Malware Analysis Report

2025-01-03 05:14

Sample ID: 221130-rjwy3sbb6w
Target: 526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d
SHA256: 526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d
Tags: evasion bitrat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d

Threat Level: Known bad

The file 526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d was found to be: Known bad.

Malicious Activity Summary

Tags: evasion bitrat trojan

BitRAT

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-30 14:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-30 14:13
Reported: 2022-12-02 12:35
Platform: win7-20220812-en
Max time kernel: 79s
Max time network: 46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Looks for VMWare Tools registry key

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 560 wrote to memory of 1184 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 560 wrote to memory of 1408 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 560 wrote to memory of 1404 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 560 wrote to memory of 576 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 560 wrote to memory of 980 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 560 wrote to memory of 1520 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe
    "C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zGKLtN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files


C:\Users\Admin\AppData\Local\Temp\tmpA5E.tmp

MD5 94f96c6e48051b87a0ac3ab27341bc34
SHA1 eca68acf99904ad4f2e5b8196df9de4a529f51de
SHA256 8c813027bf14ac5dcfe6c6c615886e4f558b58e58c3a011c2c7822f90eb28c8a
SHA512 c6fdd1e4514eb2855dabb2701d95e9699af7865f232c094b43fe017d78f7e8f451a27392f50a2773e2b7e17e6b13d04259491c6c9a7729061c95d952f9a0955d

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-30 14:13
Reported: 2022-12-02 12:35
Platform: win10v2004-20220812-en
Max time kernel: 154s
Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe"

Signatures

BitRAT

Tags: trojan bitrat

Looks for VirtualBox Guest Additions in registry

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Looks for VMWare Tools registry key

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4416 wrote to memory of 4832 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4416 wrote to memory of 3516 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3516 wrote to memory of 3644 (11 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3516 wrote to memory of 2984 (12 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe
    "C:\Users\Admin\AppData\Local\Temp\526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zGKLtN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD992.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 13.69.109.130:443 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 178.79.208.1:80 | N/A | tcp
N/A | 45.153.203.230:5235 | N/A | tcp
N/A | 8.8.8.8:53 | 7c7d6df163322b93f948b9c12a47c262.xyz | udp
N/A | 8.8.8.8:53 | logonapplication.ddns.net | udp
N/A | 8.8.8.8:53 | 7c7d6df163322b93f948b9c12a47c262.xyz | udp

Files


C:\Users\Admin\AppData\Local\Temp\tmpD992.tmp

MD5 c713ea94be659c35683dafa4ef8df5bb
SHA1 51ca1bfaa67cf6f000f64017f3c5265c36e8326b
SHA256 796e97e9caa1f382858c1f991721ee7a89b50a2e0f7c78d7624270fc328f5e03
SHA512 790b08892347e4d24b7e261c180357ced73f48d48caf3adaabbeb8756c7b62663f45fc85203bd863c5dfc902f8166e7dfaaf6c7c834b17c4e8904a8f90924063
