Analysis Overview
SHA256
58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
Threat Level: Known bad
The file 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42 was found to be: Known bad.
Malicious Activity Summary
Raccoon
RedLine Payload
RedLine
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Themida packer
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of local email clients
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2021-09-20 06:18 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2021-09-20 06:18 |
| Reported | 2021-09-20 06:20 |
| Platform | win10v20210408 |
| Max time kernel | 151s |
| Max time network | 100s |
| Command Line | N/A |
Signatures
Raccoon
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D944.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F4CE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D944.exe" | C:\Users\Admin\AppData\Local\Temp\D944.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 632 set thread context of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe |
| PID 1500 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\C60.exe | C:\Users\Admin\AppData\Local\Temp\C60.exe |
| PID 908 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\FB76.exe | C:\Users\Admin\AppData\Local\Temp\FB76.exe |
| PID 4288 set thread context of 4392 | N/A | C:\Users\Admin\AppData\Roaming\wisbiwi | C:\Users\Admin\AppData\Roaming\wisbiwi |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D944.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wisbiwi | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D944.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E54B.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EF8D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F4CE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | "C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe" |
| C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe | "C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe" |
| C:\Users\Admin\AppData\Local\Temp\D944.exe | C:\Users\Admin\AppData\Local\Temp\D944.exe |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2052 -s 1604 |
| C:\Users\Admin\AppData\Local\Temp\E54B.exe | C:\Users\Admin\AppData\Local\Temp\E54B.exe |
| C:\Users\Admin\AppData\Local\Temp\EF8D.exe | C:\Users\Admin\AppData\Local\Temp\EF8D.exe |
| C:\Users\Admin\AppData\Local\Temp\F4CE.exe | C:\Users\Admin\AppData\Local\Temp\F4CE.exe |
| C:\Users\Admin\AppData\Local\Temp\FB76.exe | C:\Users\Admin\AppData\Local\Temp\FB76.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA== |
| C:\Users\Admin\AppData\Local\Temp\700.exe | C:\Users\Admin\AppData\Local\Temp\700.exe |
| C:\Users\Admin\AppData\Local\Temp\C60.exe | C:\Users\Admin\AppData\Local\Temp\C60.exe |
| C:\Users\Admin\AppData\Local\Temp\C60.exe | C:\Users\Admin\AppData\Local\Temp\C60.exe |
| C:\Users\Admin\AppData\Local\Temp\FB76.exe | C:\Users\Admin\AppData\Local\Temp\FB76.exe |
| C:\Users\Admin\AppData\Local\Temp\FB76.exe | C:\Users\Admin\AppData\Local\Temp\FB76.exe |
| C:\Users\Admin\AppData\Roaming\wisbiwi | C:\Users\Admin\AppData\Roaming\wisbiwi |
| C:\Users\Admin\AppData\Roaming\wisbiwi | C:\Users\Admin\AppData\Roaming\wisbiwi |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | venerynnet1.top | udp |
| US | 8.8.8.8:53 | kevonahira2.top | udp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | a.uguu.se | udp |
| DE | 144.76.201.136:443 | a.uguu.se | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 193.56.146.36:80 | 193.56.146.36 | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 190.2.145.108:12608 | N/A | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | iryarahara.xyz | udp |
| RU | 77.246.145.4:80 | iryarahara.xyz | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.9.20.20:13441 | N/A | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 195.201.225.248:443 | telete.in | tcp |
| DE | 74.119.192.122:80 | 74.119.192.122 | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| DE | 78.46.130.193:39470 | N/A | tcp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| NL | 45.67.231.145:10991 | N/A | tcp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
Files
memory/632-114-0x0000000000030000-0x0000000000039000-memory.dmp
memory/804-116-0x0000000000402DCE-mapping.dmp
memory/804-115-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2428-117-0x0000000000410000-0x0000000000425000-memory.dmp
memory/2052-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D944.exe
| MD5 | ee067e8213ac1840757a56959635c1a3 |
| SHA1 | e96cf55bf0bbba1a2b0c5ec98f949a02e4325ed8 |
| SHA256 | 83b6ec39427a30d7b2e7002bce01b9f91596ed66a4151267311936e11e967776 |
| SHA512 | 4d68db6471addf91b5ea07f285d71f569ddacb8d3715b3766194f1a6590f77de8d1f1d063ff3a587aa93d7778944912cc2e467c05dea9ea1b16bf291c05655e3 |
C:\Users\Admin\AppData\Local\Temp\D944.exe
| MD5 | ee067e8213ac1840757a56959635c1a3 |
| SHA1 | e96cf55bf0bbba1a2b0c5ec98f949a02e4325ed8 |
| SHA256 | 83b6ec39427a30d7b2e7002bce01b9f91596ed66a4151267311936e11e967776 |
| SHA512 | 4d68db6471addf91b5ea07f285d71f569ddacb8d3715b3766194f1a6590f77de8d1f1d063ff3a587aa93d7778944912cc2e467c05dea9ea1b16bf291c05655e3 |
memory/2052-121-0x00000000006F0000-0x00000000006F1000-memory.dmp
memory/2052-123-0x0000000000EB0000-0x0000000000EB2000-memory.dmp
memory/3920-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E54B.exe
| MD5 | 9b739fca61cbe5a22bfe0b77cce75697 |
| SHA1 | 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd |
| SHA256 | c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201 |
| SHA512 | 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc |
C:\Users\Admin\AppData\Local\Temp\E54B.exe
| MD5 | 9b739fca61cbe5a22bfe0b77cce75697 |
| SHA1 | 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd |
| SHA256 | c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201 |
| SHA512 | 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc |
memory/3920-128-0x00000000779F0000-0x0000000077B7E000-memory.dmp
memory/3920-129-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
memory/3920-131-0x0000000005F30000-0x0000000005F31000-memory.dmp
memory/3920-132-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/3200-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EF8D.exe
| MD5 | 2276594f6417179702443734cc89341a |
| SHA1 | 2afd398c0408c5c41062a5ca0d43528e9a510ddf |
| SHA256 | 4c9c430cdca2a818a7c532a1ba924670bdd01e61f4e7d574123daab677e4c76e |
| SHA512 | cb023e562b73a297eb3f2c1f6577fb33635af0da31d1264a60a664dc59bbce84d723a498dba54be34adffece90aa76ac4e269a3aad50559424b3dfe6ba0bbf85 |
memory/3920-135-0x0000000005A30000-0x0000000005A31000-memory.dmp
memory/3920-137-0x0000000005920000-0x0000000005921000-memory.dmp
memory/3200-138-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/3920-144-0x0000000005910000-0x0000000005911000-memory.dmp
memory/3200-145-0x00000000779F0000-0x0000000077B7E000-memory.dmp
memory/3200-146-0x0000000005440000-0x0000000005A46000-memory.dmp
memory/2252-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F4CE.exe
| MD5 | dbb8cc09c83fb1c86f5c69a556377dfd |
| SHA1 | 5fe4d2c759bafa0b1327a173b675ca819b617f8f |
| SHA256 | a801c172436a41b7f91b86d202cce42cb78630f254a8f034d264abf61ab0e92d |
| SHA512 | e11d01a6cf1936fe18bc4313cf67d264d69c2e8ce8952c1abfb3a2068146cc60310a9dd05163f8650619ebfcd957faee27ace942d5795797fe6248e06bf2d5ac |
C:\Users\Admin\AppData\Local\Temp\F4CE.exe
| MD5 | dbb8cc09c83fb1c86f5c69a556377dfd |
| SHA1 | 5fe4d2c759bafa0b1327a173b675ca819b617f8f |
| SHA256 | a801c172436a41b7f91b86d202cce42cb78630f254a8f034d264abf61ab0e92d |
| SHA512 | e11d01a6cf1936fe18bc4313cf67d264d69c2e8ce8952c1abfb3a2068146cc60310a9dd05163f8650619ebfcd957faee27ace942d5795797fe6248e06bf2d5ac |
memory/3200-150-0x0000000005530000-0x0000000005531000-memory.dmp
memory/908-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB76.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
C:\Users\Admin\AppData\Local\Temp\FB76.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
memory/908-155-0x0000000000260000-0x0000000000261000-memory.dmp
memory/908-157-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/2252-158-0x0000000000970000-0x000000000098F000-memory.dmp
memory/908-159-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/2252-161-0x0000000002310000-0x000000000232E000-memory.dmp
memory/908-167-0x0000000004C50000-0x0000000004C51000-memory.dmp
memory/2252-168-0x0000000000460000-0x00000000005AA000-memory.dmp
memory/2252-169-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2252-170-0x0000000004C40000-0x0000000004C41000-memory.dmp
memory/2252-171-0x0000000004C42000-0x0000000004C43000-memory.dmp
memory/2252-172-0x0000000004C43000-0x0000000004C44000-memory.dmp
memory/908-173-0x0000000004AF0000-0x0000000004FEE000-memory.dmp
memory/2252-174-0x0000000004C44000-0x0000000004C46000-memory.dmp
memory/3832-175-0x0000000000000000-mapping.dmp
memory/2736-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\700.exe
| MD5 | 35ec99acde872d7b87a2a4a10bdfcc27 |
| SHA1 | b0a909f253d034603e39c976931ab5dd05a69962 |
| SHA256 | 846d07502acbd6b4000bc3f9ac071439ce82c1c5f5180f07bf754c71a06dd677 |
| SHA512 | fc1676c322a7e29962698c645188699df3980fc52a90fbef06ff67f404e35dc61a7850673a932e1d7e946889c99bd41dc267781b73332017ba0f1f725b52af7c |
C:\Users\Admin\AppData\Local\Temp\700.exe
| MD5 | 35ec99acde872d7b87a2a4a10bdfcc27 |
| SHA1 | b0a909f253d034603e39c976931ab5dd05a69962 |
| SHA256 | 846d07502acbd6b4000bc3f9ac071439ce82c1c5f5180f07bf754c71a06dd677 |
| SHA512 | fc1676c322a7e29962698c645188699df3980fc52a90fbef06ff67f404e35dc61a7850673a932e1d7e946889c99bd41dc267781b73332017ba0f1f725b52af7c |
memory/3832-181-0x0000000004720000-0x0000000004721000-memory.dmp
memory/3832-182-0x0000000007290000-0x0000000007291000-memory.dmp
memory/3832-183-0x0000000006C50000-0x0000000006C51000-memory.dmp
memory/3832-184-0x0000000006C52000-0x0000000006C53000-memory.dmp
memory/3832-185-0x0000000007180000-0x0000000007181000-memory.dmp
memory/3832-186-0x0000000007220000-0x0000000007221000-memory.dmp
memory/3832-187-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
memory/3832-188-0x0000000007B30000-0x0000000007B31000-memory.dmp
memory/1500-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C60.exe
| MD5 | 5fa1534cbc496093aa856dde4c536f3c |
| SHA1 | 5d9c144f207aa9680b01171bcc6163df35812ae3 |
| SHA256 | 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f |
| SHA512 | 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a |
C:\Users\Admin\AppData\Local\Temp\C60.exe
| MD5 | 5fa1534cbc496093aa856dde4c536f3c |
| SHA1 | 5d9c144f207aa9680b01171bcc6163df35812ae3 |
| SHA256 | 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f |
| SHA512 | 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a |
memory/1500-192-0x0000000000E30000-0x0000000000E31000-memory.dmp
memory/1500-194-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/1500-195-0x0000000005620000-0x0000000005621000-memory.dmp
memory/3832-196-0x0000000007980000-0x0000000007981000-memory.dmp
memory/1500-199-0x0000000005910000-0x0000000005911000-memory.dmp
memory/2736-200-0x0000000000980000-0x0000000000A10000-memory.dmp
memory/2736-201-0x0000000000400000-0x0000000000493000-memory.dmp
memory/3920-203-0x00000000071D0000-0x00000000071D1000-memory.dmp
memory/3920-204-0x00000000078D0000-0x00000000078D1000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
memory/2352-230-0x000000000041C606-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C60.exe
| MD5 | 5fa1534cbc496093aa856dde4c536f3c |
| SHA1 | 5d9c144f207aa9680b01171bcc6163df35812ae3 |
| SHA256 | 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f |
| SHA512 | 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C60.exe.log
| MD5 | 41fbed686f5700fc29aaccf83e8ba7fd |
| SHA1 | 5271bc29538f11e42a3b600c8dc727186e912456 |
| SHA256 | df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437 |
| SHA512 | 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034 |
memory/2352-241-0x0000000005270000-0x0000000005876000-memory.dmp
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
memory/3832-259-0x0000000006C53000-0x0000000006C54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB76.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
memory/4980-262-0x000000000041C5E2-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB76.exe
| MD5 | 6f89f4c0727ee98f5056839c492fc13f |
| SHA1 | bab3223bc4eda781998e4f7ce27f5e21aec6ab8b |
| SHA256 | eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a |
| SHA512 | 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FB76.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
memory/4980-272-0x0000000005070000-0x0000000005676000-memory.dmp
C:\Users\Admin\AppData\Roaming\wisbiwi
| MD5 | de94928c74b7e4f60a9a87c304b6fc0a |
| SHA1 | 30a9fbd7a2e091b3432559f386b90fd43e25a14b |
| SHA256 | 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42 |
| SHA512 | eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81 |
C:\Users\Admin\AppData\Roaming\wisbiwi
| MD5 | de94928c74b7e4f60a9a87c304b6fc0a |
| SHA1 | 30a9fbd7a2e091b3432559f386b90fd43e25a14b |
| SHA256 | 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42 |
| SHA512 | eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81 |
memory/4392-283-0x0000000000402DCE-mapping.dmp
C:\Users\Admin\AppData\Roaming\wisbiwi
| MD5 | de94928c74b7e4f60a9a87c304b6fc0a |
| SHA1 | 30a9fbd7a2e091b3432559f386b90fd43e25a14b |
| SHA256 | 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42 |
| SHA512 | eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81 |
memory/2428-285-0x0000000000490000-0x00000000004A5000-memory.dmp