Malware Analysis Report

2025-01-03 05:30

Sample ID 230914-xvp8kaed4x
Target docbit20230908.exe
SHA256 d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
Tags bitrat xenarmor collection password recovery spyware stealer trojan upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file docbit20230908.exe was found to be: Known bad.

Malicious Activity Summary

BitRAT

XenArmor Suite

Reads user/profile data of web browsers

Reads user/profile data of local email clients

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Reads local data of messenger clients

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported 2023-09-14 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-09-14 19:10
Reported 2023-09-14 19:14
Platform win7-20230831-en
Max time kernel 149s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 488 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 488 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 488 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 488 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1708 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1820 wrote to memory of 3060 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
PID 1708 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe
PID 2200 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe
PID 3060 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\svchost\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {3E3BEA27-044C-4BB9-8750-91E7C46335E0} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

-a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\J7VA7cHn.json"

C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe

-a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\J7VA7cHn.json"

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 homesafe1000.duckdns.org udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
US 8.8.8.8:53 softwarez.online udp
DE 144.91.112.240:443 softwarez.online tcp
US 8.8.8.8:53 www.xenarmor.com udp
US 69.64.94.128:80 www.xenarmor.com tcp

Files

\Users\Admin\AppData\Local\Temp\MU8lUxUa.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 81e0872e2be9487534ddd879b05e6f62
SHA1 f97c783cb79036a9f2ff27e70a182f1b6919da18
SHA256 d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
SHA512 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\ed01f8a1\plg\J7VA7cHn.json

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 877d75e00c8c9aa93ffed547e3c6bf22
SHA1 8d88378e6acdf09522b05a64794ff526d27db69b
SHA256 11894b720cfddb2f11ea85590a64c727fe9794499c9716731f959164c2bd7764
SHA512 82764af659054114f63af31d364eb055406746cc62e108e23edeff1464d9a90d784efbde00b2bd1250ac3767593efa493e0bcddac75c8fce431dad0e7388737a

Analysis: behavioral2

Detonation Overview

Submitted 2023-09-14 19:10
Reported 2023-09-14 19:14
Platform win10v2004-20230831-en
Max time kernel 98s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\External C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1072 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1072 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2344 wrote to memory of 4504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2344 wrote to memory of 4504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2344 wrote to memory of 4504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

-a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\VUmm8IJD.json"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
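The WriteProcessMemory rows and the Processes list above together describe the whole execution: the Temp executable (PID 4704) writes repeatedly into a bare RegAsm.exe (PID 1668), that RegAsm.exe writes into a second one, which writes into a third, while three cmd.exe children create the svchost folder, copy the sample in and register the one-minute task. The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied from this report, walks the write chain, flags a user-profile executable writing into a system binary that was launched with no arguments (the hollowing pattern), and pulls the persistence details out of the schtasks command. The row layout, the assumption that image paths contain no spaces, the user-writable prefixes and the short masquerade-name list are all assumptions made for this example; the 11 identical 4704 -> 1668 rows are abbreviated to four.

```python
import re
import shlex
from collections import Counter, deque

# Constructed input (copied from the report's WriteProcessMemory table; 4704 -> 1668
# rows abbreviated from 11 to 4, cmd.exe rows reduced to one per child).
WPM_LINES = r"""
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4704 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 2344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2344 wrote to memory of 4504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
""".strip().splitlines()

# Constructed input: the command lines from the Processes list, in page order.
CMDLINES = r'''
"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
-a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\VUmm8IJD.json"
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
'''.strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # assumption: prefixes treated as user-writable
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe"}  # assumption: short illustrative list


def parse_wpm(lines):
    """Count write edges: {(src_pid, dst_pid, src_image, dst_image): number of writes}."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def reachable_via_writes(edges, root_pid):
    """Breadth-first walk over write edges: every process whose memory root_pid wrote,
    directly or through a child, as (pid, image) in discovery order."""
    by_src = {}
    for src, dst, _, dst_img in edges:
        by_src.setdefault(src, []).append((dst, dst_img))
    seen, order, queue = {root_pid}, [], deque([root_pid])
    while queue:
        for dst, img in by_src.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                order.append((dst, img))
                queue.append(dst)
    return order


def _unquote(tok):
    return tok.strip("\"'")


def argless_system_binaries(cmdlines):
    """Images under C:\\Windows started with no arguments at all. RegAsm.exe does nothing
    useful without an assembly path, so a bare launch exists only to be written into."""
    hits = []
    for cl in cmdlines:
        toks = shlex.split(cl, posix=False)   # Windows-style: keeps quotes, no backslash escapes
        image = _unquote(toks[0])
        if image.lower().startswith("c:\\windows\\") and len(toks) == 1:
            hits.append(image)
    return hits


def hollowing_candidates(edges, cmdlines):
    """User-profile executables writing into a bare system binary: (src, dst, image, writes)."""
    bare = set(argless_system_binaries(cmdlines))
    return sorted((src, dst, dst_img, n) for (src, dst, src_img, dst_img), n in edges.items()
                  if src_img.lower().startswith(USER_WRITABLE) and dst_img in bare)


def parse_schtasks(cmdline):
    """Switches of a `schtasks /create` call as a dict (value-less switches map to True),
    or None when the command line is not one. Works through a `cmd /c` wrapper too."""
    toks = shlex.split(cmdline, posix=False)
    low = [t.lower().strip('"') for t in toks]
    if "schtasks" not in low or "/create" not in low:
        return None
    args, i = {}, low.index("schtasks") + 1
    while i < len(toks):
        if not low[i].startswith("/"):
            i += 1
        elif i + 1 < len(toks) and not low[i + 1].startswith("/"):
            args[low[i][1:]] = _unquote(toks[i + 1])
            i += 2
        else:
            args[low[i][1:]] = True
            i += 1
    return args


def persistence_findings(cmdlines, max_minutes=5):
    """Tasks worth a look: tight interval, action in a user-writable path, system binary name
    outside C:\\Windows. The cmd.exe wrapper and schtasks.exe itself describe the same task,
    so findings are de-duplicated on (name, action)."""
    out, seen = [], set()
    for cl in cmdlines:
        task = parse_schtasks(cl)
        if not task or (task.get("tn"), task.get("tr")) in seen:
            continue
        seen.add((task.get("tn"), task.get("tr")))
        action, mo, reasons = str(task.get("tr", "")), str(task.get("mo", "")), []
        if task.get("sc") == "minute" and mo.isdigit() and int(mo) <= max_minutes:
            reasons.append(f"runs every {mo} minute(s)")
        if action.lower().startswith(USER_WRITABLE):
            reasons.append("action lives in a user-writable directory")
        name = action.rsplit("\\", 1)[-1].lower()
        if name in MASQUERADE_NAMES and not action.lower().startswith("c:\\windows\\"):
            reasons.append(f"{name} outside C:\\Windows (name masquerading)")
        if reasons:
            out.append({"task": task.get("tn"), "action": action, "reasons": reasons})
    return out


if __name__ == "__main__":
    edges = parse_wpm(WPM_LINES)
    print("written by 4704:", reachable_via_writes(edges, 4704))
    print("hollowing:", hollowing_candidates(edges, CMDLINES))
    print("persistence:", persistence_findings(CMDLINES))
```

Two design points: PIDs are never matched to command lines, because the report lists the two tables independently and the order of the Processes list does not follow the PID order in the write table, so the hollowing check keys on image path plus argument count rather than on a guessed PID pairing; and the one-minute interval is flagged on its own, since a task that relaunches a user-profile binary every minute is a self-healing mechanism whatever the binary is called.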

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 homesafe1000.duckdns.org udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
US 8.8.8.8:53 151.62.110.79.in-addr.arpa udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
US 8.8.8.8:53 softwarez.online udp
DE 144.91.112.240:443 softwarez.online tcp
US 8.8.8.8:53 240.112.91.144.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 139.121.18.2.in-addr.arpa udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
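Most rows in the Network table are reverse lookups (in-addr.arpa) that the sandbox or Windows itself performs for addresses it touches; the forward lookups and the TCP connections are what identify the infrastructure, and the only endpoint contacted more than once is homesafe1000.duckdns.org on port 1234. The script below is an added example, not part of the report or its tooling: it parses the table as copied from this page, drops the PTR noise, and scores each connected endpoint on the three properties a practitioner looks for first (dynamic-DNS hostname, non-standard port, repeated connections in one run). The dynamic-DNS suffix list and the set of "common" ports are assumptions for this example, not an authoritative list.

```python
import re
from collections import Counter

# Constructed input: the Network table above, copied row for row.
NET_LINES = """
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 homesafe1000.duckdns.org udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
US 8.8.8.8:53 151.62.110.79.in-addr.arpa udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
US 8.8.8.8:53 softwarez.online udp
DE 144.91.112.240:443 softwarez.online tcp
US 8.8.8.8:53 240.112.91.144.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 139.121.18.2.in-addr.arpa udp
NL 79.110.62.151:1234 homesafe1000.duckdns.org tcp
""".strip().splitlines()

NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")  # assumption: illustrative, not exhaustive
COMMON_PORTS = {53, 80, 443}                                               # assumption: ports not flagged on their own


def parse_net(lines):
    """Rows as dicts: country, ip, port, name, proto."""
    rows = []
    for line in lines:
        m = NET_RE.match(line.strip())
        if m:
            cc, ip, port, name, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'151.62.110.79.in-addr.arpa' -> '79.110.62.151'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def triage(rows):
    """Separate reverse-DNS noise from forward lookups and real connections, then score
    each connected endpoint: dynamic-DNS host, non-standard port, repeated connects."""
    ptr, dns, conns = [], [], []
    for r in rows:
        if r["name"].endswith(".in-addr.arpa"):
            ptr.append(r)
        elif r["port"] == 53 and r["proto"] == "udp":
            dns.append(r)
        else:
            conns.append(r)
    iocs = {}
    for (name, ip, port), n in Counter((r["name"], r["ip"], r["port"]) for r in conns).items():
        reasons = []
        if name.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS hostname")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if n > 1:
            reasons.append(f"{n} connections in one run (beaconing)")
        iocs[name] = {"ip": ip, "port": port, "connections": n, "reasons": reasons}
    ioc_ips = {v["ip"] for v in iocs.values()}
    return {
        "ptr_noise": len(ptr),
        "dns_queries": [r["name"] for r in dns],
        "iocs": iocs,
        # PTR lookups that point back at a contacted address: reverse lookups of the C2 itself
        "ptr_for_iocs": [ip for ip in (ptr_to_ip(r["name"]) for r in ptr) if ip in ioc_ips],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_net(NET_LINES)), indent=2))
```

The result keeps softwarez.online as an endpoint with no reasons attached: a single connection on 443 is not an indicator by itself, and the report gives no content for it, so it stays in the list as "contacted" rather than being promoted to C2 on guesswork.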

Files

memory/4704-0-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4704-1-0x0000000000A60000-0x0000000000E62000-memory.dmp

memory/4704-2-0x0000000005900000-0x0000000005910000-memory.dmp

memory/4704-3-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4704-4-0x0000000005900000-0x0000000005910000-memory.dmp

memory/1668-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-7-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4704-8-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/1668-9-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-11-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-13-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-15-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-17-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-19-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-21-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-23-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-26-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-27-0x0000000074470000-0x00000000744A9000-memory.dmp

memory/1668-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-29-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-30-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-31-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-32-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-33-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-34-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-35-0x0000000074810000-0x0000000074849000-memory.dmp

memory/1668-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-38-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-39-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-40-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-41-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-43-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-44-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-46-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-51-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-52-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-53-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-54-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-55-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-62-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-63-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-64-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-65-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-66-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-67-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-68-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-69-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-70-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-71-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1668-73-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2344-76-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2344-78-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2344-79-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2344-83-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1668-104-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2344-129-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\ed01f8a1\plg\VUmm8IJD.json

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
Note: these are the digests of the single byte "0" (MD5 cfcd208495d565ef66e7dff9f98764da is the well-known MD5 of "0"), so the captured VUmm8IJD.json holds nothing but that one character. Do not use these hashes as indicators: they match every one-byte file containing "0". The path and the RegAsm.exe -a invocation that references it are the usable pivots.

memory/1668-131-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 54fa5d2c128d1b7ef3323d30bd34100f
SHA1 661f68773383ac6bafc1d09f1ba967acaf6106ef
SHA256 21fec52cb164c053b92e54690769d7f60f4bbe5f0af2109737f8ed470226b4df
SHA512 1bb671bb1f3d10233ba477fecb4e15978dcb3aee19e2f15a697324a9799ba40b045015468ed1f70052a86085c940aea1f62426f2d1a10b2e03775da8505b10c9

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 ac51c340fe4d262b623695075ff7981d
SHA1 85623cce7bc0d6798fdc8199c7165dc46c56c741
SHA256 8c0594ff2d021b44745951f3fd86c1f3671dd1ac876974f289e14f6280073df1
SHA512 536ea5c823123e9ac6245382e9954604461123d5f3e0175121ccdd410ad330480bb7018e724e29f7eb12ee01f4e23a751cf170f92f269e20be7485f6e01c0221
Note: the two captures of this path carry different digests, so the file changed between captures (a capture taken while the cmd /c copy was still writing is one explanation). Treat both hash sets as specific to this detonation; the stable indicators are the path, the svchost.exe name outside C:\Windows, and the scheduled task name Nafifas.