0x0000000008071000-memory.dmp

memory/640-191-0x00000000084B0000-0x00000000084B1000-memory.dmp

memory/1484-192-0x0000000000930000-0x00000000009C0000-memory.dmp

memory/1484-193-0x0000000000400000-0x0000000000493000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

memory/736-198-0x0000000006D10000-0x0000000006D11000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

memory/1536-201-0x0000000007910000-0x0000000007911000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

nss3.dll, mozglue.dll, softokn3.dll and freebl3.dll are Mozilla NSS components and sqlite3.dll is the SQLite engine. Stealers drop these legitimate libraries so they can open Firefox login stores (NSS) and Chromium profile databases (SQLite), which is what the "Reads user/profile data of web browsers" signature reflects. The DLLs themselves are clean software, so their hashes identify the tooling rather than the malware; the indicator is their appearance under AppData\LocalLow next to the loader.

memory/640-214-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

memory/2392-215-0x0000000007300000-0x0000000007301000-memory.dmp

memory/640-216-0x0000000009190000-0x0000000009191000-memory.dmp

memory/736-224-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

memory/4288-226-0x0000000000000000-mapping.dmp

memory/4324-227-0x0000000000000000-mapping.dmp

memory/3052-229-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-228-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3052-230-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3052-231-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-233-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-232-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-235-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-234-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-236-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/3052-239-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-237-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-240-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-238-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/3052-241-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-243-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-242-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-245-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-244-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-247-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-246-0x0000000002980000-0x0000000002990000-memory.dmp

memory/724-249-0x00000000051A0000-0x00000000051D4000-memory.dmp

memory/724-250-0x0000000006A10000-0x0000000006A29000-memory.dmp

memory/4720-252-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4720-253-0x000000000041C5E2-mapping.dmp

memory/640-255-0x0000000004803000-0x0000000004804000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\D800.exe.log

MD5 9e7845217df4a635ec4341c3d52ed685
SHA1 d65cb39d37392975b038ce503a585adadb805da5
SHA256 d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
SHA512 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

memory/4720-264-0x0000000004EE0000-0x00000000054E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\dtcvist

MD5 8872a0810f84b22f76e9c01e4b8d19c7
SHA1 cd5c3b7ae7c1343d3b896e56db32085b9140f7bc
SHA256 66c921db2c6fdcd4a1e1fb49e8aee7a7f519ba35e3d9c0594aa2ae7a130b5f00
SHA512 4b5e962a3403cd6f871e083a7910e48a9a3e0682068be7b5536a842f5cf54ba7e6393e277d1041b66fd284fd052eedc7f28e728f8f62e72ea334198a5dca6a0f

The SHA256 equals that of the submitted sample: dtcvist is a byte-identical copy of the original, written under AppData\Roaming and run again (PIDs 4952 and 4976 in the WriteProcessMemory table). Its mapping dump memory/4976-275-0x0000000000402DCE matches memory/824-115-0x0000000000402DCE from the first run, so the copy performs the same self-injection. A copy like this normally serves persistence, but the report records no Run key, scheduled task or other autostart entry, so that part has to be confirmed from other evidence.

memory/4976-275-0x0000000000402DCE-mapping.dmp

memory/3052-277-0x00000000047D0000-0x00000000047E5000-memory.dmp

memory/3052-279-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-278-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3052-281-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-280-0x0000000004830000-0x0000000004840000-memory.dmp

memory/3052-282-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-283-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-285-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-284-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-287-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-286-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-288-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-289-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-292-0x0000000004830000-0x0000000004840000-memory.dmp

memory/3052-291-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-290-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-294-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-293-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-296-0x0000000002980000-0x0000000002990000-memory.dmp

memory/3052-295-0x0000000002980000-0x0000000002990000-memory.dmp