Malware Analysis Report

2025-01-03 05:30

Sample ID 230915-qqnqlseh33
Target c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
Tags
bitrat xenarmor collection password recovery spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3

Threat Level: Known bad

The file c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe was found to be: Known bad.

Malicious Activity Summary

bitrat xenarmor collection password recovery spyware stealer trojan upx

BitRAT

XenArmor Suite

Reads local data of messenger clients

Reads user/profile data of local email clients

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2023-09-15 13:28

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 13:28

Reported

2023-09-15 13:30

Platform

win7-20230831-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2324 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
PID 2324 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe
PID 3028 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2844 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {B21CE224-7A11-4A4E-B1A1-F1EB67302892} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json"

C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json"

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

Network

Country Destination Domain Proto
NL 185.225.75.68:3569 tcp
US 8.8.8.8:53 www.xenarmor.com udp
US 69.64.94.128:80 www.xenarmor.com tcp

Files

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-15 13:28

Reported

2023-09-15 13:30

Platform

win10v2004-20230915-en

Max time kernel

50s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
PID 2056 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
NL 185.225.75.68:3569 tcp
US 8.8.8.8:53 68.75.225.185.in-addr.arpa udp
NL 185.225.75.68:3569 tcp

Files

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 8b7fc4a4ad7b71b10999a1464bf5ca7f
SHA1 8f4b73478624c1dca486699bf5a8753a1cdb2161
SHA256 f96065948074ba84b11079b8e2b27a312879db52d13141d3e4281eb273a45ef5
SHA512 283aa9d66c7af11299306070372fba9b6ae320399ab723cb6571ef330f9de4e12865c2fcb627b634c66a2e18533ae01bf120dba97d0604ad1064ec7325303824

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 b3f1bf2d871aa25b54fd035b674a1b1b
SHA1 c78a60f4b9326a1dc433f128aea71c22c554f380
SHA256 629ced3b1fa9f56cba96e4ae1cd203f708278d75d28dc98e96569c065287d6e8
SHA512 c91689196eb23bbc7d5eeda1b17151a4b1524d0aabece9ca8e5e97643379f10c13edc61d2d8833c9eefd9e2228412f3f213843e573a15c3ed1f46ba363768706