Malware Analysis Report

2024-11-30 02:15

Sample ID 240329-3klehsca4t
Target 951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a
SHA256 951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a
Tags rhadamanthys stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a

Threat Level: Known bad

The file 951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 23:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 23:34

Reported

2024-03-29 23:37

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1196 created 2552 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1036 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 632 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 632 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 632 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 5060 wrote to memory of 3576 | N/A | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe
PID 5060 wrote to memory of 3576 | N/A | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe
PID 5060 wrote to memory of 3576 | N/A | C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe
PID 3576 wrote to memory of 1036 | N/A | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 3576 wrote to memory of 1036 | N/A | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 3576 wrote to memory of 1036 | N/A | C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 1036 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3944 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3944 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 3944 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 1196 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\dialer.exe
PID 1196 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\dialer.exe
PID 1196 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\dialer.exe
PID 1196 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\dialer.exe
PID 1196 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

"C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe"

C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

"C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe" -burn.filehandle.attached=648 -burn.filehandle.self=548

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe

"C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp

Files

C:\Windows\Temp\{ED37EB3A-F8D4-4E14-BEF9-F2F2CB99B408}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

MD5 cda1b3c383681b7fb5401baacb43626b
SHA1 f47efd5e6b4e51a8eebc3293508eaee3a067857b
SHA256 1d8483135608e3c6877fec879740fda4727ee7a35558e0a9543794bb0b980096
SHA512 6ee97b9c06ee0788b810bf2829c477eed82ad40a64ec58d3fa0bbe8d70f1d2a79557d4d92ff8208a471611d9d4332c44bf79ef9f6b7eb2868942518acf1070cd

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\Chronon.dll

MD5 6a4eb9a4146ff9641770efed824ff004
SHA1 721516ba3a9e215fac5d380a470585cc063b82cb
SHA256 8a45a8d6dcf1a4866adcf815c2f2c27cb1141e01d7caab33946dc87c42ef6159
SHA512 ea07ea8effc4a7fd37e36f420f2b72ccb4876cd4e4f634e9c349579d1b8f41cedf551915d0d27e90354885a4c9de709ddfdab339c6ab91c7162fabb3a5e0341e

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\relay.dll

MD5 2d86682dcbdc2f2081a0e04d2236e8be
SHA1 ad7eec19af806e67601d7cfa553246e9bb77dc42
SHA256 39db32ce587e0519f4ac2932a37902784bfe54781c5ae1f1be97304b812cddd0
SHA512 66aa07446d3059730379bd5700042fef8767aed4a7133fc9ebb584964f17d06e1dadf09c8cb3230f1e87887be5d4180d941fd89aeaadcee21193286d5ce5744a

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\canal.eps

MD5 31f15d80e1de429e8c4d926300e10c4a
SHA1 1653cccbd81ef47d3a7189946d338a71a387efb1
SHA256 67fd1c492132a3905a4cb60f077c6fd5f3cd4250960684ceb99facc30d0533a8
SHA512 679334215dd6d70938ecc79d5b7000065c70d4d0050205f2ba4f52fdb28c91536bb4c9b2cef92cd5b5bb1350e36c8d3cb4ec5f34115300c68f2815d8e4d30cee

memory/3576-18-0x0000000000C60000-0x0000000000EC3000-memory.dmp

memory/3576-19-0x0000000072D40000-0x0000000072EBB000-memory.dmp

memory/3576-20-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

C:\Windows\Temp\{24447549-93D1-4D18-ACDE-B2D1C035AE2E}\.ba\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/1036-33-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/1036-32-0x0000000000690000-0x00000000008F3000-memory.dmp

memory/1036-34-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/1036-35-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/1036-36-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/3944-38-0x00000000743B0000-0x000000007452B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2cd19ab1

MD5 7076de60aa5c7d446ba5430f8d4c1532
SHA1 ddf0347bb4825b075abe740db552749abf89fa5e
SHA256 4b5aee857d382cd73c17a2759573053d94070ce05305adf6d8bef5a5cf330132
SHA512 196f6c6fa372f9ad0cb3f7978791e055d1c30a174cd22bd4a4c3e7cc8012889b96a71bec43532fc8efe033bedd3341056d449827b885c482ca96974f966d4f0a

memory/3944-40-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/3944-42-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/3944-43-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/3944-45-0x00000000743B0000-0x000000007452B000-memory.dmp

memory/1196-46-0x0000000000BE0000-0x0000000000C4F000-memory.dmp

memory/1196-47-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/1196-48-0x0000000000BE0000-0x0000000000C4F000-memory.dmp

memory/1196-50-0x0000000000660000-0x0000000000A93000-memory.dmp

memory/1196-51-0x0000000000BE0000-0x0000000000C4F000-memory.dmp

memory/1196-52-0x0000000003F90000-0x0000000004390000-memory.dmp

memory/1196-53-0x0000000003F90000-0x0000000004390000-memory.dmp

memory/1196-54-0x0000000003F90000-0x0000000004390000-memory.dmp

memory/1196-56-0x0000000003F90000-0x0000000004390000-memory.dmp

memory/856-59-0x0000000000F60000-0x0000000000F69000-memory.dmp

memory/1196-58-0x00000000753F0000-0x0000000075605000-memory.dmp

memory/1196-60-0x0000000000BE0000-0x0000000000C4F000-memory.dmp

memory/856-63-0x0000000002E80000-0x0000000003280000-memory.dmp

memory/856-62-0x0000000002E80000-0x0000000003280000-memory.dmp

memory/856-67-0x00000000753F0000-0x0000000075605000-memory.dmp

memory/856-66-0x0000000002E80000-0x0000000003280000-memory.dmp

memory/856-64-0x00007FFA818B0000-0x00007FFA81AA5000-memory.dmp

memory/856-68-0x0000000002E80000-0x0000000003280000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 23:34

Reported

2024-03-29 23:37

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2412 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2772 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2768 wrote to memory of 2760 | N/A | C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2760 wrote to memory of 2412 | N/A | C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe
PID 2412 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2856 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2856 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2856 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe
PID 2856 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

"C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe"

C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

"C:\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe

"C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe"

C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\CyFast_beta\UniversalInstaller.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

N/A

Files

\Windows\Temp\{BBF78A8E-B6F9-42CF-9BF0-2FC2E10E2FEE}\.cr\951634f13ea9cbe7e202633e5d1ff48557cbfd6bef05bbaa2f48384fe3db268a.exe

MD5 cda1b3c383681b7fb5401baacb43626b
SHA1 f47efd5e6b4e51a8eebc3293508eaee3a067857b
SHA256 1d8483135608e3c6877fec879740fda4727ee7a35558e0a9543794bb0b980096
SHA512 6ee97b9c06ee0788b810bf2829c477eed82ad40a64ec58d3fa0bbe8d70f1d2a79557d4d92ff8208a471611d9d4332c44bf79ef9f6b7eb2868942518acf1070cd

\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\Chronon.dll

MD5 6a4eb9a4146ff9641770efed824ff004
SHA1 721516ba3a9e215fac5d380a470585cc063b82cb
SHA256 8a45a8d6dcf1a4866adcf815c2f2c27cb1141e01d7caab33946dc87c42ef6159
SHA512 ea07ea8effc4a7fd37e36f420f2b72ccb4876cd4e4f634e9c349579d1b8f41cedf551915d0d27e90354885a4c9de709ddfdab339c6ab91c7162fabb3a5e0341e

\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\relay.dll

MD5 2d86682dcbdc2f2081a0e04d2236e8be
SHA1 ad7eec19af806e67601d7cfa553246e9bb77dc42
SHA256 39db32ce587e0519f4ac2932a37902784bfe54781c5ae1f1be97304b812cddd0
SHA512 66aa07446d3059730379bd5700042fef8767aed4a7133fc9ebb584964f17d06e1dadf09c8cb3230f1e87887be5d4180d941fd89aeaadcee21193286d5ce5744a

C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\canal.eps

MD5 31f15d80e1de429e8c4d926300e10c4a
SHA1 1653cccbd81ef47d3a7189946d338a71a387efb1
SHA256 67fd1c492132a3905a4cb60f077c6fd5f3cd4250960684ceb99facc30d0533a8
SHA512 679334215dd6d70938ecc79d5b7000065c70d4d0050205f2ba4f52fdb28c91536bb4c9b2cef92cd5b5bb1350e36c8d3cb4ec5f34115300c68f2815d8e4d30cee

memory/2760-22-0x0000000000120000-0x0000000000383000-memory.dmp

memory/2760-23-0x0000000074600000-0x0000000074774000-memory.dmp

memory/2760-24-0x0000000077780000-0x0000000077929000-memory.dmp

C:\Windows\Temp\{EDD092B1-C8E3-4C45-BCD6-73C3D5139C08}\.ba\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2412-39-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/2412-38-0x0000000001390000-0x00000000015F3000-memory.dmp

memory/2412-40-0x0000000077780000-0x0000000077929000-memory.dmp

memory/2412-41-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/2412-42-0x0000000075130000-0x00000000752A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2b4e7d4c

MD5 499332229c27a3d8da01cbad68f2c907
SHA1 a8c6a914c07e4d824368462d73d2ff7adc492bf9
SHA256 b0d5324b752b48e7b158a1192111a2ac3076b6d4898a1417851c78e4a9cd0a8f
SHA512 ff054eaad2fd5d2076e1916aca87bcb1f952d6649bc47619d1a4cb8b2842a08c3656786951c3dbf57e30e9e6f23e8bf3d8066dc26f5ec935e9a60d46f44fae0e

memory/2856-44-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/2856-46-0x0000000077780000-0x0000000077929000-memory.dmp

memory/2856-92-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/2856-93-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/2856-95-0x0000000075130000-0x00000000752A4000-memory.dmp

memory/1164-96-0x0000000000460000-0x00000000004CF000-memory.dmp

memory/1164-97-0x0000000077780000-0x0000000077929000-memory.dmp

memory/1164-98-0x0000000000460000-0x00000000004CF000-memory.dmp

memory/1164-101-0x00000000000D0000-0x0000000000351000-memory.dmp

memory/1164-102-0x0000000000460000-0x00000000004CF000-memory.dmp