Malware Analysis Report

2025-06-16 03:22

Sample ID 220509-xwnq5aggfj
Target Invoice May 2 to 6 2022.exe
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657

Threat Level: Known bad

The file Invoice May 2 to 6 2022.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-09 19:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-09 19:12

Reported

2022-05-09 19:19

Platform

win7-20220414-en

Max time kernel

303s

Max time network

314s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\laoqp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 604 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 604 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 528 wrote to memory of 1300 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\laoqp.exe
PID 1300 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6BBE2939-C6EA-49DC-BA7C-0F84D1D31C27} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp

Files

memory/604-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

memory/604-55-0x0000000000AA0000-0x0000000000C66000-memory.dmp

memory/2016-56-0x0000000000000000-mapping.dmp

memory/1964-57-0x0000000000000000-mapping.dmp

memory/948-60-0x0000000000000000-mapping.dmp

memory/364-63-0x00000000006B2000-0x0000000000823000-memory.dmp

memory/364-65-0x0000000000440000-0x0000000000824000-memory.dmp

memory/364-67-0x00000000007E2740-mapping.dmp

memory/364-68-0x0000000000440000-0x0000000000824000-memory.dmp

memory/364-69-0x0000000000440000-0x0000000000824000-memory.dmp

memory/364-72-0x0000000000440000-0x0000000000824000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

memory/1300-75-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

memory/364-80-0x0000000000440000-0x0000000000824000-memory.dmp

memory/1300-82-0x0000000000350000-0x0000000000516000-memory.dmp

memory/956-83-0x0000000000000000-mapping.dmp

memory/880-84-0x0000000000000000-mapping.dmp

memory/1732-87-0x0000000000000000-mapping.dmp

memory/1472-88-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-89-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-92-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-93-0x00000000007E2740-mapping.dmp

memory/1472-94-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-95-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-99-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-100-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1472-101-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/908-102-0x0000000000000000-mapping.dmp

memory/908-108-0x0000000001230000-0x00000000013F6000-memory.dmp

memory/572-109-0x0000000000000000-mapping.dmp

memory/1492-110-0x0000000000000000-mapping.dmp

memory/748-113-0x0000000000000000-mapping.dmp

memory/1116-120-0x00000000007E2740-mapping.dmp

memory/1116-127-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1752-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 fd219bca969edbca85a3e0ed8fa0cc2f
SHA1 fbac9387fac5a888a505fca07719cddb3b9a5747
SHA256 2ed0e3b8c5ff62646077e61090991da1f1fa05ba9dac70036a7317f3f4b06dc6
SHA512 511f591a0486cce1ed23be1eca8c9dcd2b6eccbc3c0ff0568c13e259c35b6d598c9dc065c1080b456933abf229e8996cc4e8cfc328f49a42601525d9ef383cd3

\Users\Admin\AppData\Roaming\laoqp.exe

MD5 33430707f438839e9f65aadea523a375
SHA1 caa26ec689a5bb7dc497161ba2ab08930f25de6e
SHA256 586af7639e0f154d261b41d98c253b5d67d4ea4c4da7f782a86239dafcce4dd2
SHA512 2b470d95e2470cb24fbcdd64d898257a9e3a68fb4e4846e2c1ad7062ef0ceaec960b30373430b7eb552e7aec32f6fec95c16c488dc1d275feb67c3e1ab500288

\Users\Admin\AppData\Roaming\laoqp.exe

MD5 8a1eb9eba71a520054faeb13ebc7d480
SHA1 d5732b21f4c28f82bada3347631fb79262c9bee4
SHA256 9ee742a63830b5c3e234a4359afbc50cb60081f1ff4c6d571810eb7431fdb7a5
SHA512 01ca96f0109ad13724212cc022692509b56b7fa0ef4d87835eb66739c2048af672609f23c7c5033978661cf00246d53ae41d016d6128bdbb1f4da4312b514218

\Users\Admin\AppData\Roaming\laoqp.exe

MD5 377128087de9cbca3583d900ba3dc97a
SHA1 66b95ddab6eaecefc4a5b6dc28b6456b3d9b4dbc
SHA256 65fd19ed2a0ddbed252e8bb6dcdbe8def5708e8b6ee598b0e6b5dac965ba4678
SHA512 338b8e4f328f2246e29823f94b881131bf48259af0efcb7e26d1b0a2d4d5710c74776654eb505e9b8f5bacc388f3e8c22e20b4288c994398578874acc07475e6

memory/1752-134-0x0000000001230000-0x00000000013F6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-09 19:12

Reported

2022-05-09 19:19

Platform

win10v2004-20220414-en

Max time kernel

303s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

Signatures

BitRAT

trojan bitrat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\laoqp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4876 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4072 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 308 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4800 wrote to memory of 476 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 476 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\laoqp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1948 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe

"C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f

C:\Users\Admin\AppData\Roaming\laoqp.exe

C:\Users\Admin\AppData\Roaming\laoqp.exe

Network

Country Destination Domain Proto
US 20.189.173.2:443 N/A tcp
NL 104.110.191.133:80 N/A tcp
NL 104.110.191.133:80 N/A tcp
NL 104.110.191.133:80 N/A tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
GB 37.120.159.213:24993 houseofc.duckdns.org tcp
US 8.8.8.8:53 houseofc.duckdns.org udp

Files

memory/4876-130-0x0000000000A50000-0x0000000000C16000-memory.dmp

memory/4876-131-0x0000000005B00000-0x00000000060A4000-memory.dmp

memory/4876-132-0x00000000055F0000-0x0000000005682000-memory.dmp

memory/2580-133-0x0000000000000000-mapping.dmp

memory/1760-134-0x0000000000000000-mapping.dmp

memory/3476-135-0x0000000000000000-mapping.dmp

memory/1136-136-0x0000000000000000-mapping.dmp

memory/1136-137-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1136-138-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1136-139-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1136-140-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1136-141-0x0000000000400000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

memory/308-144-0x0000000000000000-mapping.dmp

memory/1564-145-0x0000000000000000-mapping.dmp

memory/1616-146-0x0000000000000000-mapping.dmp

memory/4388-147-0x0000000000000000-mapping.dmp

memory/1616-152-0x0000000000400000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\laoqp.exe.log

MD5 4b74e933d78bd5e8fb1cc4653fb2133c
SHA1 f6e931eec700fa325bd40c3adc6f1c0eba806066
SHA256 fd99bed17853f5ad196ca6d4a62f5e2405fbdf5b98cbf45af8b7cef83e4bcec3
SHA512 b56ff89eff1a757a87dcb875206ae92d39ffdb5adf638600c21bc7c76ff4cc25502ae1060716488c7ed1641f8cdfad2a320443b7b4d9f09808eb86eb87f351ec

memory/476-155-0x0000000000000000-mapping.dmp

memory/3140-156-0x0000000000000000-mapping.dmp

memory/3636-157-0x0000000000000000-mapping.dmp

memory/3792-158-0x0000000000000000-mapping.dmp

memory/3636-163-0x0000000000400000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

memory/1948-165-0x0000000000000000-mapping.dmp

memory/4244-166-0x0000000000000000-mapping.dmp

memory/1464-167-0x0000000000000000-mapping.dmp

memory/2260-168-0x0000000000000000-mapping.dmp

memory/1464-173-0x0000000000400000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 9ee044706961afb5c1b1cc98936786b5
SHA1 b583dd8cb884cc786ae6ccb5c007537f42ca20d0
SHA256 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
SHA512 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

memory/4860-175-0x0000000000000000-mapping.dmp

memory/4416-176-0x0000000000000000-mapping.dmp

memory/4248-177-0x0000000000000000-mapping.dmp

memory/4908-178-0x0000000000000000-mapping.dmp

memory/4248-183-0x0000000000400000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\laoqp.exe

MD5 07bc8e0b433be8b1311525d476634ca7
SHA1 c171b45dae9cc9719969eb2ce75244fbb37235cb
SHA256 fc5a4d868f6932e104c385ef5d9d7a094bf3526a0e3e54265d37d0a1f8084323
SHA512 b3ad1d10a4956ac85fca9792b9d765a7f0308b86f8c7f021e4d255b687a4c16a1e4b02cc0a679f790e40ab121609851b30a11b3a755a8b8920f8383ae6c65de4