Malware Analysis Report

2025-06-16 03:22

Sample ID 220508-hchcnscecj
Target 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca

Threat Level: Known bad

The file 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT Payload

BitRAT

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-08 06:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-08 06:35

Reported

2022-05-08 09:24

Platform

win7-20220414-en

Max time kernel

169s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"

Signatures

BitRAT

trojan bitrat

BitRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ojtkmq = "C:\\Users\\Admin\\AppData\\Roaming\\Fehulu\\Ojtkmq.url" C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2032 set thread context of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 set thread context of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 1004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 1004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 1004 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 2032 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 2032 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 2032 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2032 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe

"C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
DE 79.134.225.99:4898 N/A tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.59.81:443 myexternalip.com tcp
DE 79.134.225.99:4898 N/A tcp
US 34.117.59.81:443 myexternalip.com tcp

Files

memory/1004-54-0x0000000000C10000-0x0000000000E3A000-memory.dmp

memory/1004-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/1004-56-0x0000000000950000-0x000000000095A000-memory.dmp

memory/1004-57-0x0000000004630000-0x0000000004696000-memory.dmp

\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/2032-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/2032-62-0x0000000000AB0000-0x0000000000CDA000-memory.dmp

memory/2032-64-0x00000000022E0000-0x0000000002346000-memory.dmp

memory/1920-65-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-66-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-68-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-69-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-70-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-71-0x000000000040DA1E-mapping.dmp

memory/1920-73-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1920-75-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/1920-78-0x0000000000200000-0x000000000020A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Ojtkmq.url

MD5 1745f298ce618adb5c667e42b2e1b5c9
SHA1 66ab7e9f4dc3780fcc0b6d0ee31cb0259f2d2060
SHA256 9bcd11157e69126e6b191cfaee6e51104b364347fe6a20dcb64bce8bc47a1b74
SHA512 13bf2e06b196eb914c693ee28b9d7c03932026760f163248ca129f30178b1054d1bc6e99294e180d1b7ae1656f062a5ebaca6ef10ce8f189d8afb8dc67df094c

memory/1156-80-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-81-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-83-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-85-0x0000000000805D30-mapping.dmp

memory/1156-84-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-87-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-86-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-90-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-91-0x0000000000400000-0x0000000000807000-memory.dmp

memory/1156-92-0x0000000000400000-0x0000000000807000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-08 06:35

Reported

2022-05-08 09:23

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"

Signatures

BitRAT

trojan bitrat

BitRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ojtkmq = "C:\\Users\\Admin\\AppData\\Roaming\\Fehulu\\Ojtkmq.url" C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 1316 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 1316 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3676 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe

"C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
US 20.189.173.10:443 N/A tcp
US 52.109.8.21:443 N/A tcp
DE 67.24.27.254:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
DE 79.134.225.99:4898 N/A tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.59.81:443 myexternalip.com tcp
DE 79.134.225.99:4898 N/A tcp
US 34.117.59.81:443 myexternalip.com tcp

Files

memory/1316-130-0x0000000000CD0000-0x0000000000EFA000-memory.dmp

memory/1316-131-0x0000000005FB0000-0x0000000006554000-memory.dmp

memory/1316-132-0x0000000005910000-0x00000000059A2000-memory.dmp

memory/1316-133-0x00000000058B0000-0x00000000058BA000-memory.dmp

memory/3676-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/3044-137-0x0000000000000000-mapping.dmp

memory/1772-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/2952-140-0x0000000000000000-mapping.dmp

memory/4596-141-0x0000000000000000-mapping.dmp

memory/4596-142-0x0000000000400000-0x0000000000412000-memory.dmp

memory/396-143-0x0000000000000000-mapping.dmp

memory/4864-144-0x0000000000000000-mapping.dmp

memory/4864-147-0x0000000000400000-0x0000000000807000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

MD5 b2feac6aa6a89365b3f010a0cd34147d
SHA1 2faf499f54dbeb1dd46ab018b9f31b566711c432
SHA256 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512 d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

memory/4864-145-0x0000000000400000-0x0000000000807000-memory.dmp

memory/4864-148-0x0000000000400000-0x0000000000807000-memory.dmp

memory/4864-149-0x0000000000400000-0x0000000000807000-memory.dmp

memory/4864-150-0x0000000000400000-0x0000000000807000-memory.dmp

memory/4132-151-0x0000000000000000-mapping.dmp

memory/1396-153-0x0000000000000000-mapping.dmp

memory/4788-154-0x0000000000000000-mapping.dmp

memory/548-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Fehulu\Ojtkmq.url

MD5 1745f298ce618adb5c667e42b2e1b5c9
SHA1 66ab7e9f4dc3780fcc0b6d0ee31cb0259f2d2060
SHA256 9bcd11157e69126e6b191cfaee6e51104b364347fe6a20dcb64bce8bc47a1b74
SHA512 13bf2e06b196eb914c693ee28b9d7c03932026760f163248ca129f30178b1054d1bc6e99294e180d1b7ae1656f062a5ebaca6ef10ce8f189d8afb8dc67df094c