Malware Analysis Report

2025-06-16 01:04

Sample ID 221123-t6ttcaga99
Target f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
SHA256 f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471

Threat Level: Known bad

The file f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Executes dropped EXE

Modifies Installed Components in the registry

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 16:40

Reported

2022-11-23 18:23

Platform

win7-20220812-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (17 hits, no indicator or process details recorded)

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\722lif3 muaway 2014³.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\722lif3 muaway 2014³.exe.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A
File created C:\Windows\722lif3 muaway 2014³.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A
File opened for modification C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\svchost\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 1356 (12 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe
PID 1356 wrote to memory of 1664 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\SysWOW64\svchost.exe
PID 1356 wrote to memory of 1504 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\SysWOW64\explorer.exe
PID 1356 wrote to memory of 1184 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\722lif3 muaway 2014³.exe
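The registry and WriteProcessMemory tables above carry the two facts an analyst acts on: the persistence entries all point at C:\Windows\svchost\svchost.exe (a directory named svchost, not the real binary in System32 or SysWOW64), and the injection chain runs sample -> same-image child -> SysWOW64\svchost.exe / explorer.exe / dropped payload. The script below is an added example written for this page, not part of the sandbox report or of any tool it was produced by. It parses rows in the exact layout used in these tables, splits the doubled-backslash command strings, flags system-binary names running from non-system directories, classifies each persistence key (Active Setup StubPath versus Run value), and collapses the repeated injection rows into one edge per PID pair with a count and a target class. The SYSTEM_DIRS and SYSTEM_NAMES lists are the editor's assumptions, and the sample rows are the ones from the behavioral1 tables.

```python
import re
from collections import Counter

# Paths exactly as they appear in the behavioral1 tables of this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe")
DROPPED = r"C:\Windows\722lif3 muaway 2014³.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node"
HKU = r"\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000"

# Sample input: registry rows copied from the tables above. The report doubles
# backslashes inside the quoted value and ends every row with the Target column (N/A).
REGISTRY_ROWS = [
    "Set value (str) " + HKLM + r"\Microsoft\Active Setup\Installed Components"
    r"\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath"
    r' = "C:\\Windows\\svchost\\svchost.exe restart" ' + EXPLORER32 + " N/A",
    "Set value (str) " + HKLM + r"\Microsoft\Windows\CurrentVersion\Run\Win32"
    r' = "C:\\Windows\\svchost\\svchost.exe" ' + EXPLORER32 + " N/A",
    "Set value (str) " + HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender"
    r' = "C:\\Windows\\svchost\\svchost.exe" ' + SVCHOST32 + " N/A",
    "Set value (str) " + HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\System32"
    r' = "C:\\Windows\\svchost\\svchost.exe" ' + EXPLORER32 + " N/A",
]

def injection_row(src, dst, src_img, dst_img):
    return "PID %d wrote to memory of %d N/A %s %s" % (src, dst, src_img, dst_img)

# The 26 WriteProcessMemory rows of behavioral1, reproduced with their repeat counts.
INJECTION_ROWS = (
    [injection_row(560, 1356, SAMPLE, SAMPLE)] * 12
    + [injection_row(1356, 1664, SAMPLE, SVCHOST32)] * 5
    + [injection_row(1356, 1504, SAMPLE, EXPLORER32)] * 5
    + [injection_row(1356, 1184, SAMPLE, DROPPED)] * 4
)

REG_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<writer>.+?) N/A$')
INJ_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$")

# Editor's assumption: where the genuine copies of these binaries live. svchost.exe in
# particular never runs from anywhere but System32/SysWOW64.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def split_command(value):
    """Undo the report's doubled backslashes and split 'image args' at the first .exe."""
    value = value.replace("\\\\", "\\")
    idx = value.lower().find(".exe")
    if idx < 0:
        return value, ""
    return value[: idx + 4], value[idx + 4:].strip()

def masquerades_as_system_binary(image):
    """True when a well-known system binary name runs from a directory it never lives in."""
    directory, _, name = image.lower().rpartition("\\")
    return name in SYSTEM_NAMES and directory not in SYSTEM_DIRS

def classify_key(key):
    low = key.lower()
    if "\\active setup\\installed components\\" in low and low.endswith("\\stubpath"):
        return "active_setup_stubpath"   # runs at logon per user, before the Run keys
    if "\\currentversion\\run\\" in low:
        return "run_key"
    return None

def analyze_registry(rows):
    """One finding per persistence row: technique, hive, value name, image, args, masquerade flag."""
    findings = []
    for row in rows:
        m = REG_RE.match(row)
        technique = classify_key(m["key"]) if m else None
        if technique is None:
            continue
        image, args = split_command(m["value"])
        findings.append({
            "technique": technique, "writer": m["writer"],
            "hive": "HKLM" if m["key"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU",
            "value_name": m["key"].rsplit("\\", 1)[-1],
            "image": image, "args": args,
            "masquerade": masquerades_as_system_binary(image),
        })
    return findings

def analyze_injections(rows):
    """Collapse repeated WriteProcessMemory rows into one edge per (src, dst) with a count."""
    edges = Counter()
    for row in rows:
        m = INJ_RE.match(row)
        if m:
            edges[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    findings = []
    for (src, dst, src_img, dst_img), writes in sorted(edges.items()):
        if src_img.lower() == dst_img.lower():
            kind = "same-image child"    # with SetThreadContext in the report: hollowing pattern
        elif dst_img.lower().rsplit("\\", 1)[-1] in SYSTEM_NAMES:
            kind = "system process"
        else:
            kind = "dropped payload"
        findings.append({"src": src, "dst": dst, "target": dst_img, "kind": kind, "writes": writes})
    return findings

if __name__ == "__main__":
    for f in analyze_registry(REGISTRY_ROWS):
        print(f["technique"], f["hive"], f["value_name"], "->", f["image"], f["args"], f["masquerade"])
    for f in analyze_injections(INJECTION_ROWS):
        print("%d -> %d %-16s %2d writes  %s" % (f["src"], f["dst"], f["kind"], f["writes"], f["target"]))
```

The masquerade check is the part worth keeping in a detection rule: a Run or StubPath value whose image is named svchost.exe but sits outside System32/SysWOW64 is a strong signal on its own, independent of the XtremeRAT family. The Active Setup entry is the one most often missed during cleanup; note it carries the argument "restart", so the binary distinguishes a logon start from a Run-key start.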

Processes

C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\722lif3 muaway 2014³.exe

"C:\Windows\722lif3 muaway 2014³.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp

Files

memory/1356-56-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-57-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-59-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-60-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-61-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-62-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-63-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-66-0x000000001000D0F4-mapping.dmp

memory/1356-65-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-67-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-68-0x0000000076041000-0x0000000076043000-memory.dmp

memory/1356-69-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1356-70-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1664-73-0x0000000000000000-mapping.dmp

memory/1664-75-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1504-78-0x0000000000000000-mapping.dmp

memory/1356-82-0x0000000010000000-0x0000000010065000-memory.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/1184-80-0x0000000000000000-mapping.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/1504-84-0x00000000743B1000-0x00000000743B3000-memory.dmp

memory/1184-85-0x0000000000CC0000-0x0000000000CE2000-memory.dmp

memory/1504-87-0x0000000010000000-0x0000000010065000-memory.dmp

C:\Windows\svchost\svchost.exe

MD5 18ec82e6803a882e6409399d5fefb810
SHA1 b1a9b23927bc033f7df59a93349fce0416ad3f5a
SHA256 f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
SHA512 f9b29cb3a4a9412322b5e19939372d74578c1764288a2caf439340feabc3f74dc248d728722c10739db860cfb1e35d0064a25ce294474e0e7cb044b443b3a0d6

memory/1184-89-0x0000000004BC5000-0x0000000004BD6000-memory.dmp

memory/1664-90-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1504-91-0x0000000010000000-0x0000000010065000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 16:40

Reported

2022-11-23 18:23

Platform

win10v2004-20220812-en

Max time kernel

157s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (11 hits, no indicator or process details recorded)

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\722lif3 muaway 2014³.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\722lif3 muaway 2014³.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A
File opened for modification C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\svchost\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\722lif3 muaway 2014³.exe.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2408 (13 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe
PID 2408 wrote to memory of 2312 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\SysWOW64\svchost.exe
PID 2408 wrote to memory of 8 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\SysWOW64\explorer.exe
PID 2408 wrote to memory of 4580 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe C:\Windows\722lif3 muaway 2014³.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe

"C:\Users\Admin\AppData\Local\Temp\f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 480

(WerFault.exe was invoked twice for PID 2312, the SysWOW64\svchost.exe that received the injected code in the WriteProcessMemory table above. This is the "Program crash" entry in the summary: the injected code did not run cleanly in the Windows 10 svchost.exe host, whereas the Windows 7 run shows no crash. The persistence entries were still written, by the injected explorer.exe.)

C:\Windows\722lif3 muaway 2014³.exe

"C:\Windows\722lif3 muaway 2014³.exe"

Network

Country Destination Domain Proto Count
N/A 209.197.3.8:80 N/A tcp 3
N/A 93.184.220.29:80 N/A tcp 1
N/A 13.69.109.130:443 N/A tcp 1
N/A 104.80.225.205:443 N/A tcp 1
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp 25

The only sample-specific indicator here is the dynamic-DNS name muawayhue2.no-ip.org, queried 25 times during the 160 s run with no TCP session tied to it in the capture. The four TCP destinations carry no domain; on a win10 image, direct port 80/443 connections with no associated query are usually OS background traffic, so do not treat them as C2 unless the pcap ties them to the sample's processes.
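The repeated lookups of a no-ip.org name are the network-side signal worth turning into a hunt: a RAT whose dynamic-DNS C2 does not resolve (or whose resolver answer was not recorded, as here) sits in a retry loop that shows up as the same client querying the same DDNS name many times in a short window. The script below is an added example written for this page, not part of the report or of the sandbox. It runs over a constructed resolver log (one line per query; the 25 lookups of muawayhue2.no-ip.org match the count above, but the six-second spacing, the NXDOMAIN response and the two benign names are constructed), matches names against a starter list of dynamic-DNS zones that is the editor's assumption, and rates each hit by the largest number of queries seen in any sliding window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Starter list of dynamic-DNS zones (an assumption for this example; extend it locally).
DDNS_ZONES = ("no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org", "zapto.org", "sytes.net")

# Constructed resolver log, "<iso-time>Z <client> query: <name> <type> rcode=<code>" per line.
# The 25 lookups of the C2 name match the table above; timing and response codes are constructed.
def _constructed_log():
    base = datetime(2022, 11, 23, 16, 41, 0)
    fmt = "%sZ 10.0.2.15 query: %s"
    lines = [fmt % (base.isoformat(), "www.microsoft.com A rcode=NOERROR")]
    for i in range(25):
        lines.append(fmt % ((base + timedelta(seconds=3 + 6 * i)).isoformat(),
                            "muawayhue2.no-ip.org A rcode=NXDOMAIN"))
    lines.append(fmt % ((base + timedelta(minutes=2)).isoformat(), "example.ddns.net A rcode=NOERROR"))
    return lines

CONSTRUCTED_LOG = _constructed_log()

LINE_RE = re.compile(r"^(?P<ts>\S+)Z (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+) rcode=(?P<rcode>\S+)$")

def parse_dns_log(lines):
    """Parse the constructed log format; unparseable lines are skipped, not raised."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
                            "qname": m["qname"].lower().rstrip("."), "rcode": m["rcode"]})
    return records

def ddns_zone(qname):
    """Return the DDNS zone a name belongs to, or None. Exact zone and subdomains both match."""
    q = qname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if q == zone or q.endswith("." + zone):
            return zone
    return None

def max_in_window(timestamps, window_s):
    """Largest number of events falling inside any window_s-second sliding window."""
    ts = sorted(timestamps)
    best = j = 0
    for i, t in enumerate(ts):
        while ts[j] < t - timedelta(seconds=window_s):
            j += 1
        best = max(best, i - j + 1)
    return best

def hunt(records, window_s=300, min_burst=10):
    """List every (client, DDNS name) pair; rate it high when the name is hammered in one window."""
    by_key = defaultdict(list)
    for r in records:
        zone = ddns_zone(r["qname"])
        if zone:
            by_key[(r["client"], r["qname"], zone)].append(r)
    hits = []
    for (client, qname, zone), recs in by_key.items():
        burst = max_in_window([r["ts"] for r in recs], window_s)
        hits.append({"client": client, "qname": qname, "zone": zone,
                     "queries": len(recs), "burst": burst,
                     "rcodes": dict(Counter(r["rcode"] for r in recs)),
                     "severity": "high" if burst >= min_burst else "low"})
    return sorted(hits, key=lambda h: -h["queries"])

if __name__ == "__main__":
    for h in hunt(parse_dns_log(CONSTRUCTED_LOG)):
        print(h["severity"], h["client"], h["qname"], h["queries"], "queries, burst", h["burst"], h["rcodes"])
```

A single query to a DDNS zone is only a low-severity lead, since home and small-office hosts use these services legitimately; the burst count is what separates a beaconing implant from that noise. The rcode breakdown is kept because a name that never resolves during the observation window, as in this detonation, still identifies the infected client even though no C2 session was ever established.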

Files

memory/2408-134-0x0000000000000000-mapping.dmp

memory/2408-135-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2408-136-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2408-137-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2312-138-0x0000000000000000-mapping.dmp

memory/8-139-0x0000000000000000-mapping.dmp

memory/2408-140-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2312-141-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2312-142-0x0000000010000000-0x0000000010065000-memory.dmp

memory/8-143-0x0000000010000000-0x0000000010065000-memory.dmp

memory/4580-144-0x0000000000000000-mapping.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/2408-146-0x0000000010000000-0x0000000010065000-memory.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/4580-148-0x0000000000A80000-0x0000000000AA2000-memory.dmp

memory/4580-149-0x00000000053E0000-0x000000000547C000-memory.dmp

memory/4580-150-0x0000000005A60000-0x0000000006004000-memory.dmp

memory/4580-151-0x0000000005550000-0x00000000055E2000-memory.dmp

memory/4580-152-0x00000000054E0000-0x00000000054EA000-memory.dmp

memory/4580-153-0x00000000056E0000-0x0000000005736000-memory.dmp