Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-t6xj8sbb2x
Target 83bf9f0a603b75b975defd92d7221dde78809b5a40e3f191b95d6a22abe2c004
SHA256 83bf9f0a603b75b975defd92d7221dde78809b5a40e3f191b95d6a22abe2c004
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83bf9f0a603b75b975defd92d7221dde78809b5a40e3f191b95d6a22abe2c004

Threat Level: Known bad

The file 83bf9f0a603b75b975defd92d7221dde78809b5a40e3f191b95d6a22abe2c004 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

XtremeRAT

Detect XtremeRAT payload

Executes dropped EXE

Modifies Installed Components in the registry

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 16:40

Reported

2022-11-23 18:12

Platform

win7-20220901-en

Max time kernel

152s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\722lif3 muaway 2014³.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1760 set thread context of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\722lif3 muaway 2014³.exe.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
File created C:\Windows\722lif3 muaway 2014³.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
File opened for modification C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\svchost\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1760 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 1860 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 1860 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 1860 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 1860 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 1860 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 1860 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 1860 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 1860 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 1860 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 1860 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 1860 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe
PID 1860 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe
PID 1860 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe
PID 1860 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\722lif3 muaway 2014³.exe

"C:\Windows\722lif3 muaway 2014³.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp

Files

memory/1860-56-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-57-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-59-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-60-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-61-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-63-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-62-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-66-0x000000001000D0F4-mapping.dmp

memory/1860-65-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-68-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

memory/1860-69-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-67-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1860-70-0x0000000010000000-0x0000000010065000-memory.dmp

memory/276-73-0x0000000000000000-mapping.dmp

memory/360-77-0x0000000000000000-mapping.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/1860-82-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1036-80-0x0000000000000000-mapping.dmp

memory/360-79-0x0000000074031000-0x0000000074033000-memory.dmp

memory/360-84-0x0000000010000000-0x0000000010065000-memory.dmp

memory/276-85-0x0000000010000000-0x0000000010065000-memory.dmp

memory/1036-86-0x00000000002A0000-0x00000000002C2000-memory.dmp

C:\Windows\svchost\svchost.exe

MD5 18ec82e6803a882e6409399d5fefb810
SHA1 b1a9b23927bc033f7df59a93349fce0416ad3f5a
SHA256 f4606574e0be172e8b43d7d4a31fd8d33bca5e8e596cbbf183b7136ff44c1471
SHA512 f9b29cb3a4a9412322b5e19939372d74578c1764288a2caf439340feabc3f74dc248d728722c10739db860cfb1e35d0064a25ce294474e0e7cb044b443b3a0d6

memory/1036-89-0x0000000001FF5000-0x0000000002006000-memory.dmp

memory/360-90-0x0000000010000000-0x0000000010065000-memory.dmp

memory/276-91-0x0000000010000000-0x0000000010065000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 16:40

Reported

2022-11-23 18:13

Platform

win10v2004-20221111-en

Max time kernel

192s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\722lif3 muaway 2014³.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0074FVOW-61BJ-0354-VGS5-6T5UGR12XOYX}\StubPath = "C:\\Windows\\svchost\\svchost.exe restart" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\svchost\\svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\722lif3 muaway 2014³.exe.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
File created C:\Windows\722lif3 muaway 2014³.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
File opened for modification C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\svchost\svchost.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\svchost\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2712 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe
PID 2344 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 2344 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 2344 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 2344 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\SysWOW64\explorer.exe
PID 2344 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe
PID 2344 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe
PID 2344 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe C:\Windows\722lif3 muaway 2014³.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe

"C:\Users\Admin\AppData\Local\Temp\LIF3 Muaway.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3468 -ip 3468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3468 -ip 3468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 488

C:\Windows\722lif3 muaway 2014³.exe

"C:\Windows\722lif3 muaway 2014³.exe"

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 N/A tcp
N/A 209.197.3.8:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 72.21.81.240:80 N/A tcp
N/A 72.21.81.240:80 N/A tcp
N/A 72.21.81.240:80 N/A tcp
N/A 72.21.91.29:80 N/A tcp
N/A 51.11.192.48:443 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp
N/A 8.8.8.8:53 muawayhue2.no-ip.org udp

Files

memory/2344-134-0x0000000000000000-mapping.dmp

memory/2344-135-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2344-136-0x0000000010000000-0x0000000010065000-memory.dmp

memory/2344-137-0x0000000010000000-0x0000000010065000-memory.dmp

memory/3468-138-0x0000000000000000-mapping.dmp

memory/3628-139-0x0000000000000000-mapping.dmp

memory/2344-140-0x0000000010000000-0x0000000010065000-memory.dmp

memory/3468-141-0x0000000010000000-0x0000000010065000-memory.dmp

memory/3264-142-0x0000000000000000-mapping.dmp

C:\Windows\722lif3 muaway 2014³.exe

MD5 37060ad5f5fa42f17c9171c74d85a11c
SHA1 69a548f7a1f222efbb5883b88b07d165dee5b5a7
SHA256 c2799c3284ef8e00b407fd3b36395f12709434e1f09dddb0b246218f733aaa44
SHA512 b895a14a405c685ada82e5eeee993d0992edad75aa6051abca8b982466a1ac80c85d68f13a52e43a257235d46a23fb02e65aab4d96022d38ed58bd036932e77b

memory/2344-145-0x0000000010000000-0x0000000010065000-memory.dmp

memory/3264-146-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/3264-147-0x00000000056B0000-0x000000000574C000-memory.dmp

memory/3628-148-0x0000000010000000-0x0000000010065000-memory.dmp

memory/3264-149-0x0000000005D00000-0x00000000062A4000-memory.dmp

memory/3264-150-0x0000000005750000-0x00000000057E2000-memory.dmp

memory/3264-151-0x0000000005650000-0x000000000565A000-memory.dmp

memory/3264-152-0x0000000005990000-0x00000000059E6000-memory.dmp