Malware Analysis Report

2024-11-30 18:49

Sample ID 240317-r8j1tagg24
Target S-400 RAT v3.0.7z
SHA256 137713b97b5c79056269e461c454cfff281fe2e1b6a1ab69e1c8302cb35aa9b8
Tags: agilenet
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 137713b97b5c79056269e461c454cfff281fe2e1b6a1ab69e1c8302cb35aa9b8

Threat Level: Known bad

The file S-400 RAT v3.0.7z was found to be: Known bad.

Malicious Activity Summary

agilenet

Contains code to disable Windows Defender

Nirsoft

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-17 14:51

Signatures

Contains code to disable Windows Defender

Nirsoft

Obfuscated with Agile.Net obfuscator

agilenet

Unsigned PE

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-17 14:51
Reported: 2024-03-17 15:29
Platform: win10v2004-20240226-en
Max time kernel: 1792s
Max time network: 1802s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

Signatures

Contains code to disable Windows Defender

Nirsoft

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A | 2
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 3

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 3440 wrote to memory of 4496 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe | 2

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x51c

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3084 -ip 3084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 4716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3084 -ip 3084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 4696

Network

Files

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

MD5 a39a575da05f3dddeda3508b992f41ee
SHA1 1cfb7c32b81d22d6bded1bcfe07e6b86769df7f0
SHA256 69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95
SHA512 2bae0dcbeb9f28c2f20ad5e5103eaf4d6824d4a7f33f59e57f9ac151c898089f919c6e5ef980a56d4025ee32812ce985be0b3d7799ca72f1851caffae749683a

C:\Users\Admin\Desktop\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\Desktop\SQLABC_ModernUI.dll

MD5 da70e6d0b5cee1f9a69764e740f9c036
SHA1 5848e0f7db830b29f8e542e04b025ec73b59c769
SHA256 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360
SHA512 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e

C:\Users\Admin\Desktop\API.dll

MD5 df1b7e8e22353b01a29cb972d054ee16
SHA1 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7
SHA256 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509
SHA512 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7

C:\Users\Admin\Desktop\WinMM.Net.dll

MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA512 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

C:\Users\Admin\Desktop\zxing.dll

MD5 ce9aaa0fbc6a2bbf063b044537db1dfc
SHA1 0d2f94a52de141eeeb456c350ede8e70619fa300
SHA256 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03
SHA512 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8

C:\Users\Admin\Desktop\GeoIP.dat

MD5 797b96cc417d0cde72e5c25d0898e95e
SHA1 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13
SHA256 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426
SHA512 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

C:\Users\Admin\Desktop\FC\act.dll

MD5 40514fa1bab88f1b8c4c2a42d361f67c
SHA1 9794f98cb73d50754d595cc80f7b569672c5ef5d
SHA256 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120
SHA512 a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0

C:\Users\Admin\Desktop\FC\anx.dll

MD5 0f52530cf216a3cf65fd195c8b29768d
SHA1 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b
SHA256 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962
SHA512 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83

C:\Users\Admin\Desktop\FC\anti.dll

MD5 ab646175867b7602f2497f3e8a8bb8e6
SHA1 7e5bc0df0baf3771b9c730ac437c9867a783c498
SHA256 b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524
SHA512 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82

C:\Users\Admin\Desktop\FC\cam.dll

MD5 53c61c80bb073884c1fcbcea16ecd560
SHA1 92cce9d3530d809374faab056192e1a6f5c19160
SHA256 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3
SHA512 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825

C:\Users\Admin\Desktop\FC\ch.dll

MD5 aa4870d649a3709bfddcfbaa3be12e90
SHA1 344e33f0244179d216a90825689fdefd179a3210
SHA256 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7
SHA512 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451

C:\Users\Admin\Desktop\FC\cli.dll

MD5 97e16f9fb839e5652761af079427cec4
SHA1 4bde74a8c94bec78567fe8948eb7f2579eea3ed7
SHA256 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9
SHA512 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9

C:\Users\Admin\Desktop\FC\cok.dll

MD5 6351942835b3065c559ae71af3c10996
SHA1 7837b547591eba817f6d92e0b3a99175eb4c7442
SHA256 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600
SHA512 b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a

C:\Users\Admin\Desktop\FC\coc.dll

MD5 ab8dc285bd3f4fd4bd58fb49a3f65e4d
SHA1 445c759ee8981a1c43663a006f5fcbdd9f5bf319
SHA256 e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0
SHA512 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0

C:\Users\Admin\Desktop\FC\controll.dll

MD5 a6100771cd31317172da585f080f50bc
SHA1 e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0
SHA256 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72
SHA512 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086

C:\Users\Admin\Desktop\FC\dos.dll

MD5 367f115ade76ed85b0865fab6415c486
SHA1 1f13595c0503784050beb91563a37fc7eb8d3216
SHA256 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b
SHA512 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea

C:\Users\Admin\Desktop\FC\def.dll

MD5 4db7a9a39fced04abe373b263887dd57
SHA1 418475ee97c5d4bede51a48466fac4f7fe8956c1
SHA256 f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5
SHA512 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d

C:\Users\Admin\Desktop\FC\inff.dll

MD5 282a383f16af77e6f0f3650b12e4f5cc
SHA1 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949
SHA256 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f
SHA512 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806

C:\Users\Admin\Desktop\FC\iff.dll

MD5 f1b53847815d72f5f12455a6a1812925
SHA1 860e77e979ec9d2e0b1bb80368a149b739abf640
SHA256 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1
SHA512 a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16

C:\Users\Admin\Desktop\FC\hrr.dll

MD5 79faa389d1012d22994793a40ea7d288
SHA1 550c583107b9127e167e773ee6e65dd4266b66e8
SHA256 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09
SHA512 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0

C:\Users\Admin\Desktop\FC\hbr.dll

MD5 c60bcf5599f6a2446ce11fe4d82b52e3
SHA1 f440aad733cd7dffe813985a4af1ab61fd4309fc
SHA256 d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1
SHA512 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165

C:\Users\Admin\Desktop\FC\fun.dll

MD5 9a661d32fb534ed752f57dfb14f96c69
SHA1 3ae37dca061457507af0a371ddfce51834523d19
SHA256 af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614
SHA512 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94

C:\Users\Admin\Desktop\FC\manger.dll

MD5 76b3c4f07316739f10c3409c022df30d
SHA1 bad54af1377009ceb5bf1b4ff3f244e5237cfe1f
SHA256 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26
SHA512 eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5

C:\Users\Admin\Desktop\FC\rdp.dll

MD5 274775cc533fd77c904487428df6d2e2
SHA1 17823bf9764563bb901ca9e54af330e14c0d1387
SHA256 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178
SHA512 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584

C:\Users\Admin\Desktop\FC\tory.dll

MD5 678bc4981407ec867997e49a55d6691b
SHA1 facadb46da06b69b5d534e4578b9b942e83c62d0
SHA256 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560
SHA512 c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf

C:\Users\Admin\Desktop\FC\tcp.dll

MD5 4d83956c3b72011e05447df8f2522788
SHA1 572324b5108ebd219c9362bcde8d6f63b43539fe
SHA256 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986
SHA512 edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4

C:\Users\Admin\Desktop\FC\so.dll

MD5 931891348ccb30d3de4d6364f7cf641e
SHA1 359f2ef6edced2fa3a38e939d035c90c46da1b7c
SHA256 a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79
SHA512 cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55

C:\Users\Admin\Desktop\FC\sc2.dll

MD5 f8ce280fc2b16762802e7d8b1799e9c4
SHA1 e73800699dd7ce099f6e71db602be062acd5cf8a
SHA256 e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64
SHA512 ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717

C:\Users\Admin\Desktop\FC\pw.dll

MD5 ed2dfe9eefb52ee6f371119142c8e438
SHA1 61071a2c97bd45fdcd95b3c3a14119c01e422cdc
SHA256 e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6
SHA512 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79

C:\Users\Admin\Desktop\FC\pass.dll

MD5 45dbcb506ff2209501c1c74fe51b2b79
SHA1 a8b28d69766c0bc167c95588b587d0577c97a0fb
SHA256 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258
SHA512 ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273

C:\Users\Admin\Desktop\FC\ngr.dll

MD5 34c65e48a13f441618d3fd7e0db4c1ac
SHA1 ad321099698d1c04110efd25132faa8c4771b1fc
SHA256 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0
SHA512 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16

C:\Users\Admin\Desktop\FC\msg.dll

MD5 5a1e62c6f25bddd882f748e51836cf5a
SHA1 cf2fdd68648e56777ec76687efed28d3fd3aea51
SHA256 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a
SHA512 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427

C:\Users\Admin\Desktop\FC\mic.dll

MD5 0492bf68d888d70a0b05208c45ef9e50
SHA1 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c
SHA256 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65
SHA512 f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686

C:\Users\Admin\Desktop\FC\loc.dll

MD5 fda72bed9a70f75440146b750b2838e7
SHA1 bfba56628ea9118c99e5379f719cfbc2a9d50cc2
SHA256 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193
SHA512 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e

C:\Users\Admin\Desktop\FC\uac.dll

MD5 8f733c26b4dffc1844f7cf689dbb3040
SHA1 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6
SHA256 a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822
SHA512 c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d

C:\Users\Admin\Desktop\FC\vb.dll

MD5 fd3ca535716e7d32b23cc6bdc4ce808c
SHA1 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3
SHA256 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4
SHA512 f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190

C:\Users\Admin\Desktop\FC\uns.dll

MD5 f15ba8cca8dccae5f6e0f5f38d527ea6
SHA1 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25
SHA256 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298
SHA512 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b

C:\Users\Admin\Desktop\FC\xmr.dll

MD5 3f1323e572f60f6f63d447339d127fa7
SHA1 abf3f71c673ef48a606787e47ae976d9becc6576
SHA256 ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831
SHA512 af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1

C:\Users\Admin\Desktop\FC\vnc.dll

MD5 0596dbbbcb6794def107e7d86789ca62
SHA1 36b39f496430c314432f0a6050e6ad022f88daff
SHA256 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32
SHA512 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5

C:\Users\Admin\Desktop\FC\vdp.dll

MD5 8246192765d26e1c2232c1a60729944b
SHA1 65d63482db444a9ff566abb82207d8f48c573da9
SHA256 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf
SHA512 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e

Analysis: behavioral4

Detonation Overview

Submitted: 2024-03-17 14:51
Reported: 2024-03-17 15:35
Platform: win11-20240221-en
Max time kernel: 1483s
Max time network: 1508s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

Signatures

Contains code to disable Windows Defender

Nirsoft

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A | 2
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 3

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Hits
N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 3896 wrote to memory of 2208 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe | 2

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C8

Network

Files

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

MD5 5a83922c41366df1bdd63ca146f5a424
SHA1 05546170ac91b803b5b137689f2224fa250f711b
SHA256 65397c9e4a5f2634a2a01694005dc4651fb3e52572f7ef5e25e2b3c82ec59c85
SHA512 2d4a22d9fc75bb3c84844561d82533160b889d925b08024f488a50f60771a5ac1313e03bf31dc2ace32a46f5f9f1b9c274046c9649b4dea1ed933e4575f82228

C:\Users\Admin\Desktop\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\Desktop\SQLABC_ModernUI.dll

MD5 da70e6d0b5cee1f9a69764e740f9c036
SHA1 5848e0f7db830b29f8e542e04b025ec73b59c769
SHA256 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360
SHA512 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e

C:\Users\Admin\Desktop\API.dll

MD5 df1b7e8e22353b01a29cb972d054ee16
SHA1 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7
SHA256 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509
SHA512 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7

C:\Users\Admin\Desktop\WinMM.Net.dll

MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA512 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

memory/4992-447-0x000000000C300000-0x000000000C312000-memory.dmp

C:\Users\Admin\Desktop\zxing.dll

MD5 ce9aaa0fbc6a2bbf063b044537db1dfc
SHA1 0d2f94a52de141eeeb456c350ede8e70619fa300
SHA256 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03
SHA512 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8

memory/4992-451-0x000000000C3C0000-0x000000000C42C000-memory.dmp

C:\Users\Admin\Desktop\GeoIP.dat

MD5 797b96cc417d0cde72e5c25d0898e95e
SHA1 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13
SHA256 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426
SHA512 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

C:\Users\Admin\Desktop\FC\act.dll

MD5 40514fa1bab88f1b8c4c2a42d361f67c
SHA1 9794f98cb73d50754d595cc80f7b569672c5ef5d
SHA256 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120
SHA512 a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0

C:\Users\Admin\Desktop\FC\anx.dll

MD5 0f52530cf216a3cf65fd195c8b29768d
SHA1 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b
SHA256 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962
SHA512 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83

C:\Users\Admin\Desktop\FC\anti.dll

MD5 ab646175867b7602f2497f3e8a8bb8e6
SHA1 7e5bc0df0baf3771b9c730ac437c9867a783c498
SHA256 b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524
SHA512 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82

C:\Users\Admin\Desktop\FC\ch.dll

MD5 aa4870d649a3709bfddcfbaa3be12e90
SHA1 344e33f0244179d216a90825689fdefd179a3210
SHA256 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7
SHA512 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451

C:\Users\Admin\Desktop\FC\cam.dll

MD5 53c61c80bb073884c1fcbcea16ecd560
SHA1 92cce9d3530d809374faab056192e1a6f5c19160
SHA256 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3
SHA512 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825

C:\Users\Admin\Desktop\FC\cli.dll

MD5 97e16f9fb839e5652761af079427cec4
SHA1 4bde74a8c94bec78567fe8948eb7f2579eea3ed7
SHA256 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9
SHA512 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9

C:\Users\Admin\Desktop\FC\cok.dll

MD5 6351942835b3065c559ae71af3c10996
SHA1 7837b547591eba817f6d92e0b3a99175eb4c7442
SHA256 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600
SHA512 b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a

C:\Users\Admin\Desktop\FC\coc.dll

MD5 ab8dc285bd3f4fd4bd58fb49a3f65e4d
SHA1 445c759ee8981a1c43663a006f5fcbdd9f5bf319
SHA256 e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0
SHA512 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0

C:\Users\Admin\Desktop\FC\controll.dll

MD5 a6100771cd31317172da585f080f50bc
SHA1 e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0
SHA256 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72
SHA512 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086

C:\Users\Admin\Desktop\FC\def.dll

MD5 4db7a9a39fced04abe373b263887dd57
SHA1 418475ee97c5d4bede51a48466fac4f7fe8956c1
SHA256 f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5
SHA512 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d

C:\Users\Admin\Desktop\FC\dos.dll

MD5 367f115ade76ed85b0865fab6415c486
SHA1 1f13595c0503784050beb91563a37fc7eb8d3216
SHA256 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b
SHA512 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea

C:\Users\Admin\Desktop\FC\fun.dll

MD5 9a661d32fb534ed752f57dfb14f96c69
SHA1 3ae37dca061457507af0a371ddfce51834523d19
SHA256 af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614
SHA512 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94

C:\Users\Admin\Desktop\FC\hbr.dll

MD5 c60bcf5599f6a2446ce11fe4d82b52e3
SHA1 f440aad733cd7dffe813985a4af1ab61fd4309fc
SHA256 d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1
SHA512 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165

C:\Users\Admin\Desktop\FC\hrr.dll

MD5 79faa389d1012d22994793a40ea7d288
SHA1 550c583107b9127e167e773ee6e65dd4266b66e8
SHA256 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09
SHA512 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0

C:\Users\Admin\Desktop\FC\iff.dll

MD5 f1b53847815d72f5f12455a6a1812925
SHA1 860e77e979ec9d2e0b1bb80368a149b739abf640
SHA256 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1
SHA512 a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16

C:\Users\Admin\Desktop\FC\ngr.dll

MD5 34c65e48a13f441618d3fd7e0db4c1ac
SHA1 ad321099698d1c04110efd25132faa8c4771b1fc
SHA256 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0
SHA512 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16

C:\Users\Admin\Desktop\FC\msg.dll

MD5 5a1e62c6f25bddd882f748e51836cf5a
SHA1 cf2fdd68648e56777ec76687efed28d3fd3aea51
SHA256 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a
SHA512 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427

C:\Users\Admin\Desktop\FC\mic.dll

MD5 0492bf68d888d70a0b05208c45ef9e50
SHA1 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c
SHA256 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65
SHA512 f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686

C:\Users\Admin\Desktop\FC\manger.dll

MD5 76b3c4f07316739f10c3409c022df30d
SHA1 bad54af1377009ceb5bf1b4ff3f244e5237cfe1f
SHA256 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26
SHA512 eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5

C:\Users\Admin\Desktop\FC\loc.dll

MD5 fda72bed9a70f75440146b750b2838e7
SHA1 bfba56628ea9118c99e5379f719cfbc2a9d50cc2
SHA256 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193
SHA512 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e

C:\Users\Admin\Desktop\FC\inff.dll

MD5 282a383f16af77e6f0f3650b12e4f5cc
SHA1 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949
SHA256 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f
SHA512 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806

C:\Users\Admin\Desktop\FC\tory.dll

MD5 678bc4981407ec867997e49a55d6691b
SHA1 facadb46da06b69b5d534e4578b9b942e83c62d0
SHA256 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560
SHA512 c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf

C:\Users\Admin\Desktop\FC\tcp.dll

MD5 4d83956c3b72011e05447df8f2522788
SHA1 572324b5108ebd219c9362bcde8d6f63b43539fe
SHA256 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986
SHA512 edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4

C:\Users\Admin\Desktop\FC\so.dll

MD5 931891348ccb30d3de4d6364f7cf641e
SHA1 359f2ef6edced2fa3a38e939d035c90c46da1b7c
SHA256 a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79
SHA512 cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55

C:\Users\Admin\Desktop\FC\sc2.dll

MD5 f8ce280fc2b16762802e7d8b1799e9c4
SHA1 e73800699dd7ce099f6e71db602be062acd5cf8a
SHA256 e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64
SHA512 ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717

C:\Users\Admin\Desktop\FC\rdp.dll

MD5 274775cc533fd77c904487428df6d2e2
SHA1 17823bf9764563bb901ca9e54af330e14c0d1387
SHA256 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178
SHA512 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584

C:\Users\Admin\Desktop\FC\pw.dll

MD5 ed2dfe9eefb52ee6f371119142c8e438
SHA1 61071a2c97bd45fdcd95b3c3a14119c01e422cdc
SHA256 e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6
SHA512 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79

C:\Users\Admin\Desktop\FC\pass.dll

MD5 45dbcb506ff2209501c1c74fe51b2b79
SHA1 a8b28d69766c0bc167c95588b587d0577c97a0fb
SHA256 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258
SHA512 ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273

C:\Users\Admin\Desktop\FC\uac.dll

MD5 8f733c26b4dffc1844f7cf689dbb3040
SHA1 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6
SHA256 a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822
SHA512 c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d

C:\Users\Admin\Desktop\FC\vnc.dll

MD5 0596dbbbcb6794def107e7d86789ca62
SHA1 36b39f496430c314432f0a6050e6ad022f88daff
SHA256 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32
SHA512 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5

C:\Users\Admin\Desktop\FC\xmr.dll

MD5 3f1323e572f60f6f63d447339d127fa7
SHA1 abf3f71c673ef48a606787e47ae976d9becc6576
SHA256 ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831
SHA512 af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1

C:\Users\Admin\Desktop\FC\vdp.dll

MD5 8246192765d26e1c2232c1a60729944b
SHA1 65d63482db444a9ff566abb82207d8f48c573da9
SHA256 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf
SHA512 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e

C:\Users\Admin\Desktop\FC\vb.dll

MD5 fd3ca535716e7d32b23cc6bdc4ce808c
SHA1 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3
SHA256 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4
SHA512 f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190

C:\Users\Admin\Desktop\FC\uns.dll

MD5 f15ba8cca8dccae5f6e0f5f38d527ea6
SHA1 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25
SHA256 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298
SHA512 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b

memory/4992-487-0x00000000749A0000-0x0000000075151000-memory.dmp

memory/4992-488-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4992-489-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4992-490-0x0000000070F30000-0x0000000070F67000-memory.dmp

memory/4992-491-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4992-492-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/4992-493-0x00000000065D0000-0x00000000065E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 14:51

Reported

2024-03-17 15:28

Platform

win7-20240221-en

Max time kernel

1558s

Max time network

1559s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Numeric entries are privilege LUIDs the sandbox did not resolve to names; 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege (well-known LUIDs from winnt.h). All of these belong to 7-Zip's file manager and the Windows audio engine, not to the dropped executable.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x50c

Network

N/A

Files

\Users\Admin\Desktop\vncviewer.exe

MD5 c71adb577b5be3404ab150e4ef4eb9a2
SHA1 a4bc65d33a3a845074ccb3658a94f546993356e3
SHA256 d4a5ff934554cdd01319fe1e1d50fa10a61104d9a06771a5d42f743f60f3568c
SHA512 50fd3de9095ea891738fc60b9b921aaf48cf84c9d06c8a579d471b9a263df4c19818b0f623d27ec036450fc4956c25c7ffb029695d817baa609ce2473a7232cd

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

MD5 b7bfd544b6469b73c1ae92d75a40a47e
SHA1 bd68fbfd1cfc06ce3faff56256f5ed1f27f9f927
SHA256 685f47672c7ca76e35b5c8ef612d0b376cdded7dc19bc5b67fd749e5a008c52c
SHA512 ed5688c1b2769d8a60321e0a51e7dbb1da3f1f22c2fd4c4a06beace9347c66114d4e96ba08041524bd0da97df7f8b50a51a07851709e80d55ac7d063bf298c4a

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

MD5 bf21f4877336ddca67f6500378628284
SHA1 753e08018e86235cdf6232853bccc9e0af438259
SHA256 1fb19c2fc029138abeb8408df255cbdfe80b9a8e551d04dc417c05482a13d882
SHA512 676da9069e59c8c1edc464650672e0b4e818ff6541cbccca63557e2a7b6e26c7b2ea9e0b31186d66f0dfdcb1bd4f65d57ad073c6e810730b022d68ecf841ad86

memory/1416-1056-0x0000000000210000-0x0000000000CD0000-memory.dmp

memory/1416-1055-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1416-1057-0x0000000005840000-0x0000000005880000-memory.dmp

C:\Users\Admin\Desktop\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

memory/1416-1061-0x0000000005880000-0x0000000005A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/1416-1069-0x00000000734B0000-0x00000000734E7000-memory.dmp

memory/1416-1068-0x0000000073AA0000-0x0000000073B20000-memory.dmp

memory/1416-1070-0x0000000005840000-0x0000000005880000-memory.dmp

memory/1416-1071-0x0000000005840000-0x0000000005880000-memory.dmp

memory/1416-1072-0x0000000005840000-0x0000000005880000-memory.dmp

memory/1416-1073-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1416-1074-0x0000000005840000-0x0000000005880000-memory.dmp

memory/1416-1075-0x00000000734B0000-0x00000000734E7000-memory.dmp

C:\Users\Admin\Desktop\SQLABC_ModernUI.dll

MD5 da70e6d0b5cee1f9a69764e740f9c036
SHA1 5848e0f7db830b29f8e542e04b025ec73b59c769
SHA256 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360
SHA512 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e

memory/1416-1079-0x0000000006450000-0x0000000006468000-memory.dmp

C:\Users\Admin\Desktop\API.dll

MD5 df1b7e8e22353b01a29cb972d054ee16
SHA1 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7
SHA256 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509
SHA512 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7

memory/1416-1083-0x0000000006030000-0x0000000006044000-memory.dmp

\Users\Admin\Desktop\WinMM.Net.dll

MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA512 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

memory/1416-1087-0x0000000007000000-0x0000000007012000-memory.dmp

C:\Users\Admin\Desktop\zxing.dll

MD5 ce9aaa0fbc6a2bbf063b044537db1dfc
SHA1 0d2f94a52de141eeeb456c350ede8e70619fa300
SHA256 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03
SHA512 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8

memory/1416-1091-0x0000000012910000-0x000000001297C000-memory.dmp

C:\Users\Admin\Desktop\GeoIP.dat

MD5 797b96cc417d0cde72e5c25d0898e95e
SHA1 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13
SHA256 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426
SHA512 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

C:\Users\Admin\Desktop\FC\act.dll

MD5 40514fa1bab88f1b8c4c2a42d361f67c
SHA1 9794f98cb73d50754d595cc80f7b569672c5ef5d
SHA256 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120
SHA512 a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0

C:\Users\Admin\Desktop\FC\anti.dll

MD5 ab646175867b7602f2497f3e8a8bb8e6
SHA1 7e5bc0df0baf3771b9c730ac437c9867a783c498
SHA256 b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524
SHA512 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82

C:\Users\Admin\Desktop\FC\anx.dll

MD5 0f52530cf216a3cf65fd195c8b29768d
SHA1 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b
SHA256 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962
SHA512 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83

C:\Users\Admin\Desktop\FC\cam.dll

MD5 53c61c80bb073884c1fcbcea16ecd560
SHA1 92cce9d3530d809374faab056192e1a6f5c19160
SHA256 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3
SHA512 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825

C:\Users\Admin\Desktop\FC\ch.dll

MD5 aa4870d649a3709bfddcfbaa3be12e90
SHA1 344e33f0244179d216a90825689fdefd179a3210
SHA256 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7
SHA512 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451

C:\Users\Admin\Desktop\FC\cli.dll

MD5 97e16f9fb839e5652761af079427cec4
SHA1 4bde74a8c94bec78567fe8948eb7f2579eea3ed7
SHA256 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9
SHA512 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9

C:\Users\Admin\Desktop\FC\cok.dll

MD5 6351942835b3065c559ae71af3c10996
SHA1 7837b547591eba817f6d92e0b3a99175eb4c7442
SHA256 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600
SHA512 b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a

C:\Users\Admin\Desktop\FC\coc.dll

MD5 ab8dc285bd3f4fd4bd58fb49a3f65e4d
SHA1 445c759ee8981a1c43663a006f5fcbdd9f5bf319
SHA256 e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0
SHA512 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0

C:\Users\Admin\Desktop\FC\controll.dll

MD5 a6100771cd31317172da585f080f50bc
SHA1 e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0
SHA256 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72
SHA512 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086

C:\Users\Admin\Desktop\FC\mic.dll

MD5 0492bf68d888d70a0b05208c45ef9e50
SHA1 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c
SHA256 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65
SHA512 f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686

C:\Users\Admin\Desktop\FC\manger.dll

MD5 76b3c4f07316739f10c3409c022df30d
SHA1 bad54af1377009ceb5bf1b4ff3f244e5237cfe1f
SHA256 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26
SHA512 eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5

C:\Users\Admin\Desktop\FC\loc.dll

MD5 fda72bed9a70f75440146b750b2838e7
SHA1 bfba56628ea9118c99e5379f719cfbc2a9d50cc2
SHA256 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193
SHA512 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e

C:\Users\Admin\Desktop\FC\inff.dll

MD5 282a383f16af77e6f0f3650b12e4f5cc
SHA1 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949
SHA256 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f
SHA512 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806

C:\Users\Admin\Desktop\FC\iff.dll

MD5 f1b53847815d72f5f12455a6a1812925
SHA1 860e77e979ec9d2e0b1bb80368a149b739abf640
SHA256 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1
SHA512 a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16

C:\Users\Admin\Desktop\FC\hrr.dll

MD5 79faa389d1012d22994793a40ea7d288
SHA1 550c583107b9127e167e773ee6e65dd4266b66e8
SHA256 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09
SHA512 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0

C:\Users\Admin\Desktop\FC\hbr.dll

MD5 c60bcf5599f6a2446ce11fe4d82b52e3
SHA1 f440aad733cd7dffe813985a4af1ab61fd4309fc
SHA256 d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1
SHA512 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165

C:\Users\Admin\Desktop\FC\fun.dll

MD5 9a661d32fb534ed752f57dfb14f96c69
SHA1 3ae37dca061457507af0a371ddfce51834523d19
SHA256 af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614
SHA512 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94

C:\Users\Admin\Desktop\FC\dos.dll

MD5 367f115ade76ed85b0865fab6415c486
SHA1 1f13595c0503784050beb91563a37fc7eb8d3216
SHA256 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b
SHA512 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea

C:\Users\Admin\Desktop\FC\def.dll

MD5 4db7a9a39fced04abe373b263887dd57
SHA1 418475ee97c5d4bede51a48466fac4f7fe8956c1
SHA256 f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5
SHA512 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d

C:\Users\Admin\Desktop\FC\tory.dll

MD5 678bc4981407ec867997e49a55d6691b
SHA1 facadb46da06b69b5d534e4578b9b942e83c62d0
SHA256 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560
SHA512 c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf

C:\Users\Admin\Desktop\FC\tcp.dll

MD5 4d83956c3b72011e05447df8f2522788
SHA1 572324b5108ebd219c9362bcde8d6f63b43539fe
SHA256 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986
SHA512 edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4

C:\Users\Admin\Desktop\FC\so.dll

MD5 931891348ccb30d3de4d6364f7cf641e
SHA1 359f2ef6edced2fa3a38e939d035c90c46da1b7c
SHA256 a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79
SHA512 cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55

C:\Users\Admin\Desktop\FC\sc2.dll

MD5 f8ce280fc2b16762802e7d8b1799e9c4
SHA1 e73800699dd7ce099f6e71db602be062acd5cf8a
SHA256 e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64
SHA512 ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717

C:\Users\Admin\Desktop\FC\rdp.dll

MD5 274775cc533fd77c904487428df6d2e2
SHA1 17823bf9764563bb901ca9e54af330e14c0d1387
SHA256 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178
SHA512 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584

C:\Users\Admin\Desktop\FC\pw.dll

MD5 ed2dfe9eefb52ee6f371119142c8e438
SHA1 61071a2c97bd45fdcd95b3c3a14119c01e422cdc
SHA256 e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6
SHA512 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79

C:\Users\Admin\Desktop\FC\pass.dll

MD5 45dbcb506ff2209501c1c74fe51b2b79
SHA1 a8b28d69766c0bc167c95588b587d0577c97a0fb
SHA256 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258
SHA512 ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273

C:\Users\Admin\Desktop\FC\ngr.dll

MD5 34c65e48a13f441618d3fd7e0db4c1ac
SHA1 ad321099698d1c04110efd25132faa8c4771b1fc
SHA256 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0
SHA512 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16

C:\Users\Admin\Desktop\FC\msg.dll

MD5 5a1e62c6f25bddd882f748e51836cf5a
SHA1 cf2fdd68648e56777ec76687efed28d3fd3aea51
SHA256 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a
SHA512 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427

C:\Users\Admin\Desktop\FC\uac.dll

MD5 8f733c26b4dffc1844f7cf689dbb3040
SHA1 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6
SHA256 a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822
SHA512 c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d

C:\Users\Admin\Desktop\FC\uns.dll

MD5 f15ba8cca8dccae5f6e0f5f38d527ea6
SHA1 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25
SHA256 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298
SHA512 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b

C:\Users\Admin\Desktop\FC\vdp.dll

MD5 8246192765d26e1c2232c1a60729944b
SHA1 65d63482db444a9ff566abb82207d8f48c573da9
SHA256 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf
SHA512 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e

C:\Users\Admin\Desktop\FC\vb.dll

MD5 fd3ca535716e7d32b23cc6bdc4ce808c
SHA1 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3
SHA256 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4
SHA512 f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190

C:\Users\Admin\Desktop\FC\xmr.dll

MD5 3f1323e572f60f6f63d447339d127fa7
SHA1 abf3f71c673ef48a606787e47ae976d9becc6576
SHA256 ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831
SHA512 af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1

C:\Users\Admin\Desktop\FC\vnc.dll

MD5 0596dbbbcb6794def107e7d86789ca62
SHA1 36b39f496430c314432f0a6050e6ad022f88daff
SHA256 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32
SHA512 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5

memory/1416-1127-0x000000000EA40000-0x000000000EB40000-memory.dmp

memory/1416-1128-0x000000000EA40000-0x000000000EB40000-memory.dmp
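The Files listings in every run share one flattened layout: a path line, then MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<seq>-<start>-<end> dump names. The same support DLLs recur across runs with identical hashes, while S-400 RAT v3.0.exe is listed twice in behavioral1 with different hashes and with a third hash in behavioral2, typically a file hashed while the extractor was still writing it. The following is an added example, not part of the report, that parses this layout into records, collapses repeats into one SHA256 IOC set, flags paths whose hashes disagree so an analyst can decide which hash is the finished binary, and computes the size of each dumped region. The embedded sample is a constructed subset of the behavioral1 entries above with SHA512 lines left out; treating 'C:\Users\...' and '\Users\...' as the same path is an assumption about how the sandbox writes paths.

```python
# Added example, not from the report: parse the flattened Files listing
# above into IOC records.  Layout assumed, as it appears on this page:
# a path line, then 'MD5 ..', 'SHA1 ..', 'SHA256 ..', 'SHA512 ..' lines,
# plus 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' lines for dumps.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import NamedTuple

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

class MemRegion(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int
    @property
    def size(self) -> int:
        return self.end - self.start

def parse_files_section(text: str):
    """Return (file records, memory regions) in listing order."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append(MemRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None                      # a dump name closes the file entry
        elif h := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HEX_LEN[algo]:    # catches truncated copy/paste
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
        else:                                   # anything else is a path line
            current = FileRecord(path=line)
            files.append(current)
    return files, regions

def _norm(path: str) -> str:
    # Assumption: the report writes the same file as 'C:\Users\..' and
    # '\Users\..', so compare case-folded and without the drive letter.
    return re.sub(r"^[a-z]:", "", path.lower())

def sha256_iocs(files) -> list:
    """Unique SHA256 values; DLLs dropped in every run collapse to one IOC."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})

def paths_with_conflicting_hashes(files) -> dict:
    """Paths recorded with more than one SHA256 (hashed mid-write, then again)."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[_norm(f.path)].add(f.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}

# Constructed subset of the behavioral1 Files entries above (SHA512 lines left out).
SAMPLE = r"""
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
MD5 b7bfd544b6469b73c1ae92d75a40a47e
SHA1 bd68fbfd1cfc06ce3faff56256f5ed1f27f9f927
SHA256 685f47672c7ca76e35b5c8ef612d0b376cdded7dc19bc5b67fd749e5a008c52c
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
MD5 bf21f4877336ddca67f6500378628284
SHA1 753e08018e86235cdf6232853bccc9e0af438259
SHA256 1fb19c2fc029138abeb8408df255cbdfe80b9a8e551d04dc417c05482a13d882
C:\Users\Admin\Desktop\Guna.UI2.dll
MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
memory/1416-1061-0x0000000005880000-0x0000000005A72000-memory.dmp
\Users\Admin\Desktop\WinMM.Net.dll
MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
C:\Users\Admin\Desktop\WinMM.Net.dll
MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
"""

if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print(len(files), "entries,", len(sha256_iocs(files)), "unique SHA256,",
          paths_with_conflicting_hashes(files))
    for r in regions:
        print(f"pid {r.pid} region {r.start:#x}-{r.end:#x} size {r.size:#x}")
```

On the sample this yields five entries but four unique SHA256 values, one conflicting path (S-400 RAT v3.0.exe) and a 0x1F2000-byte region in PID 1416; the same region size appears in the earlier run at 0x070A0000-0x07292000, which is what one expects from the same module mapped at a different base.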

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 14:51

Reported

2024-03-17 15:29

Platform

win10-20240221-en

Max time kernel

1509s

Max time network

1605s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Numeric entries are privilege LUIDs the sandbox did not resolve to names; 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege (well-known LUIDs from winnt.h). As in the Windows 7 run, all of these belong to 7-Zip's file manager and the Windows audio engine, not to the dropped executable.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\S-400 RAT v3.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4132 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4132 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x424

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\S-400 RAT v3.0.exe

MD5 a39a575da05f3dddeda3508b992f41ee
SHA1 1cfb7c32b81d22d6bded1bcfe07e6b86769df7f0
SHA256 69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95
SHA512 2bae0dcbeb9f28c2f20ad5e5103eaf4d6824d4a7f33f59e57f9ac151c898089f919c6e5ef980a56d4025ee32812ce985be0b3d7799ca72f1851caffae749683a

memory/1156-412-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1156-413-0x00000000007C0000-0x0000000001280000-memory.dmp

memory/1156-414-0x0000000005BA0000-0x0000000005C3C000-memory.dmp

memory/1156-415-0x0000000006140000-0x000000000663E000-memory.dmp

memory/1156-416-0x0000000005C40000-0x0000000005CD2000-memory.dmp

memory/1156-417-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-418-0x0000000003840000-0x000000000384A000-memory.dmp

memory/1156-419-0x0000000005D70000-0x0000000005DC6000-memory.dmp

C:\Users\Admin\Desktop\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

memory/1156-423-0x0000000006640000-0x0000000006832000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/1156-432-0x0000000072650000-0x00000000726D0000-memory.dmp

memory/1156-431-0x0000000070AD0000-0x0000000070B07000-memory.dmp

memory/1156-433-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-434-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-435-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-436-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/1156-437-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-438-0x0000000070AD0000-0x0000000070B07000-memory.dmp

memory/1156-439-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-440-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-441-0x0000000005E60000-0x0000000005E70000-memory.dmp

C:\Users\Admin\Desktop\SQLABC_ModernUI.dll

MD5 da70e6d0b5cee1f9a69764e740f9c036
SHA1 5848e0f7db830b29f8e542e04b025ec73b59c769
SHA256 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360
SHA512 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e

memory/1156-445-0x000000000BAB0000-0x000000000BAC8000-memory.dmp

memory/1156-446-0x0000000005E60000-0x0000000005E70000-memory.dmp

C:\Users\Admin\Desktop\API.dll

MD5 df1b7e8e22353b01a29cb972d054ee16
SHA1 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7
SHA256 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509
SHA512 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7

memory/1156-450-0x000000000A330000-0x000000000A344000-memory.dmp

C:\Users\Admin\Desktop\WinMM.Net.dll

MD5 d4b80052c7b4093e10ce1f40ce74f707
SHA1 2494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA256 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA512 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

memory/1156-454-0x000000000BD30000-0x000000000BD42000-memory.dmp

C:\Users\Admin\Desktop\zxing.dll

MD5 ce9aaa0fbc6a2bbf063b044537db1dfc
SHA1 0d2f94a52de141eeeb456c350ede8e70619fa300
SHA256 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03
SHA512 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8

memory/1156-458-0x000000000BE00000-0x000000000BE6C000-memory.dmp

C:\Users\Admin\Desktop\GeoIP.dat

MD5 797b96cc417d0cde72e5c25d0898e95e
SHA1 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13
SHA256 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426
SHA512 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

C:\Users\Admin\Desktop\FC\act.dll

MD5 40514fa1bab88f1b8c4c2a42d361f67c
SHA1 9794f98cb73d50754d595cc80f7b569672c5ef5d
SHA256 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120
SHA512 a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0

C:\Users\Admin\Desktop\FC\anti.dll

MD5 ab646175867b7602f2497f3e8a8bb8e6
SHA1 7e5bc0df0baf3771b9c730ac437c9867a783c498
SHA256 b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524
SHA512 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82

C:\Users\Admin\Desktop\FC\cam.dll

MD5 53c61c80bb073884c1fcbcea16ecd560
SHA1 92cce9d3530d809374faab056192e1a6f5c19160
SHA256 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3
SHA512 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825

C:\Users\Admin\Desktop\FC\anx.dll

MD5 0f52530cf216a3cf65fd195c8b29768d
SHA1 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b
SHA256 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962
SHA512 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83

C:\Users\Admin\Desktop\FC\ch.dll

MD5 aa4870d649a3709bfddcfbaa3be12e90
SHA1 344e33f0244179d216a90825689fdefd179a3210
SHA256 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7
SHA512 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451

C:\Users\Admin\Desktop\FC\cli.dll

MD5 97e16f9fb839e5652761af079427cec4
SHA1 4bde74a8c94bec78567fe8948eb7f2579eea3ed7
SHA256 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9
SHA512 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9

C:\Users\Admin\Desktop\FC\coc.dll

MD5 ab8dc285bd3f4fd4bd58fb49a3f65e4d
SHA1 445c759ee8981a1c43663a006f5fcbdd9f5bf319
SHA256 e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0
SHA512 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0

C:\Users\Admin\Desktop\FC\cok.dll

MD5 6351942835b3065c559ae71af3c10996
SHA1 7837b547591eba817f6d92e0b3a99175eb4c7442
SHA256 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600
SHA512 b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a

C:\Users\Admin\Desktop\FC\controll.dll

MD5 a6100771cd31317172da585f080f50bc
SHA1 e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0
SHA256 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72
SHA512 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086

C:\Users\Admin\Desktop\FC\hrr.dll

MD5 79faa389d1012d22994793a40ea7d288
SHA1 550c583107b9127e167e773ee6e65dd4266b66e8
SHA256 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09
SHA512 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0

C:\Users\Admin\Desktop\FC\hbr.dll

MD5 c60bcf5599f6a2446ce11fe4d82b52e3
SHA1 f440aad733cd7dffe813985a4af1ab61fd4309fc
SHA256 d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1
SHA512 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165

C:\Users\Admin\Desktop\FC\fun.dll

MD5 9a661d32fb534ed752f57dfb14f96c69
SHA1 3ae37dca061457507af0a371ddfce51834523d19
SHA256 af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614
SHA512 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94

C:\Users\Admin\Desktop\FC\dos.dll

MD5 367f115ade76ed85b0865fab6415c486
SHA1 1f13595c0503784050beb91563a37fc7eb8d3216
SHA256 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b
SHA512 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea

C:\Users\Admin\Desktop\FC\def.dll

MD5 4db7a9a39fced04abe373b263887dd57
SHA1 418475ee97c5d4bede51a48466fac4f7fe8956c1
SHA256 f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5
SHA512 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d

C:\Users\Admin\Desktop\FC\pass.dll

MD5 45dbcb506ff2209501c1c74fe51b2b79
SHA1 a8b28d69766c0bc167c95588b587d0577c97a0fb
SHA256 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258
SHA512 ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273

C:\Users\Admin\Desktop\FC\tory.dll

MD5 678bc4981407ec867997e49a55d6691b
SHA1 facadb46da06b69b5d534e4578b9b942e83c62d0
SHA256 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560
SHA512 c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf

C:\Users\Admin\Desktop\FC\so.dll

MD5 931891348ccb30d3de4d6364f7cf641e
SHA1 359f2ef6edced2fa3a38e939d035c90c46da1b7c
SHA256 a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79
SHA512 cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55

C:\Users\Admin\Desktop\FC\sc2.dll

MD5 f8ce280fc2b16762802e7d8b1799e9c4
SHA1 e73800699dd7ce099f6e71db602be062acd5cf8a
SHA256 e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64
SHA512 ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717

C:\Users\Admin\Desktop\FC\pw.dll

MD5 ed2dfe9eefb52ee6f371119142c8e438
SHA1 61071a2c97bd45fdcd95b3c3a14119c01e422cdc
SHA256 e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6
SHA512 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79

C:\Users\Admin\Desktop\FC\tcp.dll

MD5 4d83956c3b72011e05447df8f2522788
SHA1 572324b5108ebd219c9362bcde8d6f63b43539fe
SHA256 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986
SHA512 edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4

C:\Users\Admin\Desktop\FC\rdp.dll

MD5 274775cc533fd77c904487428df6d2e2
SHA1 17823bf9764563bb901ca9e54af330e14c0d1387
SHA256 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178
SHA512 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584

C:\Users\Admin\Desktop\FC\ngr.dll

MD5 34c65e48a13f441618d3fd7e0db4c1ac
SHA1 ad321099698d1c04110efd25132faa8c4771b1fc
SHA256 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0
SHA512 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16

C:\Users\Admin\Desktop\FC\msg.dll

MD5 5a1e62c6f25bddd882f748e51836cf5a
SHA1 cf2fdd68648e56777ec76687efed28d3fd3aea51
SHA256 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a
SHA512 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427

C:\Users\Admin\Desktop\FC\mic.dll

MD5 0492bf68d888d70a0b05208c45ef9e50
SHA1 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c
SHA256 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65
SHA512 f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686

C:\Users\Admin\Desktop\FC\manger.dll

MD5 76b3c4f07316739f10c3409c022df30d
SHA1 bad54af1377009ceb5bf1b4ff3f244e5237cfe1f
SHA256 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26
SHA512 eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5

C:\Users\Admin\Desktop\FC\loc.dll

MD5 fda72bed9a70f75440146b750b2838e7
SHA1 bfba56628ea9118c99e5379f719cfbc2a9d50cc2
SHA256 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193
SHA512 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e

C:\Users\Admin\Desktop\FC\inff.dll

MD5 282a383f16af77e6f0f3650b12e4f5cc
SHA1 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949
SHA256 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f
SHA512 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806

C:\Users\Admin\Desktop\FC\iff.dll

MD5 f1b53847815d72f5f12455a6a1812925
SHA1 860e77e979ec9d2e0b1bb80368a149b739abf640
SHA256 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1
SHA512 a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16

C:\Users\Admin\Desktop\FC\uac.dll

MD5 8f733c26b4dffc1844f7cf689dbb3040
SHA1 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6
SHA256 a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822
SHA512 c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d

C:\Users\Admin\Desktop\FC\uns.dll

MD5 f15ba8cca8dccae5f6e0f5f38d527ea6
SHA1 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25
SHA256 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298
SHA512 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b

C:\Users\Admin\Desktop\FC\vb.dll

MD5 fd3ca535716e7d32b23cc6bdc4ce808c
SHA1 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3
SHA256 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4
SHA512 f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190

C:\Users\Admin\Desktop\FC\vdp.dll

MD5 8246192765d26e1c2232c1a60729944b
SHA1 65d63482db444a9ff566abb82207d8f48c573da9
SHA256 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf
SHA512 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e

C:\Users\Admin\Desktop\FC\vnc.dll

MD5 0596dbbbcb6794def107e7d86789ca62
SHA1 36b39f496430c314432f0a6050e6ad022f88daff
SHA256 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32
SHA512 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5

C:\Users\Admin\Desktop\FC\xmr.dll

MD5 3f1323e572f60f6f63d447339d127fa7
SHA1 abf3f71c673ef48a606787e47ae976d9becc6576
SHA256 ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831
SHA512 af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1

memory/1156-496-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-497-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-498-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-499-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-500-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-501-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-502-0x0000000005E60000-0x0000000005E70000-memory.dmp

memory/1156-503-0x0000000032CC0000-0x0000000032DC0000-memory.dmp

memory/1156-504-0x0000000032CC0000-0x0000000032DC0000-memory.dmp