Malware Analysis Report

2025-01-03 05:22

Sample ID 230321-rwfgvsda9s
Target 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.zip
SHA256 a112cbd56bacd44566fb02227b6d314e4a21e5fc6c9c68b05f4c3dd1e483a275
Tags bitrat trojan xenarmor collection password recovery spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

a112cbd56bacd44566fb02227b6d314e4a21e5fc6c9c68b05f4c3dd1e483a275

Threat Level: Known bad

The file 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.zip was found to be: Known bad.

Malicious Activity Summary

bitrat trojan xenarmor collection password recovery spyware stealer upx

BitRAT

XenArmor Suite

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Reads user/profile data of local email clients

ACProtect 1.3x - 1.4x DLL software

Reads local data of messenger clients

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win7-20230220-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

Signatures

BitRAT

trojan bitrat

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 2044 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 436 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 436 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 436 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 920 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 1912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {C31435EE-2383-4FF0-B1C9-1B8DE7437474} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

Network

Country Destination Domain Proto
US 74.201.28.92:3569 tcp

Files

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 d038d6ef09538870691d998d23b466f0
SHA1 b58c50edf74be3c6c9c8a9e53def75dd6cc62b81
SHA256 dfc933bfc23bba730103748c85fa208a63427abfb4d945f0743ca1ada6db54d2
SHA512 2848cd225a60d9da14de0e2f75506b6038a2b7667939b6062e21467c2a649d7ba62451c8a5c8e53859e2d500c687341bd6dfffa912ffdb8b4710e4791dfb600b

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1400 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
PID 3252 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 536 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 3244 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4700 wrote to memory of 1748 (8 times) N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 1748 wrote to memory of 1696 (8 times) N/A C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe
PID 4360 wrote to memory of 3472 (2 times) N/A C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

"C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5080 -ip 5080

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 188

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

-a "C:\Users\Admin\AppData\Local\1868f947\plg\HTKSNuTr.json"

C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
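The mkdir, copy and schtasks /create entries above, followed by the task-launched wbnh.exe, are the sample's persistence routine: it stages a byte-identical copy of itself under AppData\Roaming (the dropped wbnh.exe listed under Files carries the SHA256 that is also the submitted executable's file name) and registers a task named "Nafifas" that re-runs that copy every minute, so killing the process buys at most sixty seconds. The Python below is an added example for this report, not part of the sandbox output and not BitRAT's own code: it parses the command lines exactly as printed in the Processes section, extracts the schtasks /create switches, and flags the indicators a detection engineer would key on. The set of switches that take a value, the user-writable path fragments and the "every 5 minutes or less" threshold are my assumptions, not something the report states.

```python
"""Flag scheduled-task persistence in the process records of this report.

Added example; not part of the sandbox output or of the malware. The
command lines in RECORDS are copied from the Processes section; the
tokenizer, option parser and scoring rules are illustrative assumptions.
"""

# Command lines taken from the Processes section (constructed list for
# this example; text as reported, one entry per process).
RECORDS = [
    r'''"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"''',
    r'''"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"''',
    r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f''',
    r'''C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 188''',
]

# schtasks /create switches that take a value (assumed subset; anything
# not listed, such as /f, is treated as a boolean switch).
VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ed", "/ru",
                  "/rp", "/rl", "/d", "/m", "/du", "/et", "/s", "/u", "/p"}

# Path fragments a standard user can write to (assumed list). A task whose
# action lives here was not installed by an administrator or a package.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    Double quotes are stripped; backslashes are literal path separators,
    not escapes, which is why shlex is deliberately not used.
    """
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def strip_cmd_wrapper(tokens):
    """Drop a leading `cmd /c` (bare name or full path) if present."""
    if (len(tokens) >= 2 and basename(tokens[0]) in ("cmd", "cmd.exe")
            and tokens[1].lower() == "/c"):
        return tokens[2:]
    return tokens


def parse_schtasks_create(tokens):
    """Switches of a `schtasks /create` command as a dict, else None."""
    tokens = strip_cmd_wrapper(tokens)
    if len(tokens) < 2 or basename(tokens[0]) not in ("schtasks", "schtasks.exe"):
        return None
    if tokens[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            opts[switch] = True
            i += 1
    return opts


def in_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def assess_task(opts):
    """Persistence indicators for a parsed `schtasks /create`."""
    findings = []
    # The sample wraps the target in single quotes inside the double
    # quotes; strip them so the path check sees the real file name.
    target = opts.get("/tr", "").strip("'")
    mo = opts.get("/mo", "")
    if opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append(f"re-launches every {mo} minute(s) (watchdog-style persistence)")
    if in_user_writable(target):
        findings.append(f"task action runs from a user-writable path: {target}")
    if "/f" in opts:
        findings.append("/f silently overwrites an existing task of the same name")
    return findings


def assess_record(cmdline):
    """Classify one process command line from the report."""
    tokens = tokenize(cmdline)
    opts = parse_schtasks_create(tokens)
    if opts is not None:
        return {"cmdline": cmdline, "kind": "schtasks", "task": opts.get("/tn"),
                "findings": assess_task(opts)}
    inner = strip_cmd_wrapper(tokens)
    if len(inner) >= 3 and inner[0].lower() == "copy" and in_user_writable(inner[2]):
        return {"cmdline": cmdline, "kind": "copy", "task": None,
                "findings": [f"stages a binary into {inner[2]}"]}
    return {"cmdline": cmdline, "kind": None, "task": None, "findings": []}


def triage(records):
    return [assess_record(r) for r in records]


if __name__ == "__main__":
    for hit in triage(RECORDS):
        if hit["findings"]:
            print(hit["kind"], hit["task"] or "", "|", "; ".join(hit["findings"]))
```

The same parser can be pointed at Sysmon Event ID 1 CommandLine fields or at the Task Scheduler command embedded in Security event 4698 (task created). Of the three indicators, the `/sc minute /mo 1` cadence combined with an AppData\Roaming action is the strongest on its own; `/f` is common in legitimate installers and is only corroborating. Because the dropped wbnh.exe has the same SHA256 as the submitted executable, a hash match on the original sample also finds the staged copy.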

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 74.201.28.92:3569 tcp
US 8.8.8.8:53 92.28.201.74.in-addr.arpa udp
US 74.201.28.92:3569 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.xenarmor.com udp
US 69.64.94.128:80 www.xenarmor.com tcp
US 8.8.8.8:53 128.94.64.69.in-addr.arpa udp
US 74.201.28.92:3569 tcp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/1400-133-0x0000000000AE0000-0x0000000000EB6000-memory.dmp

memory/1400-134-0x0000000005D40000-0x00000000062E4000-memory.dmp

memory/1400-135-0x0000000005840000-0x00000000058A6000-memory.dmp

memory/4700-136-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-139-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1400-138-0x0000000005970000-0x0000000005980000-memory.dmp

memory/4700-137-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-143-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-145-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-146-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-147-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-148-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-149-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-150-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-151-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-152-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-153-0x00000000752C0000-0x00000000752F9000-memory.dmp

memory/4700-154-0x0000000075640000-0x0000000075679000-memory.dmp

memory/4700-155-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-156-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-157-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-158-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-159-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-160-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-161-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-163-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-164-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-165-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-166-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-167-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-168-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-169-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-170-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-171-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-172-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-173-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/3252-177-0x00000000053A0000-0x00000000053B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/5080-183-0x0000000000B00000-0x0000000000ECE000-memory.dmp

memory/5080-187-0x0000000000B00000-0x0000000000ECE000-memory.dmp

memory/4700-189-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-193-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1748-196-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1748-198-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1748-199-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1696-223-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1748-224-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1696-225-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1696-226-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1696-228-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/4700-227-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-229-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1696-231-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/1696-235-0x0000000010000000-0x0000000010227000-memory.dmp

memory/1696-249-0x0000000010000000-0x0000000010227000-memory.dmp

memory/1696-250-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

memory/1748-274-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\1868f947\plg\HTKSNuTr.json

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

memory/4700-278-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-279-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-282-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-283-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4700-299-0x0000000075640000-0x0000000075679000-memory.dmp

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wbnh.exe.log

MD5 4bc94363628f46b343c5e8e2da62ca26
SHA1 8a41ac46e24d790e11a407d0e957c4a6be6056c4
SHA256 c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a
SHA512 cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe

MD5 86000b0a976dc4a377b2e5192fe30445
SHA1 ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512 4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

memory/4360-306-0x0000000005220000-0x0000000005230000-memory.dmp

memory/3472-307-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3472-312-0x0000000000400000-0x00000000007CE000-memory.dmp