Malware Analysis Report

2024-10-23 19:30

Sample ID 240312-b2dbpacc5s
Target c221a38ae1e20f3638560e3c08d707c8
SHA256 1f4cc0bfd86c2a57b6d65436dc6838cff48bb3333d12d5af631896871636095a
Tags upx azorult netwire botnet infostealer rat stealer trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 1f4cc0bfd86c2a57b6d65436dc6838cff48bb3333d12d5af631896871636095a

Threat Level: Known bad

The file c221a38ae1e20f3638560e3c08d707c8 was found to be: Known bad.

Malicious Activity Summary

upx azorult netwire botnet infostealer rat stealer trojan

Netwire

Azorult

NetWire RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 01:38

Signatures

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 01:38

Reported

2024-03-12 01:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe"

Signatures

Azorult

Tags: trojan infostealer azorult

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2836 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1816 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1340 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2836 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2836 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2836 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2836 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2360 wrote to memory of 1368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2360 wrote to memory of 1368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2360 wrote to memory of 1368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe

"C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

Network

Country | Destination | Domain | Proto
US | 174.127.99.159:7882 | | tcp
US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp
US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp
US | 174.127.99.159:7882 | | tcp

Files

memory/1816-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 27aaa82abc6fe13ec8b50c6eb79292da
SHA1 5e6d768b6c4e8a9c88cef933cfb4a206c90c36d0
SHA256 f4634b17aa232167376446fffdd8dd5cdda5e71a216f6a076b7cfef31330d47e
SHA512 2c4fe1931bbe02fbf3d01550eade8d7800d5b56672f61c331b760ef296ea4cdbe186270c74b3f47ed7365bb3a204b2b35f5f5d0524268bf7662d7cb656f084ad

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 183a3ef145ce1467113c314da7c0e04e
SHA1 aae4a0fabc2d4521206eb60c414230519a485056
SHA256 0bca974b2eb926635502f95eece2be093ff40baf7413ceb93a704ade9aec95a5
SHA512 21a08b915e850a940672c9dd61d351c1db0fb858f028922ea756a571ba94527e666a77f7655385d903da2d06383c2097ed03fc723520f71286852a2621b5e5a9

\Users\Admin\AppData\Local\Temp\test.exe

MD5 0783e60c389e4a4738c08e71a168a03a
SHA1 1b3ac595975791c6e45c2e187414eb76765ab4a8
SHA256 46bf7fbfaecd11863eebb43b7621c41024237a6efc69e8d893da603831bb19b9
SHA512 b8fcb513e7fe14aa48ed5c2c1b14ecf08da6ea30584cac524d4f2439379629e4e8c6d53025d3edad46ed9d8e78279a855878e532eff0ba26ccf996c20c80be54

memory/2664-6-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2664-5-0x0000000000350000-0x000000000043E000-memory.dmp

memory/2664-7-0x00000000040D0000-0x0000000004110000-memory.dmp

memory/2664-8-0x0000000004C50000-0x0000000004CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\File.exe

MD5 3c2a9934fc9e2c4b3d3cae7f0407ffee
SHA1 56b3604687011391767bfa8814fee1841cea0cbf
SHA256 b3acbfb32c641343369023d810229d1abd46a024077a7c231422f09d93fc6e90
SHA512 ba430e99e6075d46cf0f18d8fbe739432a5919f938491e00ad6964e7b2e90dbd4c4b955a12807988848ac46fdfd0cbd66fbdfc9bb28752e513404f29f5f8e0c9

memory/2836-18-0x0000000000290000-0x00000000002B4000-memory.dmp

memory/2836-19-0x0000000004EC0000-0x0000000004F00000-memory.dmp

memory/2836-17-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2836-16-0x00000000002E0000-0x000000000033C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\File.exe

MD5 be056e771dfb796d2e32c405951c4f7f
SHA1 6841e25b82eae8e092c5ad7768d758e811f25497
SHA256 c960ecec6700c05e39b5425e0846911f0f409762b35c75d6bed8daace1a4b247
SHA512 09ba92635a0d693f3c553db3056c465306f2ac1a4a5bda8f8d4a48959f0f09898c43c8f68b76dd2707c0cfaacd91a83d7e2b41a6fea9acd9a2734625d26ead93

\Users\Admin\AppData\Local\Temp\File.exe

MD5 aa779ad2cb01953d3593586b5fda3986
SHA1 96a0d16cf93297ccdc1c1ca784881cbb76338a18
SHA256 76d8da55fc66c3b9277621c348e7ecde970e5763c16e5a5a32f27a0f32004b91
SHA512 703050f93a7400948f24c19fce2f37febcee37453d22e2745befc8dc5e44c10797110ff60ff264a1c262bb9133188047605c6359253e30b03850d7b4f1eb94af

\Users\Admin\AppData\Roaming\tmp.exe

MD5 bae2b04e1160950e570661f55d7cd6f8
SHA1 f4abc073a091292547dda85d0ba044cab231c8da
SHA256 ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59
SHA512 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 0af7fb9963d5d3bda368bf1635864f52
SHA1 aa3cac125cac2b98bd186a2b30472530e071579e
SHA256 f5cfe19fb4c3a11c72d23f49a22b0ab85acc2dbf381989cf7a3b1ef8c83aac53
SHA512 e0d8f4a5a9b5fc6e31cad55095f656eba9b3a98e864c9a1a85756b4f5ae7d88c988eef87339c0e21dc538ea65fb06530265b6fe96058e1c15fdde87e9b62a2f3

memory/1688-35-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 c2ce202722a3c0b6c53832d1db4b0bf0
SHA1 37ce156ca3949b4c62fd4ae4752ec29b4a6c524f
SHA256 1b146835125e787f071a56c8d2a466bf64f0399ebc4b3f412e2a91d444d7d52f
SHA512 d7027df67308a7486dfb244b9c18999386b2995b348b8ad19f83dadec3e1e6b4f6cb4f615f3a69b71703907627f848c64f11682a7ada18738fa40a6c7330cf85

memory/2436-42-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1688-44-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1688-48-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2436-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 494a0fba6d438ba7bcc86e8eb2b97937
SHA1 390e2f767c231e92cba3f54e1c49233236aa570a
SHA256 804e329815d71c888bd9300fd2015278320c34997334b1fcbdfb9c5c5fd40cb4
SHA512 366c181ccffea836dbeb8356452c3697f4337081850c8e263aa8c5ad2c4c658321f0d6ba9c341b906f1b610095f8fb94788a8fdfecc7a207b71ea100b8ddffd9

memory/1688-64-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1688-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 d1f0da08530090f3b0973676def022a5
SHA1 843684a1682c599a7a049f96ab1a16488c1aa414
SHA256 8ddd68f1f9999bf2c39696baa9fd1a910051f166ef43a39ccc0b53433a9265d9
SHA512 01bb8a131026a0cf13b44e1c364286476ffbbbd057c8af9f4c95ca68fb4caa49953a4c7a246f5d55d1d7b1ae508dcc5caa594395e2fe7dfdbabc425a834aa7ac

memory/2644-71-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 2f16e3b37a8d890ef685adb762dbb481
SHA1 5b9aeb1f199214d7b93d9926f315151e6fb698e0
SHA256 d6a060a2c8a48ec9e4ef4daeb5ea347e1adf01dfc9a81f2f9a5f84a368fa9957
SHA512 ceb2fdbcd6873e98730f26c2cb016db7381fc2d30b25f3b5c0e1f57e537538d76fac3fada2f883bee5c22d3f367dbca062545e92c9ba446d0dd668f7ff1b9c6d

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 786fce6b1803e3cb79c9ad30036fe39d
SHA1 e928ad22a08ef174765bdb74d05f3d111ae80277
SHA256 92ebebb907bc53eaf09b094a41249269a481d3e1dd1347513d6d7e060276c990
SHA512 18721d6192b2d9be63afb63c3337f9454cacfab708ca3b67dd3a07693d2122fbe02b6c3aaeaaa4ce5968f1b4c19a815a213df9a3b8814a47727b60df04d7440d

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 d944216698f3a864645b0484e4f9974c
SHA1 08acf7435f1c356b334ca05cecf333cbb319297b
SHA256 8a579a1edeb5b08ab0bf88de5ba2d7cb56169c074c3e02f7a284f80b0664f000
SHA512 df20f423487d45eed90ce4950dda33b3434c65001b6d38ff6fe08c18e74589aba32504413922bbe90890cf7768871074b62144f98999c18b4d23006333a2d5ae

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5 37c82e15058e2f8f5e9525b956e6440d
SHA1 3bf20d00bd7a7943c4066d534f5b276cac5ae39f
SHA256 80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7
SHA512 5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

memory/2436-61-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1688-60-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2436-57-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1688-56-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1688-52-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2436-51-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2436-47-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2436-45-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2436-43-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1688-40-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2436-39-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 40cb4166fa3c8a67e9c1a067e9e5eac6
SHA1 21105ab1487bdbe1fc27b245a28a0ae3bfe7d7f0
SHA256 83ff7e114a5875e39674bd0ca4470c9759e2aa819241e7a44799346ac941417e
SHA512 71f12ed1fd220af554b9adae1269c2efdf126b5e9b8056c402373998f41eb9ccc4793233508f7ce081ea0f9294b4a3110fe8caa4f4bd2495af46bfefb86886e7

memory/1688-28-0x0000000000400000-0x0000000000433000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/1816-80-0x0000000000400000-0x0000000000B9D000-memory.dmp

memory/2664-81-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2664-82-0x00000000040D0000-0x0000000004110000-memory.dmp

memory/2836-83-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/1816-86-0x0000000000400000-0x0000000000B9D000-memory.dmp

memory/2664-85-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/2836-84-0x0000000074010000-0x00000000746FE000-memory.dmp

memory/1688-87-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 01:38

Reported

2024-03-12 01:40

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe"

Signatures

Azorult

Tags: trojan infostealer azorult

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 648 set thread context of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 set thread context of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4472 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe | C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1952 wrote to memory of 648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1952 wrote to memory of 648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\test.exe
PID 648 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 648 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 648 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\File.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 5028 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 5028 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Roaming\tmp.exe
PID 648 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 5028 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 648 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4768 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4768 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5028 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 5060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 5060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 5060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5028 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe

"C:\Users\Admin\AppData\Local\Temp\c221a38ae1e20f3638560e3c08d707c8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 174.127.99.159:7882 | | tcp
US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp
US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 174.127.99.159:7882 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 51130ca8466bb5cac5515972009b9768
SHA1 781eae547250d5ba8553259e4c1f3e504d7f77ee
SHA256 8b10ce80933d69cf343c2a12f275a0215ca373abbcce27300dab272bcdb70ff9
SHA512 0a3bfc7fc9550a1884c996794ec4932b8d7266b12908bfbcc2d2e38a9bb35e4d7695ca4c6414258ed92e9a9ed0c4c9e99c5248205444d066bf384ee734daaa98

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 aaf75d7d86bd560384df38c452d6be21
SHA1 1402fd164891bc4d0994b0262b05789c357e5910
SHA256 41fb298334a7be579285473a9264a53e0f48fd8c51c1ed8dd1cbb911007be311
SHA512 3b19100feb66fb16ed6ce4ce05c5fcf4ab3d621dba9c8efb7b4866773b1be6c6f86cc4eeae4df5df3b4842390ea47266a3d04d09ef297eaf6f2e8b268832c4d5

C:\Users\Admin\AppData\Local\Temp\File.exe

MD5 37c82e15058e2f8f5e9525b956e6440d
SHA1 3bf20d00bd7a7943c4066d534f5b276cac5ae39f
SHA256 80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7
SHA512 5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 bae2b04e1160950e570661f55d7cd6f8
SHA1 f4abc073a091292547dda85d0ba044cab231c8da
SHA256 ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59
SHA512 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

MD5 ff1ce8469e8f94703502e221335bf939
SHA1 6876d45268886917c95c498a1c8756ed86c1a9ac
SHA256 8676f3927053a61cf67f23cfea36ec80631bc422ee8992fa9233cd89f7727fd3
SHA512 8c45883a4b1c994d9de1f5a96b55afc25fa6367bd536fc498383898858d03f6ae0258b2ab4dfb815ff7caa6c4208eef7cd7494c7b0c9a5ec54ddf60abfef5e18
