Malware Analysis Report

2024-11-15 08:41

Sample ID 220712-p889labcbq
Target 4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7
SHA256 4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral5
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7

Threat Level: Known bad

The file 4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7 was found to be: Known bad.

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

Modifies firewall policy service

BetaBot

Executes dropped EXE

Sets file execution options in registry

Loads dropped DLL

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer Protected Mode Banner

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-12 13:01

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-07-12 13:01

Reported

2022-07-12 18:13

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[./ioncube_loader_lin_5.4.so]

Signatures

N/A

Processes

./ioncube_loader_lin_5.4.so

[./ioncube_loader_lin_5.4.so]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 13:01

Reported

2022-07-12 18:15

Platform

win7-20220414-en

Max time kernel

44s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

Network

N/A

Files

memory/908-54-0x0000000000000000-mapping.dmp

memory/908-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

memory/908-56-0x00000000001A1000-0x00000000001AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 13:01

Reported

2022-07-12 18:16

Platform

win10v2004-20220414-en

Max time kernel

93s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 396 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 396 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1

Network

Country | Destination | Domain | Proto
NL | 20.50.201.200:443 | | tcp
NL | 67.26.111.254:80 | | tcp
NL | 67.26.111.254:80 | | tcp
NL | 67.26.111.254:80 | | tcp

Files

memory/5080-130-0x0000000000000000-mapping.dmp

memory/5080-131-0x0000000000720000-0x0000000000737000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-12 13:01

Reported

2022-07-12 18:16

Platform

win7-20220414-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe C:\Users\Admin\AppData\Roaming\1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Roaming\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "sxq.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\betab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\betab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\1.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Explorer.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1932 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1932 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1932 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1124 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1932 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1932 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1932 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1932 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1268 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1320 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1096 wrote to memory of 1916 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\betab.exe

"C:\Users\Admin\AppData\Local\Temp\betab.exe"

C:\Users\Admin\AppData\Roaming\2.exe

"C:\Users\Admin\AppData\Roaming\2.exe"

C:\Users\Admin\AppData\Roaming\1.exe

"C:\Users\Admin\AppData\Roaming\1.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country | Destination | Domain | Proto
NL | 142.250.179.142:80 | | tcp
NL | 142.250.179.142:80 | | tcp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
RU | 80.87.198.206:43548 | | tcp
RU | 194.58.92.63:43548 | | tcp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 20.109.209.108:80 | update.microsoft.com | tcp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
NL | 185.212.128.200:80 | | tcp
NL | 185.212.128.200:80 | | tcp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
US | 8.8.8.8:53 | google-public-dns-a.google.com | udp
NL | 142.250.179.142:80 | | tcp
NL | 142.250.179.142:80 | | tcp
NL | 185.212.128.200:80 | | tcp

Files

memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

\Users\Admin\AppData\Roaming\2.exe

MD5 5adfa47d7c60b040350f0030c73e4a8f
SHA1 cd396b9c81718a20f34413f73082690051a708e3
SHA256 e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
SHA512 ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a

memory/1124-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\2.exe

MD5 5adfa47d7c60b040350f0030c73e4a8f
SHA1 cd396b9c81718a20f34413f73082690051a708e3
SHA256 e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
SHA512 ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a

memory/1320-59-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-60-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-62-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-63-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-64-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-65-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-66-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-67-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1320-69-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1124-70-0x0000000000400000-0x0000000000426000-memory.dmp

\Users\Admin\AppData\Roaming\1.exe

MD5 9c94decb82adea9cf528ddb56ff5fef1
SHA1 d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
SHA256 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
SHA512 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

memory/948-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\1.exe

MD5 9c94decb82adea9cf528ddb56ff5fef1
SHA1 d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
SHA256 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
SHA512 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

memory/948-76-0x0000000001B70000-0x0000000001BD6000-memory.dmp

memory/948-78-0x0000000000400000-0x0000000000443000-memory.dmp

memory/948-80-0x0000000001B70000-0x0000000001BD6000-memory.dmp

memory/948-81-0x00000000003C0000-0x00000000003CD000-memory.dmp

memory/1320-79-0x0000000002220000-0x0000000002235000-memory.dmp

memory/948-82-0x0000000002270000-0x000000000227C000-memory.dmp

C:\Users\Admin\AppData\Roaming\2.exe

MD5 5adfa47d7c60b040350f0030c73e4a8f
SHA1 cd396b9c81718a20f34413f73082690051a708e3
SHA256 e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
SHA512 ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a

C:\Users\Admin\AppData\Roaming\1.exe

MD5 9c94decb82adea9cf528ddb56ff5fef1
SHA1 d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
SHA256 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
SHA512 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

memory/1096-85-0x0000000000000000-mapping.dmp

memory/1096-87-0x0000000073E91000-0x0000000073E93000-memory.dmp

memory/948-88-0x0000000000400000-0x0000000000435000-memory.dmp

memory/948-89-0x0000000001B70000-0x0000000001BD6000-memory.dmp

memory/1096-90-0x0000000076F10000-0x0000000077090000-memory.dmp

memory/1096-91-0x0000000000110000-0x00000000001B9000-memory.dmp

memory/1096-92-0x00000000008F0000-0x00000000008FC000-memory.dmp

memory/1320-93-0x0000000002210000-0x0000000002216000-memory.dmp

memory/1320-94-0x0000000002220000-0x0000000002235000-memory.dmp

memory/1096-95-0x0000000076F10000-0x0000000077090000-memory.dmp

memory/1096-96-0x0000000000110000-0x00000000001B9000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-07-12 13:01

Reported

2022-07-12 18:16

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

144s

Command Line

C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe C:\Users\Admin\AppData\Roaming\1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Roaming\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "jzgyjwump.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Explorer.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\1.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
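The rows above describe a two-stage injection: betab.exe (PID 1348) writes into the two executables it dropped, 2.exe (4376) and 1.exe (2576), and each of those writes into a copy of the shell, Explorer.EXE (3032) and SysWOW64\explorer.exe (2088). Read together with the token table, the injected SysWOW64\explorer.exe is also the process that afterwards adjusts SeDebugPrivilege, SeLoadDriverPrivilege and SeCreateTokenPrivilege. The Python below is an added example, not part of the sandbox report or of the tooling that produced it: it parses rows in exactly the format printed above, rebuilds the writer-to-target chains, flags writes whose target image lives under C:\Windows, and joins those targets with the privilege rows. Assumptions: the join is on image path because the token table carries no PIDs; the LUID 33 name comes from winnt.h; the HIGH_VALUE set is my own choice of privileges worth flagging.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the WriteProcessMemory rows above, copied as they appear
# (the Indicator column is N/A throughout).
WPM_TABLE = r"""
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1348 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 1348 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\betab.exe C:\Users\Admin\AppData\Roaming\1.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
PID 2576 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\1.exe C:\Windows\SysWOW64\explorer.exe
"""
# Constructed input: a subset of the token rows above for the two injection
# targets. That table carries no PIDs, so the join below is on image path.
TOKEN_TABLE = r"""
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
"""
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) N/A (\S+) N/A$")
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}  # LUID 33 in winnt.h
# Assumption: privileges a shell process has no reason to adjust, a payload does.
HIGH_VALUE = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeCreateTokenPrivilege",
              "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege"}

def _rows(table, regex):
    """Yield the capture groups of every row; a row that does not parse is a bug."""
    for line in table.strip().splitlines():
        m = regex.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        yield m.groups()

def parse_wpm(table):
    """Count writes per (writer pid, writer image, target pid, target image)."""
    edges = Counter()
    for src, dst, src_img, dst_img in _rows(table, ROW_RE):
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges

def injection_chains(edges):
    """Follow writer->target edges from roots (never written into) to leaves."""
    children, image = defaultdict(set), {}
    for src, src_img, dst, dst_img in edges:
        children[src].add(dst)
        image[src], image[dst] = src_img, dst_img
    roots = sorted(set(image) - {dst for _, _, dst, _ in edges})
    chains = []

    def walk(pid, path):
        path = path + [pid]
        nxt = sorted(children[pid] - set(path))  # a cycle ends the chain
        if not nxt:
            chains.append([image[p].rsplit("\\", 1)[-1] + f"({p})" for p in path])
        for c in nxt:
            walk(c, path)

    for root in roots:
        walk(root, [])
    return chains

def system_process_targets(edges):
    """Writes into an image under C:\\Windows: injection into a trusted host."""
    hits = Counter()
    for (_, _, _, dst_img), n in edges.items():
        if dst_img.lower().startswith("c:\\windows\\"):
            hits[dst_img] += n
    return dict(hits)

def injected_hosts_with_high_value_privs(edges, token_table):
    """Injection targets that afterwards adjusted a HIGH_VALUE privilege."""
    privs = defaultdict(set)
    for priv, img in _rows(token_table, TOKEN_RE):
        privs[img].add(LUID_NAMES.get(priv, priv))
    return {img: sorted(privs[img] & HIGH_VALUE)
            for img in system_process_targets(edges) if privs[img] & HIGH_VALUE}
```

On this report the chains come out as betab.exe(1348) -> 1.exe(2576) -> explorer.exe(2088) and betab.exe(1348) -> 2.exe(4376) -> Explorer.EXE(3032), with ten writes into Explorer.EXE and three into the SysWOW64 copy; only the SysWOW64 copy, the one that later crashed under WerFault, shows up with the high-value privileges. The join on image path is the weak point of this check: with PIDs in the token table it would be a join on PID instead.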

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\betab.exe

"C:\Users\Admin\AppData\Local\Temp\betab.exe"

C:\Users\Admin\AppData\Roaming\2.exe

"C:\Users\Admin\AppData\Roaming\2.exe"

C:\Users\Admin\AppData\Roaming\1.exe

"C:\Users\Admin\AppData\Roaming\1.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1064

Network

Country Destination Domain Proto
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
RU 80.87.198.206:43548 - tcp
RU 194.58.92.63:43548 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 20.44.10.122:443 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 93.184.220.29:80 - tcp
FR 2.22.147.96:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
NL 8.248.7.254:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
NL 8.248.7.254:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
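The network table is flat: fifteen lookups against the Google resolver, two TCP connections to Russian hosts on the same non-standard port 43548, and a handful of port 80/443 destinations that cannot be judged without the HTTP content. The Python below is an added example and not part of the sandbox report: it parses rows in the format printed above, collapses them per destination, buckets the resolver traffic away from the rest, singles out distinct hosts reached on the same uncommon port (the shape of a configured C2 port with fallback servers), and emits a Suricata rule per suspect destination. Assumptions: the RESOLVERS and COMMON_PORTS sets, the bucket names, the rule message text and the SID range are mine, not something the report states.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed input: the Network rows above, "-" where the Domain column is
# empty (the parser also takes the three-field form of the raw export).
NETWORK_TABLE = """\
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
RU 80.87.198.206:43548 - tcp
RU 194.58.92.63:43548 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 20.44.10.122:443 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 93.184.220.29:80 - tcp
FR 2.22.147.96:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
NL 8.248.7.254:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
NL 8.248.7.254:80 - tcp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
US 8.8.8.8:53 google-public-dns-a.google.com udp
"""
# Assumptions: resolver noise to separate out, and ports that need content to judge.
RESOLVERS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4")}
COMMON_PORTS = {53, 80, 443}

def parse_network(table):
    """One dict per row; the Domain cell is None when the sandbox had none."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:  # raw export with no Domain cell at all
            parts.insert(2, "-")
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "proto": proto,
                     "domain": None if domain == "-" else domain})
    return rows

def triage(rows):
    """Collapse the flat table per destination and bucket each destination."""
    counts = Counter((r["proto"], r["ip"], r["port"]) for r in rows)
    buckets = {"dns_resolver": [], "suspect_c2": [], "web_needs_content": []}
    for (proto, ip, port), n in sorted(counts.items(),
                                       key=lambda kv: (int(kv[0][1]), kv[0][2])):
        entry = {"proto": proto, "ip": str(ip), "port": port, "hits": n}
        if proto == "udp" and port == 53 and ip in RESOLVERS:
            buckets["dns_resolver"].append(entry)  # queried names are not in this table
        elif port not in COMMON_PORTS:
            buckets["suspect_c2"].append(entry)  # non-standard port, no hostname
        else:
            buckets["web_needs_content"].append(entry)  # 80/443: read the HTTP stream
    return buckets

def shared_uncommon_ports(rows):
    """Distinct hosts reached on the same non-standard port -> {port: [ips]}."""
    hosts = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["port"] not in COMMON_PORTS:
            hosts[r["port"]].add(str(r["ip"]))
    return {port: sorted(ips) for port, ips in hosts.items() if len(ips) > 1}

def suricata_rules(buckets, base_sid=9000001):
    """One alert per suspect destination; SIDs chosen in the local (>= 1000000) range."""
    return [
        f'alert tcp $HOME_NET any -> {e["ip"]} {e["port"]} '
        f'(msg:"BetaBot sample 4a833b84 C2 candidate {e["ip"]}:{e["port"]}"; '
        f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, e in enumerate(buckets["suspect_c2"])
    ]
```

The port-based split is deliberately coarse: it puts 80.87.198.206 and 194.58.92.63 in the suspect bucket because nothing legitimate in a sandbox run speaks to two fresh hosts on port 43548, and it refuses to call the port 80/443 destinations clean or dirty from the table alone. The rules it emits are host-and-port indicators, which is all this table supports; a content match would need the PCAP.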

Files

memory/4376-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\2.exe

MD5 5adfa47d7c60b040350f0030c73e4a8f
SHA1 cd396b9c81718a20f34413f73082690051a708e3
SHA256 e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
SHA512 ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a

memory/4376-132-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2576-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\1.exe

MD5 9c94decb82adea9cf528ddb56ff5fef1
SHA1 d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
SHA256 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
SHA512 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

memory/2576-136-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3032-137-0x0000000001450000-0x0000000001465000-memory.dmp

memory/2576-138-0x00000000022F0000-0x0000000002356000-memory.dmp

memory/2576-139-0x00000000022F0000-0x0000000002356000-memory.dmp

memory/2576-141-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\2.exe

MD5 5adfa47d7c60b040350f0030c73e4a8f
SHA1 cd396b9c81718a20f34413f73082690051a708e3
SHA256 e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
SHA512 ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a

C:\Users\Admin\AppData\Roaming\1.exe

MD5 9c94decb82adea9cf528ddb56ff5fef1
SHA1 d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
SHA256 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
SHA512 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

memory/2088-144-0x0000000000000000-mapping.dmp

memory/2576-145-0x00000000027F0000-0x00000000027FC000-memory.dmp

memory/2576-146-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2576-147-0x00000000022F0000-0x0000000002356000-memory.dmp

memory/2088-148-0x0000000000AE0000-0x0000000000F13000-memory.dmp

memory/2088-149-0x0000000001220000-0x00000000012C9000-memory.dmp

memory/2088-150-0x0000000001680000-0x000000000168D000-memory.dmp

memory/2088-151-0x0000000001220000-0x00000000012C9000-memory.dmp

memory/3032-152-0x0000000001450000-0x0000000001465000-memory.dmp