Analysis Overview
SHA256
d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
Threat Level: Known bad
The file docbit20230908.exe.1 was found to be: Known bad.
Malicious Activity Summary
BitRAT
XenArmor Suite
Reads local data of messenger clients
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Reads data files stored by FTP clients
UPX packed file
Reads user/profile data of local email clients
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-14 19:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-14 19:14
Reported
2023-09-14 19:18
Platform
win10v2004-20230831-en
Max time kernel
153s
Max time network
151s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4964 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3692 set thread context of 4372 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 540
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 540
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 52.109.8.86:443 | tcp | |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/4964-0-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/4964-1-0x00000000003F0000-0x00000000007F2000-memory.dmp
memory/4964-2-0x0000000005250000-0x0000000005260000-memory.dmp
memory/4964-3-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/4964-4-0x0000000005250000-0x0000000005260000-memory.dmp
memory/1456-5-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/4964-10-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/1456-12-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-16-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-17-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-18-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-19-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-20-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-21-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-22-0x00000000005A0000-0x000000000096E000-memory.dmp
memory/1456-23-0x00000000005A0000-0x000000000096E000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 81e0872e2be9487534ddd879b05e6f62 |
| SHA1 | f97c783cb79036a9f2ff27e70a182f1b6919da18 |
| SHA256 | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0 |
| SHA512 | 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90 |
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 81e0872e2be9487534ddd879b05e6f62 |
| SHA1 | f97c783cb79036a9f2ff27e70a182f1b6919da18 |
| SHA256 | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0 |
| SHA512 | 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90 |
memory/3692-28-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/3692-29-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/4372-35-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/3692-41-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/4372-39-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-42-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-43-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-44-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-45-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-46-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-47-0x0000000000900000-0x0000000000CCE000-memory.dmp
memory/4372-48-0x0000000000900000-0x0000000000CCE000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 0e5b0b74d6de33d6a014d1a094d5cd7a |
| SHA1 | 60f1ec39b291f2e4cfd1a4ee0a85f0e1a2f34f97 |
| SHA256 | 944c989c34bb9344b61ff8d3ee3b9d0c7e000f11a0f109b5c77731fe475a3ae1 |
| SHA512 | d8422c1c06ce5a98a18b0b58bac75cbe41c37a14f02dacc28e1e2d82d918ebeb0ddb8894c0947d39701ffc1787b2fa552c54e5b4be829824284ab184a2a37479 |
memory/4172-50-0x0000000074490000-0x0000000074C40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-14 19:14
Reported
2023-09-14 19:18
Platform
win7-20230831-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
BitRAT
XenArmor Suite
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 388 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2756 set thread context of 1592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1592 set thread context of 1980 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 916 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
-a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\TNvfYPJf.json"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
C:\Windows\system32\taskeng.exe
taskeng.exe {C83DD212-71F5-4B5E-9D6E-75E074635B8A} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | homesafe1000.duckdns.org | udp |
| NL | 79.110.62.151:1234 | homesafe1000.duckdns.org | tcp |
| NL | 79.110.62.151:1234 | homesafe1000.duckdns.org | tcp |
| NL | 79.110.62.151:1234 | homesafe1000.duckdns.org | tcp |
| US | 8.8.8.8:53 | softwarez.online | udp |
| DE | 144.91.112.240:443 | softwarez.online | tcp |
| DE | 144.91.112.240:443 | softwarez.online | tcp |
| DE | 144.91.112.240:443 | softwarez.online | tcp |
| DE | 144.91.112.240:443 | softwarez.online | tcp |
| US | 8.8.8.8:53 | www.xenarmor.com | udp |
| US | 69.64.94.128:80 | www.xenarmor.com | tcp |
| NL | 79.110.62.151:1234 | homesafe1000.duckdns.org | tcp |
| US | 8.8.8.8:53 | homesafe1000.duckdns.org | udp |
Files
memory/388-0-0x0000000000A20000-0x0000000000E22000-memory.dmp
memory/388-1-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/388-2-0x0000000004EA0000-0x0000000004EE0000-memory.dmp
memory/388-3-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/388-4-0x0000000004EA0000-0x0000000004EE0000-memory.dmp
memory/388-5-0x0000000005490000-0x0000000005858000-memory.dmp
memory/2756-6-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-7-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-8-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-10-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-12-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-14-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-16-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2756-20-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-22-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-24-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/388-26-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2756-27-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-29-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-31-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-33-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-35-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-37-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-39-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-42-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-43-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-44-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-46-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-45-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-48-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-49-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-50-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-51-0x0000000000360000-0x000000000036A000-memory.dmp
memory/2756-52-0x0000000000360000-0x000000000036A000-memory.dmp
memory/2756-53-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-54-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-55-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-57-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-58-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-60-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-62-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-61-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-64-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-66-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-67-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-69-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-70-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-71-0x0000000000360000-0x000000000036A000-memory.dmp
memory/2756-72-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-73-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-74-0x0000000000360000-0x000000000036A000-memory.dmp
memory/2756-75-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2756-76-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1592-103-0x0000000000400000-0x00000000008DC000-memory.dmp
memory/1980-142-0x0000000000400000-0x00000000006FE000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll
| MD5 | 86114faba7e1ec4a667d2bcb2e23f024 |
| SHA1 | 670df6e1ba1dc6bece046e8b2e573dd36748245e |
| SHA256 | 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d |
| SHA512 | d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f |
\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll
| MD5 | 86114faba7e1ec4a667d2bcb2e23f024 |
| SHA1 | 670df6e1ba1dc6bece046e8b2e573dd36748245e |
| SHA256 | 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d |
| SHA512 | d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f |
memory/1980-146-0x0000000010000000-0x0000000010227000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor
| MD5 | 4f3bde9212e17ef18226866d6ac739b6 |
| SHA1 | 732733bec8314beb81437e60876ffa75e72ae6cd |
| SHA256 | 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174 |
| SHA512 | 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744 |
memory/1980-159-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1980-160-0x0000000010000000-0x0000000010227000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unk.xml
| MD5 | 67efe59fbf8aaf3e8de7d67dab21c2a7 |
| SHA1 | 0869d3ea3b16639ed4a0803acea1c476e199b16c |
| SHA256 | 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1 |
| SHA512 | 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor
| MD5 | bf5da170f7c9a8eae88d1cb1a191ff80 |
| SHA1 | dd1b991a1b03587a5d1edc94e919a2070e325610 |
| SHA256 | e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd |
| SHA512 | 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e |
memory/1592-184-0x0000000000400000-0x00000000008DC000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 81e0872e2be9487534ddd879b05e6f62 |
| SHA1 | f97c783cb79036a9f2ff27e70a182f1b6919da18 |
| SHA256 | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0 |
| SHA512 | 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90 |
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 81e0872e2be9487534ddd879b05e6f62 |
| SHA1 | f97c783cb79036a9f2ff27e70a182f1b6919da18 |
| SHA256 | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0 |
| SHA512 | 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90 |
memory/916-189-0x0000000073120000-0x000000007380E000-memory.dmp
memory/916-190-0x00000000009D0000-0x0000000000DD2000-memory.dmp
memory/916-191-0x0000000004A20000-0x0000000004A60000-memory.dmp
C:\Users\Admin\AppData\Local\ed01f8a1\plg\TNvfYPJf.json
| MD5 | 67efe59fbf8aaf3e8de7d67dab21c2a7 |
| SHA1 | 0869d3ea3b16639ed4a0803acea1c476e199b16c |
| SHA256 | 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1 |
| SHA512 | 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb |
memory/916-200-0x0000000073120000-0x000000007380E000-memory.dmp
memory/916-203-0x0000000004A20000-0x0000000004A60000-memory.dmp
memory/916-242-0x0000000073120000-0x000000007380E000-memory.dmp
memory/1772-250-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1772-255-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
| MD5 | 0d93dcc547eab04c3e29636e6d14b8b6 |
| SHA1 | c435ead1255a38b7188b321bce5d03c60cfe22da |
| SHA256 | 189da8b47feaa3c76abd282627007c34accd5e9dd98375fbc0b1e4b4a3400c66 |
| SHA512 | c8043eb4b958f1928bb186e3125997a71b5f83f878b7b07253581cda5b5a80018c87d3470f27150f8950ab92e18e521d999e1abd9ed7f671b78cc1391f677534 |
memory/536-259-0x0000000072A30000-0x000000007311E000-memory.dmp
memory/536-260-0x0000000000FC0000-0x00000000013C2000-memory.dmp
memory/536-261-0x0000000000D50000-0x0000000000D90000-memory.dmp