Malware Analysis Report

2025-01-03 05:15

Sample ID: 221130-tattgadf34
Target: a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07
SHA256: a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07
Tags: evasion bitrat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07

Threat Level: Known bad

The file a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07 was found to be: Known bad.

Malicious Activity Summary

evasion bitrat trojan

BitRAT

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-30 15:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-30 15:51

Reported

2022-12-02 14:16

Platform

win7-20220812-en

Max time kernel

112s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe

"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uskPBklHAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5AA.tmp"
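The registry lookups listed in the signatures above (VirtualBox Guest Additions, VMware Tools, the two BIOS version strings and Disk\Enum) are textbook hypervisor checks, and the schtasks command registers a task from an XML definition the sample staged in the user's Temp folder. The following Python is an added example written for this page by the editor; it is not sandbox output and not code from the sample. It normalizes registry paths as the report prints them (\REGISTRY\MACHINE prefix, Wow6432Node view) against a short table of VM-artifact keys, matches the per-user Geo\Nation key by suffix, and parses the schtasks command line to flag /Create with an /XML file under AppData\Local\Temp. The key table and labels are the editor's; the input rows are transcribed from this report (the Geo\Nation row comes from behavioral2 below); the Windows NT\CurrentVersion row and the ProgramData task command are constructed to show a non-match.

```python
import re

# Sample path exactly as the report prints it; used to build the example rows below.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"

# Registry keys whose existence or contents reveal a hypervisor. Paths are the ones from the
# signature tables (normalized form); labels are the editor's and the table is deliberately
# short, not a complete anti-VM catalogue.
VM_ARTIFACT_KEYS = {
    r"hklm\software\oracle\virtualbox guest additions": "VirtualBox Guest Additions present",
    r"hklm\software\vmware, inc.\vmware tools": "VMware Tools present",
    r"hklm\hardware\description\system\systembiosversion": "system BIOS string (VBOX/VMware/QEMU markers)",
    r"hklm\hardware\description\system\videobiosversion": "video BIOS string",
    r"hklm\system\controlset001\services\disk\enum": "disk device IDs (hypervisor vendor names)",
}
# Per-user key read to geofence by country; matched by suffix because the SID differs per host.
GEO_SUFFIX = r"\control panel\international\geo\nation"

# Row layout of the report: "<Key opened|Key value queried> <registry path> <process> N/A"
REG_ROW_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\.+?) ([A-Za-z]:\\\S+) N/A$")

# Rows transcribed from the signature tables (Geo\Nation is from behavioral2); the last row is
# a constructed benign lookup to show a non-match.
REG_ROWS = "\n".join(
    f"{desc} {key} {SAMPLE} N/A"
    for desc, key in [
        ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions"),
        ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"),
        ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
        ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
        ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
        ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
        ("Key value queried", r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation"),
        ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),  # constructed, benign
    ]
)

# schtasks command line from the Processes list above, and a constructed benign counterpart
# whose task definition lives under ProgramData rather than the user's Temp directory.
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uskPBklHAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5AA.tmp"'
BENIGN_CMD = r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'


def _flatten(line):
    """Accept the sandbox's space-separated rows as well as a pipe-separated table layout."""
    return " ".join(line.replace("|", " ").split())


def normalize_key(path):
    """Map the native \\REGISTRY\\... spelling to hive abbreviations and drop the WOW64 view."""
    p = path.lower()
    p = p.replace(r"\registry\machine", "hklm", 1).replace(r"\registry\user", "hku", 1)
    return re.sub(r"\\wow6432node(?=\\)", "", p)  # same key seen through the 32-bit view


def scan_registry(rows):
    """Return (label, normalized key, process basename) for every anti-analysis lookup."""
    hits = []
    for line in rows.strip().splitlines():
        m = REG_ROW_RE.match(_flatten(line))
        if not m:
            continue
        key = normalize_key(m.group(2))
        proc = m.group(3).rsplit("\\", 1)[-1].lower()
        for known, label in VM_ARTIFACT_KEYS.items():
            if key == known or key.startswith(known + "\\"):
                hits.append((label, key, proc))
        if key.endswith(GEO_SUFFIX):
            hits.append(("country check via Geo\\Nation", key, proc))
    return hits


def _switch_arg(cmdline, switch):
    """Value of a schtasks switch, quoted or bare, case-insensitive."""
    m = re.search(rf'(?i)\s/{switch}\s+(?:"([^"]*)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def schtasks_from_temp_xml(cmdline):
    """Flag schtasks /Create whose /XML task definition was staged in the user's Temp directory."""
    if not re.search(r'(?i)schtasks(\.exe)?"?\s', cmdline) or not re.search(r"(?i)\s/create\b", cmdline):
        return None
    xml = _switch_arg(cmdline, "XML")
    if xml and re.search(r"(?i)\\appdata\\local\\temp\\", xml):
        return {"task": _switch_arg(cmdline, "TN"), "xml": xml}
    return None


def summarize(reg_rows, cmdlines):
    hits = scan_registry(reg_rows)
    return {
        "anti_analysis_checks": sorted({label for label, _, _ in hits}),
        "lookups": len(hits),
        "temp_xml_tasks": [t for t in map(schtasks_from_temp_xml, cmdlines) if t],
    }


if __name__ == "__main__":
    print(summarize(REG_ROWS, [SCHTASKS_CMD, BENIGN_CMD]))
```

Any single key in the table is a weak signal on its own (installers and inventory agents read BIOS strings too); what matters here is one unsigned executable running from Temp reading five different hypervisor artifacts plus the country code before doing anything else. The schtasks check is deliberately narrow: a task definition supplied from a .tmp file in the user's Temp directory is the persistence pattern in this report, while the same tool fed an XML from a program's own install directory is routine.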

Network

N/A

Files

memory/952-54-0x0000000000F40000-0x0000000001906000-memory.dmp

memory/952-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

memory/952-56-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/952-57-0x000000000CCC0000-0x000000000D65A000-memory.dmp

memory/1688-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB5AA.tmp

MD5 cfc27433ef57b556319acca7645f3177
SHA1 b76fcab52373ee44844b33e647c7ac856e3409ba
SHA256 f28a3d1da3a24679f31b2870a702558504134619abc6e125c881a992633f3ef5
SHA512 aa88e275fe5e9a3fdaa660b331ad1b808d69b30cc257fcbd55522b232cb1ae950b7d6df08baffa9827285714e417afa7a3d983d74abac86d17421aa3992a0202

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-30 15:51

Reported

2022-12-02 14:16

Platform

win10v2004-20220812-en

Max time kernel

184s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"

Signatures

BitRAT

trojan bitrat

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Defender.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 844 wrote to memory of 636 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | C:\Windows\SysWOW64\schtasks.exe
PID 844 wrote to memory of 4044 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 844 wrote to memory of 3992 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3992 wrote to memory of 236 (10 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3992 wrote to memory of 176 (11 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 236 wrote to memory of 2664 (2 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 1384 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe
PID 1384 wrote to memory of 1988 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe | C:\Users\Admin\AppData\Local\Temp\Defender.exe
PID 1384 wrote to memory of 2168 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe | C:\Windows\SysWOW64\WerFault.exe
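The WriteProcessMemory table above is the injection chain. The sample (PID 844) writes into two freshly started MSBuild.exe instances; one of those (3992) writes into two more; one of those (236) drives cmd.exe to run the dropped batch file, which launches Bypass.exe and then Defender.exe. Read together with the SetThreadContext and NtSetInformationThreadHideFromDebugger entries in the summary and the fact that every MSBuild.exe in the Processes list runs with no project argument, the MSBuild writes are the process-hollowing step. The Bypass.exe write into WerFault.exe is the crash handler collecting state from the faulting process (see the Program crash entry and the WerFault command lines below), not injection. The following Python is an added example by the editor, not sandbox output and not code from the sample: it parses the table rows, collapses repeats into counted edges, gives each edge a coarse label, and walks the writer-to-target graph from the sample's PID. The host-directory list and the labels are the editor's assumptions; the rows are transcribed from the table above, with the schtasks row repeated to show the counting.

```python
import re
from collections import Counter, deque

# Image paths exactly as the report prints them; used to build the example rows below.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
CMD = r"C:\Windows\system32\cmd.exe"
BYPASS = r"C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe"
DEFENDER = r"C:\Users\Admin\AppData\Local\Temp\Defender.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Row layout: "PID <writer> wrote to memory of <target> [(<n> events)] N/A <writer image> <target image>"
ROW_RE = re.compile(
    r"^PID (?P<wpid>\d+) wrote to memory of (?P<tpid>\d+)(?: \((?P<n>\d+) events\))? \S+ "
    r"(?P<wimg>[A-Za-z]:\\.+?\.exe) (?P<timg>[A-Za-z]:\\.+\.exe)$"
)

# Directories holding the Microsoft-signed binaries that commodity loaders start suspended and
# overwrite (editor's list, not from the report).
HOST_DIRS = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A crashing process hands its state to WerFault.exe; that write is Windows Error Reporting, not injection.
WER_TARGETS = {"werfault.exe"}

# One row per edge, transcribed from the table above; the schtasks row is repeated to show counting.
ROWS = "\n".join([
    f"PID 844 wrote to memory of 636 N/A {SAMPLE} {SCHTASKS}",
    f"PID 844 wrote to memory of 636 N/A {SAMPLE} {SCHTASKS}",
    f"PID 844 wrote to memory of 4044 N/A {SAMPLE} {MSBUILD}",
    f"PID 844 wrote to memory of 3992 N/A {SAMPLE} {MSBUILD}",
    f"PID 3992 wrote to memory of 236 N/A {MSBUILD} {MSBUILD}",
    f"PID 3992 wrote to memory of 176 N/A {MSBUILD} {MSBUILD}",
    f"PID 236 wrote to memory of 2664 N/A {MSBUILD} {CMD}",
    f"PID 2664 wrote to memory of 1384 N/A {CMD} {BYPASS}",
    f"PID 1384 wrote to memory of 1988 N/A {BYPASS} {DEFENDER}",
    f"PID 1384 wrote to memory of 2168 N/A {BYPASS} {WERFAULT}",
])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _flatten(line):
    """Accept the sandbox's space-separated rows as well as a pipe-separated table layout."""
    return " ".join(line.replace("|", " ").split())


def parse_rows(text):
    """Collapse the table into {(writer pid, writer image, target pid, target image): event count}."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(_flatten(line))
        if m:
            edges[(int(m["wpid"]), m["wimg"], int(m["tpid"]), m["timg"])] += int(m["n"] or 1)
    return edges


def classify(wimg, timg):
    """Coarse label for one writer->target pair; corroborate with SetThreadContext and command lines."""
    if basename(timg) in WER_TARGETS:
        return "wer-crash-report"
    if basename(wimg) == basename(timg):
        return "same-image-respawn"     # MSBuild.exe writing into a fresh MSBuild.exe
    if timg.lower().startswith(HOST_DIRS):
        return "microsoft-host-write"   # foreign code placed into a signed Microsoft binary
    return "user-path-target"           # write into a dropped executable under the user profile


def injection_chain(edges, root_pid):
    """Breadth-first walk of writer->target edges starting at the initial sample's PID."""
    children = {}
    for wpid, _, tpid, timg in edges:
        children.setdefault(wpid, {})[tpid] = timg
    seen, order, queue = {root_pid}, [], deque([root_pid])
    while queue:
        pid = queue.popleft()
        for tpid, timg in sorted(children.get(pid, {}).items()):
            if tpid not in seen:
                seen.add(tpid)
                order.append((pid, tpid, basename(timg)))
                queue.append(tpid)
    return order


def triage(text, root_pid):
    """Counted, labelled edges plus the process chain hanging off root_pid."""
    edges = parse_rows(text)
    findings = [
        (wpid, basename(wimg), tpid, basename(timg), n, classify(wimg, timg))
        for (wpid, wimg, tpid, timg), n in sorted(edges.items())
    ]
    return findings, injection_chain(edges, root_pid)


if __name__ == "__main__":
    findings, chain = triage(ROWS, 844)
    for f in findings:
        print(f)
    print(" -> ".join(f"{tpid}:{img}" for _, tpid, img in chain))
```

The labels are prompts, not verdicts: the write from 844 into schtasks.exe gets the same "microsoft-host-write" label as the MSBuild writes, but schtasks was started with a real command line and exits, whereas the MSBuild instances have an empty command line and a later SetThreadContext. Check the target's command line and whether a thread context change followed before calling an edge hollowing.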

Processes

C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe

"C:\Users\Admin\AppData\Local\Temp\a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uskPBklHAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85B5.tmp\85C6.tmp\85C7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe

Bypass.exe

C:\Users\Admin\AppData\Local\Temp\Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1384 -ip 1384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 832

Network

Country | Destination | Domain | Proto
N/A | 72.21.91.29:80 | N/A | tcp
N/A | 93.184.221.240:80 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 87.248.202.1:80 | N/A | tcp
N/A | 20.52.64.200:443 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 8.8.8.8:53 | logonapplication.ddns.net | udp
N/A | 8.8.8.8:53 | logonapplication.ddns.net | udp
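In the network table the only host-derived indicator is the DNS query for logonapplication.ddns.net. The TCP rows carry no domain, so this page does not tie any of the listed addresses to the resolved name, and 8.8.8.8 is the sandbox's resolver rather than an indicator. The following Python is an added example by the editor, not sandbox output: it pulls the file hashes and network rows out of report text in the layout used here, deduplicates them, separates resolver rows from connections, and flags dynamic-DNS names by suffix. The suffix list is the editor's (only ddns.net appears in this report), and the excerpt is transcribed from the Files and Network sections of behavioral2.

```python
import re

HASH_RE = {
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "sha512": re.compile(r"\b[0-9a-f]{128}\b", re.I),
}
# Network row layout: "<country> <ip>:<port> [<domain>] <proto>" (domain present only on DNS rows)
NET_ROW_RE = re.compile(r"^\S+ (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
# Dynamic-DNS providers routinely used for RAT rendezvous (editor's list; only ddns.net occurs above).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".no-ip.org", ".duckdns.org", ".hopto.org")

# Transcribed from the Files and Network sections of behavioral2 (SHA512 lines omitted for width).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe
MD5 8ec8ca109abce872ef8e54a7c6af215f
SHA1 3b4b130d9fdeef5a41a740ea52bf121f24aab713
SHA256 5f556b89361ab895a2fc24da90323a2ca43ad1dd46a644b128caeb2879eb411d
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5 ac34ba84a5054cd701efad5dd14645c9
SHA1 dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
SHA256 c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
Country Destination Domain Proto
N/A 72.21.91.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 209.197.3.8:80 tcp
N/A 87.248.202.1:80 tcp
N/A 20.52.64.200:443 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 logonapplication.ddns.net udp
N/A 8.8.8.8:53 logonapplication.ddns.net udp
"""


def _flatten(line):
    """Accept the sandbox's space-separated rows as well as a pipe-separated table layout."""
    return " ".join(line.replace("|", " ").split())


def is_dynamic_dns(domain):
    return domain.lower().endswith(DYNDNS_SUFFIXES)


def extract_iocs(text):
    """Hashes, TCP destinations, queried names and the resolver used, deduplicated in order seen."""
    iocs = {algo: sorted({h.lower() for h in rx.findall(text)}) for algo, rx in HASH_RE.items()}
    tcp, domains, resolvers = [], [], []
    for line in text.splitlines():
        m = NET_ROW_RE.match(_flatten(line))
        if not m:
            continue
        ip, port, domain, proto = m.groups()
        domain = None if domain in (None, "N/A") else domain.lower()
        if proto == "udp" and port == "53":
            # The destination of a port-53 row is the resolver; the queried name is the indicator.
            if ip not in resolvers:
                resolvers.append(ip)
            if domain and domain not in [d for d, _ in domains]:
                domains.append((domain, is_dynamic_dns(domain)))
        else:
            dest = f"{ip}:{port}"
            if dest not in tcp:
                tcp.append(dest)
    iocs.update(tcp_destinations=tcp, domains=domains, dns_resolvers=resolvers)
    return iocs


if __name__ == "__main__":
    for k, v in extract_iocs(REPORT_EXCERPT).items():
        print(k, v)
```

Block the dynamic-DNS name and hunt on the dropped-file hashes first; the port-80 and port-443 addresses should be checked against known CDN, OCSP and Windows telemetry ranges before they go into a blocklist, because nothing in this report links them to the RAT's own traffic.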

Files

memory/844-132-0x0000000000C00000-0x00000000015C6000-memory.dmp

memory/844-133-0x0000000005F70000-0x000000000600C000-memory.dmp

memory/844-134-0x00000000065C0000-0x0000000006B64000-memory.dmp

memory/844-135-0x00000000060B0000-0x0000000006142000-memory.dmp

memory/844-136-0x0000000006020000-0x000000000602A000-memory.dmp

memory/844-137-0x0000000006150000-0x00000000061A6000-memory.dmp

memory/844-138-0x0000000001F20000-0x0000000001F86000-memory.dmp

memory/636-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp

MD5 3370595f7fb7d89c30240fdfc9f90bc1
SHA1 c8a96ac467aadbc00b036cec5a243e0f546d7d74
SHA256 559908711aac2e84ffa8b57b9d8cb94906f6522fc03fd9896e4ca2128f7ff21f
SHA512 79c091e61c64ccc2ba9c97d97ef8ab85ae6ff2dd0bc2f8e3c23ac59e989f3dfd13d6ea24ac937300605ac77405617094c6a4bc0662d840e089ded1b1c93df384

memory/4044-141-0x0000000000000000-mapping.dmp

memory/3992-142-0x0000000000000000-mapping.dmp

memory/3992-143-0x0000000000400000-0x0000000000D6A000-memory.dmp

memory/3992-144-0x0000000000400000-0x0000000000D6A000-memory.dmp

memory/3992-145-0x0000000000400000-0x0000000000D6A000-memory.dmp

memory/236-146-0x0000000000000000-mapping.dmp

memory/236-147-0x0000000000400000-0x000000000096B000-memory.dmp

memory/176-149-0x0000000000000000-mapping.dmp

memory/176-152-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/236-151-0x0000000000400000-0x000000000096B000-memory.dmp

memory/176-150-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/3992-154-0x0000000000400000-0x0000000000D6A000-memory.dmp

memory/176-153-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/236-155-0x0000000000400000-0x000000000096B000-memory.dmp

memory/176-156-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2664-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\85B5.tmp\85C6.tmp\85C7.bat

MD5 d4a739ca802d5dff563766977640f58e
SHA1 0a0c28f80cdedb2ecac1d76d15e38b60a63b2be5
SHA256 17e4ba6c84d45d5228b96a9a28292e658212c41b8764df0b6510cad24926d6f5
SHA512 15de091c5da6fd765e77f23169ce0cbf5b6d045d784cea28f688afe21a96a686fb9995acb2ea8394753a1024c27e4d31d8753ba86d18f880b8009ee001b24004

memory/1384-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\85B5.tmp\Bypass.exe

MD5 8ec8ca109abce872ef8e54a7c6af215f
SHA1 3b4b130d9fdeef5a41a740ea52bf121f24aab713
SHA256 5f556b89361ab895a2fc24da90323a2ca43ad1dd46a644b128caeb2879eb411d
SHA512 04b3e1457ca6c4ab85d1622a4650e24516af597cb009d9f3681008d72c15e6a9ef626ce4d1e9d52aa6df176836079c6fe6f3d62716afe23c6409871beccc18a5

memory/1384-162-0x00000000000B0000-0x0000000000180000-memory.dmp

memory/1988-163-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Defender.exe

MD5 ac34ba84a5054cd701efad5dd14645c9
SHA1 dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
SHA256 c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
SHA512 df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

memory/236-166-0x0000000000400000-0x000000000096B000-memory.dmp

memory/176-167-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/176-168-0x00000000742F0000-0x0000000074329000-memory.dmp

memory/176-169-0x0000000071B70000-0x0000000071BA9000-memory.dmp

memory/176-170-0x0000000071B70000-0x0000000071BA9000-memory.dmp

memory/2168-171-0x0000000000000000-mapping.dmp

memory/176-172-0x0000000071D10000-0x0000000071D49000-memory.dmp

memory/176-173-0x0000000071D10000-0x0000000071D49000-memory.dmp