Analysis Overview
SHA256
137713b97b5c79056269e461c454cfff281fe2e1b6a1ab69e1c8302cb35aa9b8
Threat Level: Known bad
The file S-400 RAT v3.0.7z was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Nirsoft
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 14:51
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| 45 hits recorded; the report captures no per-file detail | N/A | N/A | N/A |
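The static run flags 45 unsigned PE files but records nothing per file. What that signature checks can be reproduced from the PE headers alone: the security data directory (index 4) points at the Authenticode certificate table, and it holds a raw file offset rather than an RVA because the blob sits outside every section; a zero-size entry means the file carries no signature at all. The code below is an added example, not part of this report or of the analysed software. It reads that entry from a PE's bytes and builds a constructed, header-only PE to exercise itself. A present certificate table only means the file is signed-shaped; it does not verify the signature or the chain, which needs signtool or osslsigncode.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if the PE has none.

    Only headers are read. Unlike the other data directories, the security entry's
    address field is a file offset, not an RVA.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                     # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                          # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                        # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                             # header too short to even carry the entry
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if size else None


def describe_signature(pe: bytes) -> dict:
    """Classify a PE as unsigned or Authenticode-bearing from its headers.

    'signed' means a PKCS#7 certificate table is present; nothing here checks that
    the signature verifies or that the signer is trusted.
    """
    entry = certificate_table(pe)
    if entry is None:
        return {"signed": False, "cert_type": None, "cert_len": 0, "table_size": 0}
    off, size = entry
    if off + 8 > len(pe):
        raise ValueError("certificate table points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)   # WIN_CERTIFICATE header
    return {"signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "cert_type": cert_type, "cert_len": length, "table_size": size}


def build_test_pe(with_cert: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE for exercising the parser; not a loadable image."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)        # all 16 data directories present
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if with_cert:
        payload = b"\x30\x00"                        # stand-in for a DER SignedData blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))     # file offset + size of the appended table
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

Run describe_signature over each dropped DLL and EXE from the Files section to reproduce the unsigned count; anything that does report a table should then go to a real verifier, since self-signed and tampered blobs also populate this directory.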
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-17 14:51
Reported
2024-03-17 15:29
Platform
win10v2004-20240226-en
Max time kernel
1792s
Max time network
1802s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| 4 hits recorded; the report captures no detail | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 11 loads recorded; DLL paths not captured | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| 4 hits recorded; the report captures no detail | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 4496 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3440 wrote to memory of 4496 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x51c
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 4716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 4696
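Several of the signature rows above are attributed to processes the detonation started, not to the sample. cmd.exe writing into 7zFM.exe (PID 3440 into 4496) is the parent filling in the child's process parameters during CreateProcess; 7zFM.exe enabling SeRestorePrivilege and creating CLSID keys is ordinary archiver behaviour; the Geo\Nation query is charged to cmd.exe; AUDIODG.EXE is the audio engine. The WerFault.exe command lines carry -p 3084, the PID whose memory dumps appear in the Files section, so the crash is the sample's. Rows with no process (Defender-disable code, Nirsoft, Agile.Net) are content matches on the dropped files and describe capability, not observed behaviour. The code below is an added example, not part of this report, that applies exactly that separation to rows copied from this run; the set of harness processes is an assumption of the triage, not a field the sandbox provides.

```python
import re

# Rows copied from the behavioral3 signature tables above: signature | description | process | target.
SIGNATURE_ROWS = r"""
Checks computer location settings | Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Executes dropped EXE | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A
Loads dropped DLL | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A
Program crash | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
Modifies registry class | Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Suspicious use of AdjustPrivilegeToken | Token: SeRestorePrivilege | C:\Program Files\7-Zip\7zFM.exe | N/A
Suspicious use of AdjustPrivilegeToken | Token: SeIncBasePriorityPrivilege | C:\Windows\system32\AUDIODG.EXE | N/A
Suspicious use of SetWindowsHookEx | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A
Suspicious use of SendNotifyMessage | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A
Suspicious use of WriteProcessMemory | PID 3440 wrote to memory of 4496 | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
Obfuscated with Agile.Net obfuscator | N/A | N/A | N/A
Contains code to disable Windows Defender | N/A | N/A | N/A
"""

# Process command lines and memory-dump names copied from the same run.
PROCESS_CMDLINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"',
    r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"',
    r'"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3084 -ip 3084",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 4716",
]
MEMORY_DUMPS = [
    "memory/3084-412-0x0000000074D90000-0x0000000075540000-memory.dmp",
    "memory/3084-413-0x0000000000790000-0x0000000001250000-memory.dmp",
]

# Processes the harness or the OS start on their own. Behaviour charged to them is not the
# sample's. This set is an assumption of the triage, not something the report states.
HARNESS = {"cmd.exe", "7zfm.exe", "audiodg.exe", "werfault.exe", "msedge.exe"}
SAMPLE = "S-400 RAT v3.0.exe"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text: str):
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def triage(rows, sample: str = SAMPLE) -> dict:
    """Bucket signature rows by who actually performed the action."""
    sample = sample.lower()
    out = {"sample": [], "crash_of_sample": [], "harness": [], "static_only": [], "other": []}
    for sig, desc, proc, target in rows:
        if proc == "N/A":
            out["static_only"].append(sig)          # content match on dropped files; nothing ran
        elif basename(proc) == "werfault.exe" and basename(target) == sample:
            out["crash_of_sample"].append(sig)      # WER reporting on the sample, not the sample acting
        elif basename(proc) == sample:
            out["sample"].append((sig, desc))
        elif basename(proc) in HARNESS:
            out["harness"].append((sig, basename(proc), desc))
        else:
            out["other"].append((sig, proc, desc))  # anything unexpected deserves a manual look
    return out


def crashed_pids(cmdlines) -> set:
    """PIDs WerFault was started for; '-p <pid>' names the faulting process."""
    pids = set()
    for cmd in cmdlines:
        if "werfault.exe" in cmd.lower():
            m = re.search(r"-p\s+(\d+)", cmd)
            if m:
                pids.add(int(m.group(1)))
    return pids


def dumps_for_pid(dump_names, pid: int):
    """Memory dumps the sandbox took of the given PID (names are 'memory/<pid>-...')."""
    return [d for d in dump_names if d.startswith(f"memory/{pid}-")]
```

With the full tables fed in, the "sample" bucket is what belongs in a behavioural write-up (SetWindowsHookEx, SendNotifyMessage, FindShellTrayWindow, the dropped-DLL loads); the "harness" bucket explains the WriteProcessMemory and AdjustPrivilegeToken hits without invoking injection or privilege abuse.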
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
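Every row in this table is either a DNS query to 8.8.8.8 or TLS to Microsoft or Google hosts the detonation VM's Edge and Windows components contact on their own, and the table attaches no process to any row, so it does not show the sample talking to anything. The in-addr.arpa names are the VM reverse-resolving peers it spoke to; reversing the octets recovers those IPs, and two of them (20.190.160.20 and 192.229.221.95) never appear as a destination, which means traffic occurred that this table does not list. The code below is an added example, not part of this report, that applies that reasoning to rows copied from above; the list of benign suffixes is an assumption of the filter and should match the sandbox image in use.

```python
import ipaddress

# Rows copied from the behavioral3 Network table above: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("FR", "142.250.179.106:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "8.8.8.8:53", "106.179.250.142.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Suffixes the VM's own Edge/Windows components talk to. This allow-list is an assumption
# of the filter, not something the report states; tune it to the sandbox image.
VM_NOISE_SUFFIXES = (".bing.com", ".bing.net", ".googleapis.com")


def ptr_to_ip(name: str):
    """Recover a.b.c.d from a 'd.c.b.a.in-addr.arpa' PTR name; None for forward lookups."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_vm_noise(domain: str) -> bool:
    return domain.endswith(VM_NOISE_SUFFIXES)


def summarise(rows) -> dict:
    """Separate DNS chatter from real connections and flag what the table leaves unexplained."""
    connected = {}                  # destination ip -> domains seen on non-DNS connections
    forward, ptr_ips = set(), set()
    for _country, dest, domain, _proto in rows:
        ip, port = dest.rsplit(":", 1)
        if port == "53":
            ip_from_ptr = ptr_to_ip(domain)
            if ip_from_ptr:
                ptr_ips.add(ip_from_ptr)    # the VM reverse-resolved a peer it had spoken to
            else:
                forward.add(domain)
        else:
            connected.setdefault(ip, set()).add(domain)
    candidate_c2 = sorted({d for ds in connected.values() for d in ds if not is_vm_noise(d)}
                          | {d for d in forward if not is_vm_noise(d)})
    return {
        "connected_ips": sorted(connected),
        "candidate_c2": candidate_c2,
        # reverse-resolved peers with no connection row: traffic this table does not show
        "unexplained_ptr_ips": sorted(ptr_ips - set(connected)),
    }
```

An empty candidate_c2 with non-empty unexplained_ptr_ips is the honest reading of this run: no C2 is visible, and the report also cannot rule one out.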
Files
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
| MD5 | a39a575da05f3dddeda3508b992f41ee |
| SHA1 | 1cfb7c32b81d22d6bded1bcfe07e6b86769df7f0 |
| SHA256 | 69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95 |
| SHA512 | 2bae0dcbeb9f28c2f20ad5e5103eaf4d6824d4a7f33f59e57f9ac151c898089f919c6e5ef980a56d4025ee32812ce985be0b3d7799ca72f1851caffae749683a |
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
| MD5 | 70ad1ec4b2ada050e2c95d9a55562e3d |
| SHA1 | 64fbc9fbaf8e8c96250cc60c6147469fe7fd230b |
| SHA256 | 1533807306717b08b2690bf19f15e08f37d1070e4d9275134dab53305e59d3a6 |
| SHA512 | c110c11c88e5484f78abea5d5586e89859398c26c476dfb0455a5ff28479997fb3c6bc6b8cb3823a6617c9231d5c054de9be5adee83af298cec5bb3e24590836 |
memory/3084-412-0x0000000074D90000-0x0000000075540000-memory.dmp
memory/3084-413-0x0000000000790000-0x0000000001250000-memory.dmp
memory/3084-414-0x0000000005C00000-0x0000000005C9C000-memory.dmp
memory/3084-415-0x0000000006250000-0x00000000067F4000-memory.dmp
memory/3084-416-0x0000000005D40000-0x0000000005DD2000-memory.dmp
memory/3084-417-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-418-0x0000000005D00000-0x0000000005D0A000-memory.dmp
memory/3084-419-0x0000000005F70000-0x0000000005FC6000-memory.dmp
C:\Users\Admin\Desktop\Guna.UI2.dll
| MD5 | 0f07705bd42d86d77dab085c42775244 |
| SHA1 | 7e4b5c367183f4753a8d610e353c458c3def3888 |
| SHA256 | cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443 |
| SHA512 | 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0 |
C:\Users\Admin\Desktop\Guna.UI2.dll
| MD5 | 2540ef45fbd7511c029635a1ec0af045 |
| SHA1 | bd12ba4d37f8fc42b3b11a7293fa4e3823e65caf |
| SHA256 | 6782523460e5b87367cf95f941deb35ac24923ca44e7b4a871425eb6a8fc6e73 |
| SHA512 | f64deb8b85864052612f07b7e08b023070b1f09b6806bb42cd3d7f2669d8863b476127a032a372785fad37013a501705a873e2f0f296dbfa9e66573221e7a0c2 |
C:\Users\Admin\Desktop\Guna.UI2.dll
| MD5 | 9c02cab91bd7ac041530ac459b478f98 |
| SHA1 | b5dfb8e061fb0ee2b7d45509987d0ed2558c3abf |
| SHA256 | 7b88e240dac10e88837c0c9cbd29001eccc03b6b5443587e764eb4c9273fcb4d |
| SHA512 | 1b4da4efc3075fa62cff147e58ed915bbf10c2ecb160cc91167ec7c24337f2333ed564063ea05f5b345723050876892c9c07e0199bb7d4a1ef38fa9dcfd8a629 |
memory/3084-423-0x0000000006800000-0x00000000069F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/3084-429-0x00000000714B0000-0x00000000714E7000-memory.dmp
memory/3084-432-0x0000000073740000-0x00000000737C9000-memory.dmp
memory/3084-433-0x0000000074D90000-0x0000000075540000-memory.dmp
memory/3084-434-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-435-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-436-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-437-0x00000000714B0000-0x00000000714E7000-memory.dmp
memory/3084-438-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-439-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
C:\Users\Admin\Desktop\SQLABC_ModernUI.dll
| MD5 | da70e6d0b5cee1f9a69764e740f9c036 |
| SHA1 | 5848e0f7db830b29f8e542e04b025ec73b59c769 |
| SHA256 | 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360 |
| SHA512 | 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e |
memory/3084-443-0x000000000BC20000-0x000000000BC38000-memory.dmp
memory/3084-444-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
C:\Users\Admin\Desktop\API.dll
| MD5 | df1b7e8e22353b01a29cb972d054ee16 |
| SHA1 | 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7 |
| SHA256 | 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509 |
| SHA512 | 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7 |
memory/3084-448-0x0000000001AB0000-0x0000000001AC4000-memory.dmp
C:\Users\Admin\Desktop\WinMM.Net.dll
| MD5 | d4b80052c7b4093e10ce1f40ce74f707 |
| SHA1 | 2494a38f1c0d3a0aa9b31cf0650337cacc655697 |
| SHA256 | 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46 |
| SHA512 | 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450 |
memory/3084-452-0x0000000001B20000-0x0000000001B32000-memory.dmp
C:\Users\Admin\Desktop\zxing.dll
| MD5 | ce9aaa0fbc6a2bbf063b044537db1dfc |
| SHA1 | 0d2f94a52de141eeeb456c350ede8e70619fa300 |
| SHA256 | 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03 |
| SHA512 | 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8 |
memory/3084-456-0x000000000BD60000-0x000000000BDCC000-memory.dmp
C:\Users\Admin\Desktop\GeoIP.dat
| MD5 | 797b96cc417d0cde72e5c25d0898e95e |
| SHA1 | 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13 |
| SHA256 | 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426 |
| SHA512 | 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882 |
C:\Users\Admin\Desktop\FC\act.dll
| MD5 | 40514fa1bab88f1b8c4c2a42d361f67c |
| SHA1 | 9794f98cb73d50754d595cc80f7b569672c5ef5d |
| SHA256 | 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120 |
| SHA512 | a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0 |
C:\Users\Admin\Desktop\FC\anx.dll
| MD5 | 0f52530cf216a3cf65fd195c8b29768d |
| SHA1 | 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b |
| SHA256 | 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962 |
| SHA512 | 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83 |
C:\Users\Admin\Desktop\FC\anti.dll
| MD5 | ab646175867b7602f2497f3e8a8bb8e6 |
| SHA1 | 7e5bc0df0baf3771b9c730ac437c9867a783c498 |
| SHA256 | b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524 |
| SHA512 | 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82 |
C:\Users\Admin\Desktop\FC\cam.dll
| MD5 | 53c61c80bb073884c1fcbcea16ecd560 |
| SHA1 | 92cce9d3530d809374faab056192e1a6f5c19160 |
| SHA256 | 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3 |
| SHA512 | 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825 |
C:\Users\Admin\Desktop\FC\ch.dll
| MD5 | aa4870d649a3709bfddcfbaa3be12e90 |
| SHA1 | 344e33f0244179d216a90825689fdefd179a3210 |
| SHA256 | 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7 |
| SHA512 | 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451 |
C:\Users\Admin\Desktop\FC\cli.dll
| MD5 | 97e16f9fb839e5652761af079427cec4 |
| SHA1 | 4bde74a8c94bec78567fe8948eb7f2579eea3ed7 |
| SHA256 | 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9 |
| SHA512 | 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9 |
C:\Users\Admin\Desktop\FC\cok.dll
| MD5 | 6351942835b3065c559ae71af3c10996 |
| SHA1 | 7837b547591eba817f6d92e0b3a99175eb4c7442 |
| SHA256 | 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600 |
| SHA512 | b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a |
C:\Users\Admin\Desktop\FC\coc.dll
| MD5 | ab8dc285bd3f4fd4bd58fb49a3f65e4d |
| SHA1 | 445c759ee8981a1c43663a006f5fcbdd9f5bf319 |
| SHA256 | e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0 |
| SHA512 | 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0 |
C:\Users\Admin\Desktop\FC\controll.dll
| MD5 | a6100771cd31317172da585f080f50bc |
| SHA1 | e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0 |
| SHA256 | 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72 |
| SHA512 | 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086 |
C:\Users\Admin\Desktop\FC\dos.dll
| MD5 | 367f115ade76ed85b0865fab6415c486 |
| SHA1 | 1f13595c0503784050beb91563a37fc7eb8d3216 |
| SHA256 | 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b |
| SHA512 | 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea |
C:\Users\Admin\Desktop\FC\def.dll
| MD5 | 4db7a9a39fced04abe373b263887dd57 |
| SHA1 | 418475ee97c5d4bede51a48466fac4f7fe8956c1 |
| SHA256 | f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5 |
| SHA512 | 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d |
C:\Users\Admin\Desktop\FC\inff.dll
| MD5 | 282a383f16af77e6f0f3650b12e4f5cc |
| SHA1 | 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949 |
| SHA256 | 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f |
| SHA512 | 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806 |
C:\Users\Admin\Desktop\FC\iff.dll
| MD5 | f1b53847815d72f5f12455a6a1812925 |
| SHA1 | 860e77e979ec9d2e0b1bb80368a149b739abf640 |
| SHA256 | 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1 |
| SHA512 | a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16 |
C:\Users\Admin\Desktop\FC\hrr.dll
| MD5 | 79faa389d1012d22994793a40ea7d288 |
| SHA1 | 550c583107b9127e167e773ee6e65dd4266b66e8 |
| SHA256 | 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09 |
| SHA512 | 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0 |
C:\Users\Admin\Desktop\FC\hbr.dll
| MD5 | c60bcf5599f6a2446ce11fe4d82b52e3 |
| SHA1 | f440aad733cd7dffe813985a4af1ab61fd4309fc |
| SHA256 | d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1 |
| SHA512 | 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165 |
C:\Users\Admin\Desktop\FC\fun.dll
| MD5 | 9a661d32fb534ed752f57dfb14f96c69 |
| SHA1 | 3ae37dca061457507af0a371ddfce51834523d19 |
| SHA256 | af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614 |
| SHA512 | 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94 |
C:\Users\Admin\Desktop\FC\manger.dll
| MD5 | 76b3c4f07316739f10c3409c022df30d |
| SHA1 | bad54af1377009ceb5bf1b4ff3f244e5237cfe1f |
| SHA256 | 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26 |
| SHA512 | eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5 |
C:\Users\Admin\Desktop\FC\rdp.dll
| MD5 | 274775cc533fd77c904487428df6d2e2 |
| SHA1 | 17823bf9764563bb901ca9e54af330e14c0d1387 |
| SHA256 | 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178 |
| SHA512 | 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584 |
C:\Users\Admin\Desktop\FC\tory.dll
| MD5 | 678bc4981407ec867997e49a55d6691b |
| SHA1 | facadb46da06b69b5d534e4578b9b942e83c62d0 |
| SHA256 | 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560 |
| SHA512 | c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf |
C:\Users\Admin\Desktop\FC\tcp.dll
| MD5 | 4d83956c3b72011e05447df8f2522788 |
| SHA1 | 572324b5108ebd219c9362bcde8d6f63b43539fe |
| SHA256 | 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986 |
| SHA512 | edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4 |
C:\Users\Admin\Desktop\FC\so.dll
| MD5 | 931891348ccb30d3de4d6364f7cf641e |
| SHA1 | 359f2ef6edced2fa3a38e939d035c90c46da1b7c |
| SHA256 | a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79 |
| SHA512 | cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55 |
C:\Users\Admin\Desktop\FC\sc2.dll
| MD5 | f8ce280fc2b16762802e7d8b1799e9c4 |
| SHA1 | e73800699dd7ce099f6e71db602be062acd5cf8a |
| SHA256 | e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64 |
| SHA512 | ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717 |
C:\Users\Admin\Desktop\FC\pw.dll
| MD5 | ed2dfe9eefb52ee6f371119142c8e438 |
| SHA1 | 61071a2c97bd45fdcd95b3c3a14119c01e422cdc |
| SHA256 | e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6 |
| SHA512 | 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79 |
C:\Users\Admin\Desktop\FC\pass.dll
| MD5 | 45dbcb506ff2209501c1c74fe51b2b79 |
| SHA1 | a8b28d69766c0bc167c95588b587d0577c97a0fb |
| SHA256 | 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258 |
| SHA512 | ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273 |
C:\Users\Admin\Desktop\FC\ngr.dll
| MD5 | 34c65e48a13f441618d3fd7e0db4c1ac |
| SHA1 | ad321099698d1c04110efd25132faa8c4771b1fc |
| SHA256 | 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0 |
| SHA512 | 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16 |
C:\Users\Admin\Desktop\FC\msg.dll
| MD5 | 5a1e62c6f25bddd882f748e51836cf5a |
| SHA1 | cf2fdd68648e56777ec76687efed28d3fd3aea51 |
| SHA256 | 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a |
| SHA512 | 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427 |
C:\Users\Admin\Desktop\FC\mic.dll
| MD5 | 0492bf68d888d70a0b05208c45ef9e50 |
| SHA1 | 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c |
| SHA256 | 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65 |
| SHA512 | f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686 |
C:\Users\Admin\Desktop\FC\loc.dll
| MD5 | fda72bed9a70f75440146b750b2838e7 |
| SHA1 | bfba56628ea9118c99e5379f719cfbc2a9d50cc2 |
| SHA256 | 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193 |
| SHA512 | 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e |
C:\Users\Admin\Desktop\FC\uac.dll
| MD5 | 8f733c26b4dffc1844f7cf689dbb3040 |
| SHA1 | 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6 |
| SHA256 | a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822 |
| SHA512 | c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d |
C:\Users\Admin\Desktop\FC\vb.dll
| MD5 | fd3ca535716e7d32b23cc6bdc4ce808c |
| SHA1 | 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3 |
| SHA256 | 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4 |
| SHA512 | f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190 |
C:\Users\Admin\Desktop\FC\uns.dll
| MD5 | f15ba8cca8dccae5f6e0f5f38d527ea6 |
| SHA1 | 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25 |
| SHA256 | 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298 |
| SHA512 | 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b |
C:\Users\Admin\Desktop\FC\xmr.dll
| MD5 | 3f1323e572f60f6f63d447339d127fa7 |
| SHA1 | abf3f71c673ef48a606787e47ae976d9becc6576 |
| SHA256 | ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831 |
| SHA512 | af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1 |
C:\Users\Admin\Desktop\FC\vnc.dll
| MD5 | 0596dbbbcb6794def107e7d86789ca62 |
| SHA1 | 36b39f496430c314432f0a6050e6ad022f88daff |
| SHA256 | 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32 |
| SHA512 | 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5 |
C:\Users\Admin\Desktop\FC\vdp.dll
| MD5 | 8246192765d26e1c2232c1a60729944b |
| SHA1 | 65d63482db444a9ff566abb82207d8f48c573da9 |
| SHA256 | 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf |
| SHA512 | 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e |
memory/3084-492-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-493-0x0000000005CE0000-0x0000000005CF0000-memory.dmp
memory/3084-494-0x0000000074D90000-0x0000000075540000-memory.dmp
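The Files section is the reusable output of this report. The SHA256 values are strong indicators; the plugin basenames under FC\ (rdp.dll, vnc.dll, xmr.dll and the rest) are weak ones, since they are trivially renamed and collide with legitimate names. Note that the same path can appear more than once with different hashes (S-400 RAT v3.0.exe twice, Guna.UI2.dll three times): the sandbox hashes a file on every write, so partially extracted and final contents are both listed, and both hashes are worth keeping. The code below is an added example, not part of this report, that parses an excerpt of the section copied from above into those two indicator sets and sweeps a directory against them; the directory and its files are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Excerpt copied from the Files section of this run (a subset; the hashes are the report's own).
REPORT_FILES = r"""
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
| SHA256 | 69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95 |
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
| SHA256 | 1533807306717b08b2690bf19f15e08f37d1070e4d9275134dab53305e59d3a6 |
memory/3084-412-0x0000000074D90000-0x0000000075540000-memory.dmp
C:\Users\Admin\Desktop\FC\rdp.dll
| MD5 | 274775cc533fd77c904487428df6d2e2 |
| SHA256 | 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178 |
C:\Users\Admin\Desktop\FC\vnc.dll
| SHA256 | 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32 |
C:\Users\Admin\Desktop\FC\xmr.dll
| SHA256 | ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
SHA256_RE = re.compile(r"^\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|$")


def parse_file_hashes(text: str) -> dict:
    """Map each report path to every SHA256 recorded for it (a path may carry several)."""
    by_path, current = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            by_path.setdefault(current, set())
        elif line.startswith("memory/"):
            current = None                      # dump entries carry no hash table
        else:
            m = SHA256_RE.match(line)
            if m and current:
                by_path[current].add(m.group(1))
    return by_path


def ioc_sets(by_path: dict):
    strong = {h: p for p, hashes in by_path.items() for h in hashes}   # sha256 -> report path
    weak = {p.rsplit("\\", 1)[-1].lower() for p in by_path}            # basenames: low confidence
    return strong, weak


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str, strong: dict, weak: set):
    """Walk root; report ('hash', file, report_path) for exact matches, ('name', file, name) for weak ones."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in strong:
                hits.append(("hash", full, strong[digest]))
            elif name.lower() in weak:
                hits.append(("name", full, name))
    return hits


def demo() -> list:
    """Constructed directory: a decoy rdp.dll with made-up content (weak hit only) and a file
    whose hash is planted into the strong set under a hypothetical label (strong hit)."""
    strong, weak = ioc_sets(parse_file_hashes(REPORT_FILES))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "rdp.dll"), "wb") as f:
            f.write(b"constructed decoy, not the real plugin\n")
        planted = os.path.join(root, "renamed.bin")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a dropped file\n")
        strong[sha256_file(planted)] = "<hypothetical report path for the demo>"
        return sorted(kind for kind, _file, _ref in scan(root, strong, weak))
```

Feed the whole Files section, not the excerpt, when building the real indicator set, and treat "name" hits as a prompt to pull the file for hashing rather than as a verdict.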
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-17 14:51
Reported
2024-03-17 15:35
Platform
win11-20240221-en
Max time kernel
1483s
Max time network
1508s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| 4 hits recorded; the report captures no detail | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 11 loads recorded; DLL paths not captured | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3896 wrote to memory of 2208 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3896 wrote to memory of 2208 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
C:\Users\Admin\Desktop\Guna.UI2.dll
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
C:\Users\Admin\Desktop\SQLABC_ModernUI.dll
C:\Users\Admin\Desktop\API.dll
C:\Users\Admin\Desktop\WinMM.Net.dll
C:\Users\Admin\Desktop\zxing.dll
C:\Users\Admin\Desktop\GeoIP.dat
C:\Users\Admin\Desktop\FC\act.dll
C:\Users\Admin\Desktop\FC\anx.dll
C:\Users\Admin\Desktop\FC\anti.dll
C:\Users\Admin\Desktop\FC\ch.dll
C:\Users\Admin\Desktop\FC\cam.dll
C:\Users\Admin\Desktop\FC\cli.dll
C:\Users\Admin\Desktop\FC\cok.dll
C:\Users\Admin\Desktop\FC\coc.dll
C:\Users\Admin\Desktop\FC\controll.dll
C:\Users\Admin\Desktop\FC\def.dll
C:\Users\Admin\Desktop\FC\dos.dll
C:\Users\Admin\Desktop\FC\fun.dll
C:\Users\Admin\Desktop\FC\hbr.dll
C:\Users\Admin\Desktop\FC\hrr.dll
C:\Users\Admin\Desktop\FC\iff.dll
C:\Users\Admin\Desktop\FC\ngr.dll
C:\Users\Admin\Desktop\FC\msg.dll
C:\Users\Admin\Desktop\FC\mic.dll
C:\Users\Admin\Desktop\FC\manger.dll
C:\Users\Admin\Desktop\FC\loc.dll
C:\Users\Admin\Desktop\FC\inff.dll
C:\Users\Admin\Desktop\FC\tory.dll
C:\Users\Admin\Desktop\FC\tcp.dll
C:\Users\Admin\Desktop\FC\so.dll
C:\Users\Admin\Desktop\FC\sc2.dll
C:\Users\Admin\Desktop\FC\rdp.dll
C:\Users\Admin\Desktop\FC\pw.dll
C:\Users\Admin\Desktop\FC\pass.dll
C:\Users\Admin\Desktop\FC\uac.dll
C:\Users\Admin\Desktop\FC\vnc.dll
C:\Users\Admin\Desktop\FC\xmr.dll
C:\Users\Admin\Desktop\FC\vdp.dll
C:\Users\Admin\Desktop\FC\vb.dll
C:\Users\Admin\Desktop\FC\uns.dll
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 14:51
Reported
2024-03-17 15:28
Platform
win7-20240221-en
Max time kernel
1558s
Max time network
1559s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2320 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2320 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
Network
Files
\Users\Admin\Desktop\vncviewer.exe
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
C:\Users\Admin\Desktop\Guna.UI2.dll
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
C:\Users\Admin\Desktop\SQLABC_ModernUI.dll
C:\Users\Admin\Desktop\API.dll
\Users\Admin\Desktop\WinMM.Net.dll
C:\Users\Admin\Desktop\zxing.dll
C:\Users\Admin\Desktop\GeoIP.dat
C:\Users\Admin\Desktop\FC\act.dll
C:\Users\Admin\Desktop\FC\anti.dll
C:\Users\Admin\Desktop\FC\anx.dll
C:\Users\Admin\Desktop\FC\cam.dll
C:\Users\Admin\Desktop\FC\ch.dll
C:\Users\Admin\Desktop\FC\cli.dll
C:\Users\Admin\Desktop\FC\cok.dll
C:\Users\Admin\Desktop\FC\coc.dll
C:\Users\Admin\Desktop\FC\controll.dll
C:\Users\Admin\Desktop\FC\mic.dll
C:\Users\Admin\Desktop\FC\manger.dll
C:\Users\Admin\Desktop\FC\loc.dll
C:\Users\Admin\Desktop\FC\inff.dll
C:\Users\Admin\Desktop\FC\iff.dll
C:\Users\Admin\Desktop\FC\hrr.dll
C:\Users\Admin\Desktop\FC\hbr.dll
C:\Users\Admin\Desktop\FC\fun.dll
C:\Users\Admin\Desktop\FC\dos.dll
C:\Users\Admin\Desktop\FC\def.dll
| MD5 | 4db7a9a39fced04abe373b263887dd57 |
| SHA1 | 418475ee97c5d4bede51a48466fac4f7fe8956c1 |
| SHA256 | f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5 |
| SHA512 | 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d |
C:\Users\Admin\Desktop\FC\tory.dll
| MD5 | 678bc4981407ec867997e49a55d6691b |
| SHA1 | facadb46da06b69b5d534e4578b9b942e83c62d0 |
| SHA256 | 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560 |
| SHA512 | c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf |
C:\Users\Admin\Desktop\FC\tcp.dll
| MD5 | 4d83956c3b72011e05447df8f2522788 |
| SHA1 | 572324b5108ebd219c9362bcde8d6f63b43539fe |
| SHA256 | 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986 |
| SHA512 | edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4 |
C:\Users\Admin\Desktop\FC\so.dll
| MD5 | 931891348ccb30d3de4d6364f7cf641e |
| SHA1 | 359f2ef6edced2fa3a38e939d035c90c46da1b7c |
| SHA256 | a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79 |
| SHA512 | cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55 |
C:\Users\Admin\Desktop\FC\sc2.dll
| MD5 | f8ce280fc2b16762802e7d8b1799e9c4 |
| SHA1 | e73800699dd7ce099f6e71db602be062acd5cf8a |
| SHA256 | e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64 |
| SHA512 | ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717 |
C:\Users\Admin\Desktop\FC\rdp.dll
| MD5 | 274775cc533fd77c904487428df6d2e2 |
| SHA1 | 17823bf9764563bb901ca9e54af330e14c0d1387 |
| SHA256 | 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178 |
| SHA512 | 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584 |
C:\Users\Admin\Desktop\FC\pw.dll
| MD5 | ed2dfe9eefb52ee6f371119142c8e438 |
| SHA1 | 61071a2c97bd45fdcd95b3c3a14119c01e422cdc |
| SHA256 | e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6 |
| SHA512 | 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79 |
C:\Users\Admin\Desktop\FC\pass.dll
| MD5 | 45dbcb506ff2209501c1c74fe51b2b79 |
| SHA1 | a8b28d69766c0bc167c95588b587d0577c97a0fb |
| SHA256 | 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258 |
| SHA512 | ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273 |
C:\Users\Admin\Desktop\FC\ngr.dll
| MD5 | 34c65e48a13f441618d3fd7e0db4c1ac |
| SHA1 | ad321099698d1c04110efd25132faa8c4771b1fc |
| SHA256 | 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0 |
| SHA512 | 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16 |
C:\Users\Admin\Desktop\FC\msg.dll
| MD5 | 5a1e62c6f25bddd882f748e51836cf5a |
| SHA1 | cf2fdd68648e56777ec76687efed28d3fd3aea51 |
| SHA256 | 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a |
| SHA512 | 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427 |
C:\Users\Admin\Desktop\FC\uac.dll
| MD5 | 8f733c26b4dffc1844f7cf689dbb3040 |
| SHA1 | 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6 |
| SHA256 | a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822 |
| SHA512 | c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d |
C:\Users\Admin\Desktop\FC\uns.dll
| MD5 | f15ba8cca8dccae5f6e0f5f38d527ea6 |
| SHA1 | 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25 |
| SHA256 | 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298 |
| SHA512 | 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b |
C:\Users\Admin\Desktop\FC\vdp.dll
| MD5 | 8246192765d26e1c2232c1a60729944b |
| SHA1 | 65d63482db444a9ff566abb82207d8f48c573da9 |
| SHA256 | 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf |
| SHA512 | 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e |
C:\Users\Admin\Desktop\FC\vb.dll
| MD5 | fd3ca535716e7d32b23cc6bdc4ce808c |
| SHA1 | 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3 |
| SHA256 | 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4 |
| SHA512 | f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190 |
C:\Users\Admin\Desktop\FC\xmr.dll
| MD5 | 3f1323e572f60f6f63d447339d127fa7 |
| SHA1 | abf3f71c673ef48a606787e47ae976d9becc6576 |
| SHA256 | ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831 |
| SHA512 | af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1 |
C:\Users\Admin\Desktop\FC\vnc.dll
| MD5 | 0596dbbbcb6794def107e7d86789ca62 |
| SHA1 | 36b39f496430c314432f0a6050e6ad022f88daff |
| SHA256 | 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32 |
| SHA512 | 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5 |
memory/1416-1127-0x000000000EA40000-0x000000000EB40000-memory.dmp
memory/1416-1128-0x000000000EA40000-0x000000000EB40000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 14:51
Reported
2024-03-17 15:29
Platform
win10-20240221-en
Max time kernel
1509s
Max time network
1605s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (raw privilege LUID; SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 (raw privilege LUID; SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S-400 RAT v3.0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4132 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 4132 wrote to memory of 1956 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
"C:\Users\Admin\Desktop\S-400 RAT v3.0.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
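The three rows above are reverse-DNS (PTR) queries sent to the public resolver 8.8.8.8, not connections to a command-and-control host: an `in-addr.arpa` name carries the octets of the address being looked up in reverse order, so `13.227.111.52.in-addr.arpa` is a lookup of 52.111.227.13. The script below is an added example, not part of the report or of the sandbox's tooling. It parses the Network table as printed, turns each PTR name back into the address that was queried, and separates that from the host the sample actually contacted (the Destination column). It also handles `ip6.arpa` nibble names, which the report does not contain, so the same helper works on other sandbox runs.

```python
import ipaddress
import re

# The three rows of the behavioral2 Network table above, copied from the report.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
"""

# One "| Country | Destination | Domain | Proto |" row of the report's table.
ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<destination>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def ptr_to_ip(name: str) -> str:
    """Recover the address a reverse-DNS name refers to.

    in-addr.arpa names hold the four IPv4 octets reversed; ip6.arpa names hold the
    32 IPv6 nibbles reversed. Raises ValueError for anything that is not a PTR name.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"not a full IPv4 PTR name: {name}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"not a full IPv6 PTR name: {name}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-DNS name: {name}")


def decode_network_table(rows: str) -> list[dict]:
    """Parse the table rows; annotate PTR rows with the address that was queried."""
    records = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or unrelated text
        rec = m.groupdict()
        try:
            rec["queried_ip"] = ptr_to_ip(rec["domain"])
            rec["query_kind"] = "PTR"
        except ValueError:
            rec["queried_ip"] = None
            rec["query_kind"] = "forward"
        records.append(rec)
    return records


def contacted_hosts(records: list[dict]) -> set[str]:
    """Hosts the sample actually sent packets to: the Destination column only.

    The PTR targets are names it asked about, not peers it connected to.
    """
    return {r["destination"].rsplit(":", 1)[0] for r in records}


if __name__ == "__main__":
    recs = decode_network_table(NETWORK_ROWS)
    for r in recs:
        print(f"{r['query_kind']:7} {r['domain']:35} -> {r['queried_ip']}")
    print("contacted:", sorted(contacted_hosts(recs)))
```

Read together with the 1605 s network window of this run, the result is that the only peer on the wire was the resolver; the three reverse lookups are worth pivoting on (who owns those addresses) but are not themselves evidence of a beacon.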
Files
C:\Users\Admin\Desktop\S-400 RAT v3.0.exe
| MD5 | a39a575da05f3dddeda3508b992f41ee |
| SHA1 | 1cfb7c32b81d22d6bded1bcfe07e6b86769df7f0 |
| SHA256 | 69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95 |
| SHA512 | 2bae0dcbeb9f28c2f20ad5e5103eaf4d6824d4a7f33f59e57f9ac151c898089f919c6e5ef980a56d4025ee32812ce985be0b3d7799ca72f1851caffae749683a |
memory/1156-412-0x0000000073C50000-0x000000007433E000-memory.dmp
memory/1156-413-0x00000000007C0000-0x0000000001280000-memory.dmp
memory/1156-414-0x0000000005BA0000-0x0000000005C3C000-memory.dmp
memory/1156-415-0x0000000006140000-0x000000000663E000-memory.dmp
memory/1156-416-0x0000000005C40000-0x0000000005CD2000-memory.dmp
memory/1156-417-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-418-0x0000000003840000-0x000000000384A000-memory.dmp
memory/1156-419-0x0000000005D70000-0x0000000005DC6000-memory.dmp
C:\Users\Admin\Desktop\Guna.UI2.dll
| MD5 | 0f07705bd42d86d77dab085c42775244 |
| SHA1 | 7e4b5c367183f4753a8d610e353c458c3def3888 |
| SHA256 | cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443 |
| SHA512 | 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0 |
memory/1156-423-0x0000000006640000-0x0000000006832000-memory.dmp
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/1156-432-0x0000000072650000-0x00000000726D0000-memory.dmp
memory/1156-431-0x0000000070AD0000-0x0000000070B07000-memory.dmp
memory/1156-433-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-434-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-435-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-436-0x0000000073C50000-0x000000007433E000-memory.dmp
memory/1156-437-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-438-0x0000000070AD0000-0x0000000070B07000-memory.dmp
memory/1156-439-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-440-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-441-0x0000000005E60000-0x0000000005E70000-memory.dmp
C:\Users\Admin\Desktop\SQLABC_ModernUI.dll
| MD5 | da70e6d0b5cee1f9a69764e740f9c036 |
| SHA1 | 5848e0f7db830b29f8e542e04b025ec73b59c769 |
| SHA256 | 5f3ed3d5e8d96cc6541a386302b78bc05a41db4b25dd5b9934697acc2e672360 |
| SHA512 | 2eb852b8ce57fcb1389f37de481d5750b6399ce0de8de1f3c441347d19454fefb907b07f61a3dcd6248939b7a40e34d88a0755d753ca382aee03573788018e6e |
memory/1156-445-0x000000000BAB0000-0x000000000BAC8000-memory.dmp
memory/1156-446-0x0000000005E60000-0x0000000005E70000-memory.dmp
C:\Users\Admin\Desktop\API.dll
| MD5 | df1b7e8e22353b01a29cb972d054ee16 |
| SHA1 | 27df441b511a5f4aea9a24b54cddb8d7b5fdbdd7 |
| SHA256 | 9eeea1447ac2fadce2b6dbdd73a607052007f2e3c4381336e3e31450a5092509 |
| SHA512 | 271b8ad7d51c379b0a21adcd9f1a8bf2a9f239ef5174b7d7ce9567e09aaa361a90988d63cccb6ab2b71f6936a42ecddc9f9a424a4feca1ea925cc57458e8ebd7 |
memory/1156-450-0x000000000A330000-0x000000000A344000-memory.dmp
C:\Users\Admin\Desktop\WinMM.Net.dll
| MD5 | d4b80052c7b4093e10ce1f40ce74f707 |
| SHA1 | 2494a38f1c0d3a0aa9b31cf0650337cacc655697 |
| SHA256 | 59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46 |
| SHA512 | 3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450 |
memory/1156-454-0x000000000BD30000-0x000000000BD42000-memory.dmp
C:\Users\Admin\Desktop\zxing.dll
| MD5 | ce9aaa0fbc6a2bbf063b044537db1dfc |
| SHA1 | 0d2f94a52de141eeeb456c350ede8e70619fa300 |
| SHA256 | 6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03 |
| SHA512 | 679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8 |
memory/1156-458-0x000000000BE00000-0x000000000BE6C000-memory.dmp
C:\Users\Admin\Desktop\GeoIP.dat
| MD5 | 797b96cc417d0cde72e5c25d0898e95e |
| SHA1 | 8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13 |
| SHA256 | 8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426 |
| SHA512 | 9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882 |
C:\Users\Admin\Desktop\FC\act.dll
| MD5 | 40514fa1bab88f1b8c4c2a42d361f67c |
| SHA1 | 9794f98cb73d50754d595cc80f7b569672c5ef5d |
| SHA256 | 44e9418e96f5eb466f79b77b4e9fe550f392ae84cc5f335faf4adb8d1f02c120 |
| SHA512 | a8d1c32245d8c4c93137631ec9026fb05abb5261d0ee3cca2f32f378bb54184d1d3c8d32c7916bce1c63243e929b5ab8601c82351902587f16b5b43119031de0 |
C:\Users\Admin\Desktop\FC\anti.dll
| MD5 | ab646175867b7602f2497f3e8a8bb8e6 |
| SHA1 | 7e5bc0df0baf3771b9c730ac437c9867a783c498 |
| SHA256 | b6d8c15ecfe75c7f1a3082ce202cb85ee84450bb95f83e0e1d8f202036571524 |
| SHA512 | 92bcf728a8f6ed3e79512acd7d5aad4b65c8266a03e6ea325727f6539e51799d97f4b3bd0a158786e4f59785cb7dde0d2eb951b2d7c7f7e000a119d4a9b1eb82 |
C:\Users\Admin\Desktop\FC\cam.dll
| MD5 | 53c61c80bb073884c1fcbcea16ecd560 |
| SHA1 | 92cce9d3530d809374faab056192e1a6f5c19160 |
| SHA256 | 2a7e9a9765017dce6b02efd2959f7fe663b07dbf763f136a27489be2c297aff3 |
| SHA512 | 39f0a6ccd9f1b8c261a93d34f47fb704ce853358fe0446b3e9053433f9f979fa728f9c7e8d95880fdc2b045fe5b09ccea4745fd910cbed4775f193f19a91b825 |
C:\Users\Admin\Desktop\FC\anx.dll
| MD5 | 0f52530cf216a3cf65fd195c8b29768d |
| SHA1 | 4675f8ddd03ab1fe6de9a4d5c2c1b4511ec5bc5b |
| SHA256 | 40d7c2fab8c23cb959842c8d74eff8541a4b1c1dcbec99806e3c92e7f990d962 |
| SHA512 | 42035cd7075d4019fbc42b2ae470a4c224e121c47a41925e3fec2f344aa298e1e2c95118ee0ba6a53f9ae8adf0ccf94381b21fb3b5caf2b90c28936cbc1d0c83 |
C:\Users\Admin\Desktop\FC\ch.dll
| MD5 | aa4870d649a3709bfddcfbaa3be12e90 |
| SHA1 | 344e33f0244179d216a90825689fdefd179a3210 |
| SHA256 | 1b0ba67ac7bbc28a1d6da097d9e1da4aa313b18309e34462aaeffa508f4a2ed7 |
| SHA512 | 3111e99e0a58f8119da0afad5f8166af9a5082eeda60e39d2081aaf03070a048daaf0cfa1b0b68363e357745cd80664f6f5be3bf0d5bbb766f655ade80113451 |
C:\Users\Admin\Desktop\FC\cli.dll
| MD5 | 97e16f9fb839e5652761af079427cec4 |
| SHA1 | 4bde74a8c94bec78567fe8948eb7f2579eea3ed7 |
| SHA256 | 1ae34cb4a58d051f9ae65a5945a33b972b116853c6ed6e0c54f08bb9e9db6fd9 |
| SHA512 | 6fb05e7b0eb0d206750b24495310cc49f11a140f38bf45a84bc898d91db0dc5812f68283b729441a5d21d88d1da87c226196cf78b9cfaaec7b7cf2c96f787de9 |
C:\Users\Admin\Desktop\FC\coc.dll
| MD5 | ab8dc285bd3f4fd4bd58fb49a3f65e4d |
| SHA1 | 445c759ee8981a1c43663a006f5fcbdd9f5bf319 |
| SHA256 | e7141919938ade00145db46e91629e031c23cf37d4872005bd75205ad157f2d0 |
| SHA512 | 70810d48b8d6ca5f3a46d5b22b49d81efa1f9f9068379cbd557c67f55f338f741687d6490990bef1e33cd105f3045d3f6e10f8e0a25e4a1d42c44919a420f4a0 |
C:\Users\Admin\Desktop\FC\cok.dll
| MD5 | 6351942835b3065c559ae71af3c10996 |
| SHA1 | 7837b547591eba817f6d92e0b3a99175eb4c7442 |
| SHA256 | 84669285db4e007becaaadec559c0710e1c749b94faf99303b4bb7ed4ee8c600 |
| SHA512 | b60614dca2565675c097a66a29f504eb6507d5007881a4c25ff1718cd7c6532417a7aedff52ed52de94682f37191463ad846e421f8e0d836434145a9ce85cb6a |
C:\Users\Admin\Desktop\FC\controll.dll
| MD5 | a6100771cd31317172da585f080f50bc |
| SHA1 | e6bcfcb23d50571fd2b33646c1aa5d784e28e6b0 |
| SHA256 | 1331cba1d4dfa3d78c6624ea447f8ef1f4b8ebdea4383728386c643d3743cc72 |
| SHA512 | 82fde05be3bf0eb11582711f45db0ae78fae431a7c72d0515a83f117fe1f29efaaefb316319445e7c0d6cdecc904b4f010947ef695ba0106b26f84ce56abe086 |
C:\Users\Admin\Desktop\FC\hrr.dll
| MD5 | 79faa389d1012d22994793a40ea7d288 |
| SHA1 | 550c583107b9127e167e773ee6e65dd4266b66e8 |
| SHA256 | 4ac6d44ae49568ce44e2ed3fd4ce40688f38e7dc6331728adeb19ea281694c09 |
| SHA512 | 20f35c4b6bc820b954bc733352ae547905f08b90ae5b4b6877ff2e62fa53ace011880d920c975c16a76f1b1d950e48e2256eff98e730f9b859571af190416ec0 |
C:\Users\Admin\Desktop\FC\hbr.dll
| MD5 | c60bcf5599f6a2446ce11fe4d82b52e3 |
| SHA1 | f440aad733cd7dffe813985a4af1ab61fd4309fc |
| SHA256 | d43f73538ced3dad2016eacbd70a3bef4531bceb2a2940508209047e070d60d1 |
| SHA512 | 7337b70b774c4876996626e7a303e11b68cce42e5157d51a40c57ef34a454fb46cbedf7564ebd1d1d3e42874f5d20d07a0b2d42ae665677b3337f2fbf59c6165 |
C:\Users\Admin\Desktop\FC\fun.dll
| MD5 | 9a661d32fb534ed752f57dfb14f96c69 |
| SHA1 | 3ae37dca061457507af0a371ddfce51834523d19 |
| SHA256 | af0c1c93976a8960c9e568c556bb9883a534abdc48892f932b97f1789d0db614 |
| SHA512 | 96a54c51274d21421a04dc946d8074cc22fd096fc9eb935df1d351bd0ee415d72cb4939f4ddb312d25af2a6bb7c0677c433831f5824b05cc3c757bb36635af94 |
C:\Users\Admin\Desktop\FC\dos.dll
| MD5 | 367f115ade76ed85b0865fab6415c486 |
| SHA1 | 1f13595c0503784050beb91563a37fc7eb8d3216 |
| SHA256 | 1bd1b609e2d2da3d1536ce3b64f920e0d4b0799e4af558dbfee35d04c5eaed9b |
| SHA512 | 4f61c7c60a43a23413b94c56b3a6e66309706fe41e52cc97fa4352cbf773c7e9056eefb83b27dd91798c7edc0758acad14e63f5a39f5a24d0a2b3827e183a7ea |
C:\Users\Admin\Desktop\FC\def.dll
| MD5 | 4db7a9a39fced04abe373b263887dd57 |
| SHA1 | 418475ee97c5d4bede51a48466fac4f7fe8956c1 |
| SHA256 | f9dee879d8ce99197c9dd569764777ef8693de2efdae357c59e7b7de0cb4d3b5 |
| SHA512 | 32bec165aa2e0c1fe8251f302d773547baa638cf905e2c4a1da3fd368f9a3a2974b2b4b59d30685f4295176320b8d1812c9cc23f774e96c8d24d7b462afce12d |
C:\Users\Admin\Desktop\FC\pass.dll
| MD5 | 45dbcb506ff2209501c1c74fe51b2b79 |
| SHA1 | a8b28d69766c0bc167c95588b587d0577c97a0fb |
| SHA256 | 8dcad0216a651303af76849d3b1bf1dbb96338f575d30ea6b5913df2738eb258 |
| SHA512 | ab8c4e989a4dd0c57ea3b50f3bd51b0864cf019c1b7d286db09ee46a5e7b459c963486bcea57b5c0997dd2e368d77686919225cd429c7c127971187b1dd59273 |
C:\Users\Admin\Desktop\FC\tory.dll
| MD5 | 678bc4981407ec867997e49a55d6691b |
| SHA1 | facadb46da06b69b5d534e4578b9b942e83c62d0 |
| SHA256 | 4dd5f2438b74cd631914aeb7ba2eb06d0b47bba5452b8511967d7c736c381560 |
| SHA512 | c70b111fc94f4f65a209a21fcd664469dea39d2613cbf8df0e29e159620e922c07f31818e8af439aa83359cc2ea64e388c6dd0c1efaf8d60f7a9952dff4537cf |
C:\Users\Admin\Desktop\FC\so.dll
| MD5 | 931891348ccb30d3de4d6364f7cf641e |
| SHA1 | 359f2ef6edced2fa3a38e939d035c90c46da1b7c |
| SHA256 | a4720026c4de5f0db915df45b359f325741217586a2605383f1bcf9a4cbf6f79 |
| SHA512 | cf71fe23f781debdc75e986afcfa585e14be6d2b26b6c4b7866c059203018e3156d1b04eab7b9f42eb7b68bb3d5196f48d53db88409d356446791567ba2c1a55 |
C:\Users\Admin\Desktop\FC\sc2.dll
| MD5 | f8ce280fc2b16762802e7d8b1799e9c4 |
| SHA1 | e73800699dd7ce099f6e71db602be062acd5cf8a |
| SHA256 | e72ffd501ef33e454e369aacfb39d1a1325ed132135f7f8a007c44fc4b554b64 |
| SHA512 | ca5135f64a60dbab2a4e711685466947a697925e0a0cda52a8021b0cd3844b3293a946bbcbc16d34b9bb2c693a0bcf061821ce158d7c1f3f01bfd965ab351717 |
C:\Users\Admin\Desktop\FC\pw.dll
| MD5 | ed2dfe9eefb52ee6f371119142c8e438 |
| SHA1 | 61071a2c97bd45fdcd95b3c3a14119c01e422cdc |
| SHA256 | e6a016f08c723d94ab5d1cf14228b51d0a14af3993daf1074ba40f9fe2a57fe6 |
| SHA512 | 849f0a833be9aef4fc802dfe427fefa1412e764cb5211aded8874cf832e42377691a6c34c9133d48b053285ced4a1c050ee1d22997ae36911574a36962195d79 |
C:\Users\Admin\Desktop\FC\tcp.dll
| MD5 | 4d83956c3b72011e05447df8f2522788 |
| SHA1 | 572324b5108ebd219c9362bcde8d6f63b43539fe |
| SHA256 | 2dd03a2d32ff0081af3e71902a04b67f1592ca29582522c952cfcbecd4d1c986 |
| SHA512 | edf607c1782fa41b507f52d457d62d705a5054aee980fdce4083243c8f429d3a4a38a0c91d59e9acf089e1730b5d5a2b1fdee1e98896a0cc22627085415ae5d4 |
C:\Users\Admin\Desktop\FC\rdp.dll
| MD5 | 274775cc533fd77c904487428df6d2e2 |
| SHA1 | 17823bf9764563bb901ca9e54af330e14c0d1387 |
| SHA256 | 0c0cfe380d042e8b298de784daa32ae2cedbaea6d3fd08c4fc6c8b0d45004178 |
| SHA512 | 024c8757d9c2bc3239f86088dacc305f00889e9a2f090077d337b10ca488d63df9bb5155a846c745d8573b50b79ac6e2498d1470001ce2476705463c8cb13584 |
C:\Users\Admin\Desktop\FC\ngr.dll
| MD5 | 34c65e48a13f441618d3fd7e0db4c1ac |
| SHA1 | ad321099698d1c04110efd25132faa8c4771b1fc |
| SHA256 | 207dee7df1d6caa3a074e72aa1f3beb940f0ea215c3c328ad00b52c58e700ce0 |
| SHA512 | 32adafce689b965408aed6c764fad1d71640e482891e6e1c5c88c0e9431927f41589d101f34983aac7f65374c871c9c6550a8759610d83878b47390794ef8b16 |
C:\Users\Admin\Desktop\FC\msg.dll
| MD5 | 5a1e62c6f25bddd882f748e51836cf5a |
| SHA1 | cf2fdd68648e56777ec76687efed28d3fd3aea51 |
| SHA256 | 4fdd8de2281c30a6562b8129e6f5a7fa181ce1055fa747071cd9b3e5ed23d28a |
| SHA512 | 1b5c9c9ae04255d9df36c84771147b84383612a1e74de93ffbbd9e84f72c8f9a394595238fd752aacff68544c1a8f0b7bada02bc89934ff56f09ba8a94fe6427 |
C:\Users\Admin\Desktop\FC\mic.dll
| MD5 | 0492bf68d888d70a0b05208c45ef9e50 |
| SHA1 | 232ab3ad4445d2d98f6f3db3ed5623aa57e5a93c |
| SHA256 | 2324c7d25802a33e843baa28877a258b0eff7f4e7c7588a7de5a1799f66dea65 |
| SHA512 | f87be4b8a834b16ce2d8e808bb715e23f41cc433c8e37d35e0be51a63780529737f98d2089641fdb224ce6f62cdb47134374f1f565507548949f9d91b5c78686 |
C:\Users\Admin\Desktop\FC\manger.dll
| MD5 | 76b3c4f07316739f10c3409c022df30d |
| SHA1 | bad54af1377009ceb5bf1b4ff3f244e5237cfe1f |
| SHA256 | 1439a2d967f8053d8d810182f1ea25d41de870cba1cba09e88fa744eacf79f26 |
| SHA512 | eb41234e35e6dc33e09c93b1466732972c163365947a811d3eb2b079f22f6c47e295fee65d3a12e8cdfa0828a0c1cc95dba4d43a949976f6ea8ad11ef02184a5 |
C:\Users\Admin\Desktop\FC\loc.dll
| MD5 | fda72bed9a70f75440146b750b2838e7 |
| SHA1 | bfba56628ea9118c99e5379f719cfbc2a9d50cc2 |
| SHA256 | 4162dee6bd21ed36f55afb211995e8282ec4ae0360c0a3a6733fc0ccfd34c193 |
| SHA512 | 0d4f5fb577ad123ff26f216a022851357bf0e2f733518f1d9a09331966db9da099a139955b13ae0eef5e15a0ef971119e3b91bd0413144181bb2f8bda265593e |
C:\Users\Admin\Desktop\FC\inff.dll
| MD5 | 282a383f16af77e6f0f3650b12e4f5cc |
| SHA1 | 04e20a3fda195fdf5659a6bc2e790fd1e2a0c949 |
| SHA256 | 792a3a0dd604d34b08f5c0c36aa1f0350e15bffd7a8dc5126a459e664e805b3f |
| SHA512 | 12d4f6682e3f03915d8055b37d40ee18dc383c8b5aee88d406af26555265884d60dda1aa147e95992f19858bb3bd311a9197199e968183648147a5290a321806 |
C:\Users\Admin\Desktop\FC\iff.dll
| MD5 | f1b53847815d72f5f12455a6a1812925 |
| SHA1 | 860e77e979ec9d2e0b1bb80368a149b739abf640 |
| SHA256 | 09885d32d886ad0c70fdfedea74aabaab8cd2d38acf829d7d77b8aaaab755fa1 |
| SHA512 | a62638163f058fac1d5bc0e8867b04c8b24ac26b2a2c5ade5cdf63a8675d9ca457de81501ad2504c335cc670851828e949d7f05cc48f69d43b9d837509693a16 |
C:\Users\Admin\Desktop\FC\uac.dll
| MD5 | 8f733c26b4dffc1844f7cf689dbb3040 |
| SHA1 | 543afb2afc3e19044d9f1ac2d41ffd4d3c1173a6 |
| SHA256 | a173ad5dbaa65e67a637fd7f8551a6781cf7542cc19b28bb7070e4a0e5c50822 |
| SHA512 | c5622334800011c8f74b3211dad1395d297d670a9403f546790b30147e1027e4b20ecb97db152c10cecd60de1b8923672285a0e57eb7e6ac6e4013458622939d |
C:\Users\Admin\Desktop\FC\uns.dll
| MD5 | f15ba8cca8dccae5f6e0f5f38d527ea6 |
| SHA1 | 0cdb2ac89f527779e7fc6c38cad94bd10bbb6d25 |
| SHA256 | 1c76598233511d7e4666f4301cf5f6869130c985149de8307ef3f01039d65298 |
| SHA512 | 5e05b1f4da3e570f7ec9901721186c48688dd1c9b4582affd4d2be0a83ee9bd206be98861c96b2d74910d1d970665fac9e123f83a286d3b9fd03e3249bb4262b |
C:\Users\Admin\Desktop\FC\vb.dll
| MD5 | fd3ca535716e7d32b23cc6bdc4ce808c |
| SHA1 | 0f7b99b9cb1cc27afa851a51953c5f848f69a4a3 |
| SHA256 | 91334351b509bc1b2b521be396721b059e8c14fd2a5d18cf3cd49f262755a3d4 |
| SHA512 | f7ec954625788022e071124cec05b44a65ed30cad1ed71cac6208083c03e3ff35ce0d3daa4c4a74ff3a374c0ab4361f0fbd3aae41eaaa1cbb3d0c16079ddd190 |
C:\Users\Admin\Desktop\FC\vdp.dll
| MD5 | 8246192765d26e1c2232c1a60729944b |
| SHA1 | 65d63482db444a9ff566abb82207d8f48c573da9 |
| SHA256 | 919359843ed7ba7943d842a85f3a23027d0bfd7ddf92c3a9025b8e9f9d4185cf |
| SHA512 | 003e29c2ae2b72aa2600c6797ce52291ed4957ec7bebe166a5c2004d830f8f516cc91b481132eb1df0f52467976dd526bad5b26e33da8a3b4dcdd3aa3068b22e |
C:\Users\Admin\Desktop\FC\vnc.dll
| MD5 | 0596dbbbcb6794def107e7d86789ca62 |
| SHA1 | 36b39f496430c314432f0a6050e6ad022f88daff |
| SHA256 | 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32 |
| SHA512 | 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5 |
C:\Users\Admin\Desktop\FC\xmr.dll
| MD5 | 3f1323e572f60f6f63d447339d127fa7 |
| SHA1 | abf3f71c673ef48a606787e47ae976d9becc6576 |
| SHA256 | ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831 |
| SHA512 | af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1 |
memory/1156-496-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-497-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-498-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-499-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-500-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-501-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-502-0x0000000005E60000-0x0000000005E70000-memory.dmp
memory/1156-503-0x0000000032CC0000-0x0000000032DC0000-memory.dmp
memory/1156-504-0x0000000032CC0000-0x0000000032DC0000-memory.dmp
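The Files section above gives MD5, SHA-1, SHA-256 and SHA-512 for every file the sample wrote, which is what an incident responder needs to check other hosts for the same drop. The script below is an added example, not part of the report or of the sandbox's tooling: it parses the report's own "path line followed by hash rows" layout into an indicator set, hashes every file under a directory in a single read, and reports SHA-256 matches. The excerpt embedded in it is copied from the report; the self-test writes a constructed file into a temporary tree and registers its digest so the scanner has something to find offline.

```python
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# Two entries from the behavioral2 Files section above, copied verbatim from the report.
# The whole section can be pasted here in the same way; memory/... lines are ignored.
REPORT_EXCERPT = r"""
C:\Users\Admin\Desktop\FC\xmr.dll
| MD5 | 3f1323e572f60f6f63d447339d127fa7 |
| SHA1 | abf3f71c673ef48a606787e47ae976d9becc6576 |
| SHA256 | ad25d489428d12c4d8d5f594fe595ece11d8a475c8d5966037973dea6f1b2831 |
| SHA512 | af7b3084ef4895f3573836f3260decae6d2cb6d21ee57944279e515e58feb2393926d5b8981bfe3cd6ab380be7749c6e08af2e405dcef7881819edefb8088fc1 |
C:\Users\Admin\Desktop\FC\vnc.dll
| MD5 | 0596dbbbcb6794def107e7d86789ca62 |
| SHA1 | 36b39f496430c314432f0a6050e6ad022f88daff |
| SHA256 | 42f06ee96dfc5bb6c7208f5fd409460554c4ee630639bf7e44752a4a1135db32 |
| SHA512 | 688a03cba75abac3151bb859281c25ba2b415ba41ddbfa44dca9b0a2902cbfdb6af593d1f80d46d5c9806c838be1216c17fa85bbab10f65467ebdee6b7719ce5 |
memory/1156-496-0x0000000005E60000-0x0000000005E70000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_report_files(text: str) -> dict[str, dict[str, str]]:
    """Map each dropped-file path in the report to its lower-cased digests.

    A non-table line starts a new file entry; hash rows attach to the most recent one.
    Hash rows before any path (a table cut off at a page boundary) are dropped.
    """
    files: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                files[current][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|") and not line.startswith("memory/"):
            current = line
            files.setdefault(current, {})
    return files


def hash_file(path: Path, chunk: int = 1 << 20) -> dict[str, str]:
    """Compute all four digests in one pass so each file is read only once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def ioc_index(files: dict[str, dict[str, str]]) -> dict[str, str]:
    """SHA-256 digest -> report path. SHA-256 is used for matching; MD5 and SHA-1
    are kept in the parsed data for cross-referencing other feeds, not for decisions."""
    return {d["sha256"]: p for p, d in files.items() if "sha256" in d}


def scan_directory(root: Path, index: dict[str, str]) -> list[tuple[Path, str]]:
    """Walk root and return (local path, report path) for every SHA-256 hit."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = hash_file(p)["sha256"]
            except OSError:
                continue  # unreadable or vanished between listing and open
            if digest in index:
                hits.append((p, index[digest]))
    return hits


def run_selftest() -> list[tuple[str, str]]:
    """Plant a constructed file (not a real dropped file) in a temp tree, add its
    digest to the report's indicators, and confirm the scanner finds exactly it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        decoy = root / "sub" / "planted.dll"
        decoy.write_bytes(b"constructed sample bytes, not a real dropped file\n")
        (root / "clean.txt").write_bytes(b"nothing to see here\n")
        index = ioc_index(parse_report_files(REPORT_EXCERPT))
        index[hash_file(decoy)["sha256"]] = "constructed:planted.dll"
        return [(p.name, reported) for p, reported in scan_directory(root, index)]


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for local, reported in scan_directory(target, ioc_index(parse_report_files(REPORT_EXCERPT))):
        print(f"{local} matches dropped file {reported}")
```

Run it as `python scan.py <directory>`; with no argument it scans the current directory. Matching on SHA-256 alone is deliberate: MD5 and SHA-1 collisions are cheap enough that a hit on them should be confirmed against the stronger digest before anyone acts on it.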