Malware Analysis Report

2024-11-16 13:39

Sample ID 240531-bdevlsaa54
Target 06f89bea6cec0ee3459c26732c6f4d40.bin
SHA256 786790d91eccdabb8ed61cb77ab64f2547d508360c0dad4148a72a18c59a59a4
Tags
agenttesla xworm keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

786790d91eccdabb8ed61cb77ab64f2547d508360c0dad4148a72a18c59a59a4

Threat Level: Known bad

The file 06f89bea6cec0ee3459c26732c6f4d40.bin was found to be: Known bad.

Note on identifiers: the executable the sandbox actually ran is named by its SHA256 (71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe), and the Findo.exe copy recorded under Files in behavioral2 hashes to exactly that SHA256 with MD5 06f89bea6cec0ee3459c26732c6f4d40, the value used as the target filename. The top-level SHA256 786790d91eccdabb8ed61cb77ab64f2547d508360c0dad4148a72a18c59a59a4 is the hash of the submitted object as recorded here and is not the hash of the detonated executable, so pivot on both values. The Findo.exe artifact captured in behavioral1 hashes differently again (SHA256 2c256b37acab51690ca4d1e6cfe3cb74e421f7fbff011a2d29b4c3f406961181); collect all three.

Malicious Activity Summary

agenttesla xworm keylogger persistence rat spyware stealer trojan

Xworm

Detect Xworm Payload

AgentTesla

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Loads dropped DLL

Reads WinSCP keys stored on the system

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 01:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 01:01

Reported

2024-05-31 01:03

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Findo = "C:\\Users\\Admin\\AppData\\Roaming\\Findo.exe" C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Findo = "C:\\Users\\Admin\\AppData\\Roaming\\Findo.exe" C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1904 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe 4
PID 1904 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 12
PID 3192 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 12

Processes

C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe

"C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe"

C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe

"C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto Count
CY 185.205.187.173:80 185.205.187.173 tcp 2
US 8.8.8.8:53 api.ipify.org udp 1
US 172.67.74.152:443 api.ipify.org tcp 1
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 1
TR 178.215.236.251:717 N/A tcp 4

Files

memory/1904-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

memory/1904-1-0x0000000000990000-0x00000000009C4000-memory.dmp

memory/1904-2-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/1904-3-0x0000000006480000-0x00000000066C6000-memory.dmp

memory/1904-4-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-5-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-23-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-27-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-21-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-19-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-17-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-15-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-13-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-11-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-9-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-8-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-41-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-51-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-67-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-65-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-63-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-61-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-59-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-57-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-55-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-53-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-49-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-47-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-45-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-43-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-39-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-37-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-35-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-33-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-31-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-29-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-25-0x0000000006480000-0x00000000066C0000-memory.dmp

memory/1904-4890-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/1904-4891-0x0000000005300000-0x0000000005382000-memory.dmp

memory/1904-4892-0x0000000004720000-0x000000000476C000-memory.dmp

\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe

MD5 f3578e8755842b11168c9cfe8d72f51e
SHA1 5973e517739c944d5e1e269f399e7bebf33fd172
SHA256 2376cb21ed4b8e05774a49512f21e1f4d3ca960df5d74865786774d000481f5b
SHA512 48b2ed8fe52bdf97d5be0d8ea75c1e4243ee2e282240041e7b7715db8dad4c5d3457a270d4b4b006b56a0641b839e54a24a879ddb4526e5e961d8700829d3a29

memory/3192-4900-0x0000000000EF0000-0x0000000000F22000-memory.dmp

memory/1904-4901-0x0000000005DD0000-0x0000000005E24000-memory.dmp

memory/3192-4902-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/3192-4903-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/1904-4918-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/3296-4919-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3192-4920-0x00000000061F0000-0x0000000006410000-memory.dmp

memory/3192-9807-0x0000000005190000-0x00000000051EC000-memory.dmp

memory/3192-9808-0x00000000740D0000-0x00000000747BE000-memory.dmp

\??\c:\users\admin\appdata\roaming\findo.exe

MD5 9d4dcf280bb10cd4bd030bfd87b14ff9
SHA1 20393d494e912ddea7036d95963f9783e40f7462
SHA256 2c256b37acab51690ca4d1e6cfe3cb74e421f7fbff011a2d29b4c3f406961181
SHA512 8d1205220d6bc09d44a0601ffd7535dfe4b76eb685b3a49cee9db0c74ea72c59ccb15f9c10a33004ec5e1fc3af2f7a66f2cb57fa0f7a873d045b8229d09272a5

memory/1160-9823-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3192-9824-0x00000000740D0000-0x00000000747BE000-memory.dmp

\Users\Admin\AppData\Roaming\XClient.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 01:01

Reported

2024-05-31 01:04

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Findo = "C:\\Users\\Admin\\AppData\\Roaming\\Findo.exe" C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Findo = "C:\\Users\\Admin\\AppData\\Roaming\\Findo.exe" C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1348 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe 3
PID 1348 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 8
PID 928 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe

"C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe"

C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe

"C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
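Both RegAsm.exe instances in the Processes list above are launched with nothing but their own quoted path, and the WriteProcessMemory rows show the sample and its dropped copy writing into them; together with the summary's "Suspicious use of SetThreadContext" that is the usual process-hollowing chain, with a Microsoft .NET framework binary as the host for the injected payloads. A legitimate RegAsm.exe run always carries an assembly path, so a bare launch is a tell on its own. The Python below is an added triage helper, not part of the sandbox report or of the malware: it parses rows in the report's own format, counts writes per parent/target pair, and flags writes from a user-writable path into a bare-launched .NET host. The list of .NET host binaries, the user-writable path heuristic and the PID-to-command-line mapping are assumptions made for the example; the rows are a constructed copy of the behavioral2 table, and the behavioral1 table (PIDs 1904, 3192, 3296, 1160) parses the same way.

```python
"""Added triage helper: rebuild the injection chain from the report's
"Suspicious use of WriteProcessMemory" rows and flag hollowed .NET hosts.

Uses the behavioral2 rows; behavioral1 shows the same chain
(1904 -> 3192/3296 and 3192 -> 1160) and parses identically.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed from the behavioral2 table: the sandbox prints one row per
# WriteProcessMemory call, so the repeat count is the number of writes.
ROW = "PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"
WPM_ROWS = (
    [ROW.format(src=1348, dst=928, src_img=SAMPLE, dst_img=DROPPED)] * 3
    + [ROW.format(src=1348, dst=3308, src_img=SAMPLE, dst_img=REGASM)] * 8
    + [ROW.format(src=928, dst=4400, src_img=DROPPED, dst_img=REGASM)] * 8
)

# Command lines from the Processes section, keyed by the PIDs the write rows
# name as targets (assumption: the report prints no PIDs next to the command
# lines, so this mapping follows the write targets).
PROCESSES = {
    1348: f'"{SAMPLE}"',
    928: f'"{DROPPED}"',
    3308: f'"{REGASM}"',
    4400: f'"{REGASM}"',
}

# .NET framework binaries commonly used as hollowing hosts by commodity
# loaders (assumption: an analyst triage list, not something the report states).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
# Path fragments treated as user-writable (assumption for the heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Count writes per (src_pid, dst_pid, src_image, dst_image) edge."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def has_arguments(cmdline):
    """True if anything follows the (optionally quoted) image path."""
    rest = cmdline.strip()
    if rest.startswith('"'):
        _image, _sep, rest = rest[1:].partition('"')
    else:
        _image, _sep, rest = rest.partition(" ")
    return rest.strip() != ""


def find_hollowing(rows, processes):
    """Flag writes from a user-writable image into a bare-launched .NET host."""
    findings = []
    for (src, dst, src_img, dst_img), writes in parse_rows(rows).items():
        if basename(dst_img) not in DOTNET_HOSTS:
            continue
        if not dst_img.lower().startswith("c:\\windows\\microsoft.net\\"):
            continue
        if not any(tok in src_img.lower() for tok in USER_WRITABLE):
            continue
        cmdline = processes.get(dst, "")
        findings.append({
            "parent_pid": src, "parent": basename(src_img),
            "host_pid": dst, "host": basename(dst_img),
            "writes": writes,
            # RegAsm.exe needs an assembly argument to do anything useful,
            # so a bare launch is itself a strong hollowing tell.
            "launched_without_arguments": bool(cmdline) and not has_arguments(cmdline),
        })
    return findings


def injection_chain(rows):
    """Edges in report order, e.g. 'sample.exe(1348) -> regasm.exe(3308) x8'."""
    return [f"{basename(s)}({sp}) -> {basename(d)}({dp}) x{n}"
            for (sp, dp, s, d), n in parse_rows(rows).items()]


if __name__ == "__main__":
    for edge in injection_chain(WPM_ROWS):
        print(edge)
    for finding in find_hollowing(WPM_ROWS, PROCESSES):
        print("HOLLOWING CANDIDATE:", finding)
```

On a live host the same three conditions map onto Sysmon data: ProcessCreate (Event ID 1) with a parent image under AppData or Temp, a child image under C:\Windows\Microsoft.NET\ and a command line that is only the image path, plus ProcessAccess (Event ID 10) from that parent to the child with a GrantedAccess mask that includes 0x20 (PROCESS_VM_WRITE), which is the closest logged stand-in for the WriteProcessMemory calls the sandbox recorded.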

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
CY 185.205.187.173:80 185.205.187.173 tcp 2
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 173.187.205.185.in-addr.arpa udp 1
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 api.ipify.org udp 1
US 172.67.74.152:443 api.ipify.org tcp 1
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp 1
US 8.8.8.8:53 api.telegram.org udp 1
NL 149.154.167.220:443 api.telegram.org tcp 1
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp 1
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
TR 178.215.236.251:717 N/A tcp 3
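The Network tables of both runs contain three kinds of rows: resolver traffic to 8.8.8.8 (forward queries plus, in the Windows 10 run, reverse in-addr.arpa lookups, some of them for the very addresses contacted in the run), connections to named services (api.ipify.org, the external-IP check noted in the summary, and api.telegram.org), and two direct-to-IP connections with no DNS name at all, one on the non-standard port 717. The Python below is an added example rather than anything produced by the sandbox: it parses the rows as printed, decodes the in-addr.arpa names and cross-references them with the contacted endpoints, and emits the direct-to-IP endpoints as block/hunt candidates. The rows are a constructed copy of the behavioral2 table; the service descriptions are analyst context and an assumption, and since the report does not attribute either IP to a specific family, the code does not either.

```python
"""Added helper: turn the sandbox Network table into hunt/block IOCs.

Input is the report's own row format, Country Destination Domain Proto, with
Domain empty where the connection went straight to an IP with no DNS name.
"""
import ipaddress
import re
from collections import Counter

# Constructed copy of the behavioral2 Network table (behavioral1 holds the
# same endpoints without the reverse-DNS rows).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
CY 185.205.187.173:80 185.205.187.173 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 173.187.205.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 185.205.187.173:80 185.205.187.173 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
TR 178.215.236.251:717 tcp
TR 178.215.236.251:717 tcp
TR 178.215.236.251:717 tcp
"""

# Analyst context for the named services (assumption: general knowledge about
# these services, not a statement made by the sandbox).
SERVICE_NOTES = {
    "api.ipify.org": "external-IP lookup (the 'Looks up external IP address via web service' signature)",
    "api.telegram.org": "Telegram Bot API; commonly used by stealers as an exfiltration channel",
}

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (?:(\S+) )?(tcp|udp)$")


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def reverse_ptr(name):
    """'173.187.205.185.in-addr.arpa' -> '185.205.187.173'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    return ".".join(reversed(labels))


def triage_network(table):
    direct_ip = Counter()   # (ip, port, proto) -> connections with no DNS name
    named = Counter()       # (domain, ip, port) -> connections to a resolved name
    queries = set()         # forward DNS names asked for
    ptr_targets = set()     # IPs that were reverse-looked-up
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        port = int(port)
        if proto == "udp" and port == 53:        # resolver traffic, not C2
            target = reverse_ptr(domain)
            if target:
                ptr_targets.add(target)
            elif domain:
                queries.add(domain)
            continue
        if not domain or is_ip(domain):          # no name: direct-to-IP
            direct_ip[(ip, port, proto)] += 1
        else:
            named[(domain, ip, port)] += 1
    contacted = {ip for ip, _p, _pr in direct_ip} | {ip for _d, ip, _p in named}
    return {
        "direct_ip": direct_ip,
        "named": named,
        "dns_queries": queries,
        "ptr_for_contacted": ptr_targets & contacted,
        "ptr_other": ptr_targets - contacted,
    }


def block_list(result):
    """Direct-to-IP endpoints as 'ip:port/proto', non-standard ports first."""
    entries = sorted(result["direct_ip"], key=lambda e: (e[1] in (80, 443), e[0]))
    return [f"{ip}:{port}/{proto}" for ip, port, proto in entries]


if __name__ == "__main__":
    res = triage_network(NETWORK_ROWS)
    for ioc in block_list(res):
        print("block/hunt:", ioc)
    for (domain, ip, port), n in res["named"].items():
        print(f"named: {domain} ({ip}:{port}) x{n} - {SERVICE_NOTES.get(domain, 'unknown service')}")
    print("reverse lookups for contacted IPs:", sorted(res["ptr_for_contacted"]))
    print("reverse lookups for other IPs:", sorted(res["ptr_other"]))
```

The named endpoints are not good block candidates on their own: api.ipify.org and api.telegram.org are shared services, so the actionable network IOCs from this report are the two direct-to-IP destinations, with the port-717 endpoint the more distinctive of the two. The reverse lookups that match contacted addresses simply confirm the connections; the remaining ones were never contacted in the capture and add nothing to the IOC set.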

Files

memory/1348-0-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

memory/1348-1-0x0000000000A70000-0x0000000000AA4000-memory.dmp

memory/1348-2-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1348-3-0x0000000006550000-0x0000000006796000-memory.dmp

memory/1348-4-0x0000000006D40000-0x00000000072E4000-memory.dmp

memory/1348-5-0x0000000006890000-0x0000000006922000-memory.dmp

memory/1348-13-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-11-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-9-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-29-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-25-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-59-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-63-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-69-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-67-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-65-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-61-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-53-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-51-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-49-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-57-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-55-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-47-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-45-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-43-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-41-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-39-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-37-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-35-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-33-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-31-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-28-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-23-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-21-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-19-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-17-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-15-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-7-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-6-0x0000000006550000-0x0000000006790000-memory.dmp

memory/1348-4892-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1348-4893-0x0000000005D10000-0x0000000005D92000-memory.dmp

memory/1348-4894-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/1348-4895-0x0000000006450000-0x00000000064B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Pdmyfgbmmsc.exe

MD5 f3578e8755842b11168c9cfe8d72f51e
SHA1 5973e517739c944d5e1e269f399e7bebf33fd172
SHA256 2376cb21ed4b8e05774a49512f21e1f4d3ca960df5d74865786774d000481f5b
SHA512 48b2ed8fe52bdf97d5be0d8ea75c1e4243ee2e282240041e7b7715db8dad4c5d3457a270d4b4b006b56a0641b839e54a24a879ddb4526e5e961d8700829d3a29

memory/1348-4907-0x0000000006AC0000-0x0000000006B14000-memory.dmp

memory/928-4908-0x00000000005B0000-0x00000000005E2000-memory.dmp

memory/928-4910-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/1348-4913-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3308-4915-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3308-4914-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3308-4916-0x0000000006CC0000-0x0000000006D10000-memory.dmp

memory/3308-4917-0x0000000006D30000-0x0000000006D3A000-memory.dmp

memory/928-4918-0x0000000005F50000-0x0000000006170000-memory.dmp

memory/928-9805-0x00000000058A0000-0x00000000058FC000-memory.dmp

memory/928-9806-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3308-9807-0x0000000074F50000-0x0000000075700000-memory.dmp

\??\c:\users\admin\appdata\roaming\findo.exe

MD5 06f89bea6cec0ee3459c26732c6f4d40
SHA1 077c773301223d98b07630487facd24710353335
SHA256 71540af9f3dd877a91cd506fb2efb0ebb4211c4370c8edb74185a5b9554bb66d
SHA512 a172753e363467928c9bf700f36865eb53ab5ea85dcbf7bb3fa8bc756f130eacf3ba194f8b25707203b55e8b84a256f756e27a17cce4f81991e9cc2c31353d6b

memory/928-9812-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/4400-9813-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4400-9814-0x0000000004E50000-0x0000000004EEC000-memory.dmp