Malware Analysis Report

2025-01-03 05:23

Sample ID 230920-j5ktyahb29
Target 18e07c4772a2687ee06a434ffef9572f.exe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
Tags
bitrat trojan xenarmor password recovery upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

Threat Level: Known bad

The file 18e07c4772a2687ee06a434ffef9572f.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan xenarmor password recovery upx

XenArmor Suite

BitRAT

UPX packed file

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-20 08:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-20 08:15

Reported

2023-09-20 08:17

Platform

win10v2004-20230915-en

Max time kernel

44s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 936 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 936 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3060 -ip 3060

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 188

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

"C:\Users\Admin\AppData\Roaming\state\state.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp

Files

memory/936-0-0x0000000074DF0000-0x00000000755A0000-memory.dmp

memory/936-1-0x00000000000A0000-0x000000000083E000-memory.dmp

memory/936-2-0x00000000057A0000-0x0000000005D44000-memory.dmp

memory/936-3-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/936-4-0x0000000006D50000-0x00000000074DA000-memory.dmp

memory/3060-5-0x0000000001150000-0x000000000151E000-memory.dmp

memory/3060-10-0x0000000001150000-0x000000000151E000-memory.dmp

memory/936-11-0x0000000074DF0000-0x00000000755A0000-memory.dmp

memory/3060-15-0x0000000001150000-0x000000000151E000-memory.dmp

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 dc21cfd65fdc3546702d7fd7ff8e7a80
SHA1 1b00080e60a7a993b7ee8f4fd1fa709d82bf8916
SHA256 9cf1c334edf65832fec57abafac950c983f8247c2de67218bfe9946182c9c34c
SHA512 7c3eebb9e5adf56ccaa2daea9f119e0b6c4d2cf47d24a02ad786417199573d3549d7bf5566755b26752f72878a5e6b6d7bb0bbfd386b2687c45f743355dcc52b

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 dc21cfd65fdc3546702d7fd7ff8e7a80
SHA1 1b00080e60a7a993b7ee8f4fd1fa709d82bf8916
SHA256 9cf1c334edf65832fec57abafac950c983f8247c2de67218bfe9946182c9c34c
SHA512 7c3eebb9e5adf56ccaa2daea9f119e0b6c4d2cf47d24a02ad786417199573d3549d7bf5566755b26752f72878a5e6b6d7bb0bbfd386b2687c45f743355dcc52b

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 9c7169d77a4b9fbca8edb5e6b02b6fab
SHA1 852b181b9f45c7ccc83f134d13906b02d02d7ab0
SHA256 c27050a9fbf430413d56de9d352418879545083378ecc4739925cf6ba2a2b269
SHA512 f8c5f4f0b7722819cdcead16dc58267db2e0fcad1aa094e18c6579359459f207c99687e3cea0e6961095395e8cdc6a1fbe7e575a3c11ca682dbe51a8e1eefcb5

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 08:15

Reported

2023-09-20 08:17

Platform

win7-20230831-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1456 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2744 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2744 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2744 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 2576 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1276 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1276 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1276 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1276 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe | C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
PID 1648 wrote to memory of 2272 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 1648 wrote to memory of 2272 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 1648 wrote to memory of 2272 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 1648 wrote to memory of 2272 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Users\Admin\AppData\Roaming\state\state.exe
PID 2272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\state\state.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\E1BbseDv.json"

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Windows\system32\taskeng.exe

taskeng.exe {E51CC7D2-BCA9-4388-BD69-1A6EB681DCCC} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

"C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\state\state.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

C:\Users\Admin\AppData\Roaming\state\state.exe

"C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\state\state.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f

Network

Country | Destination | Domain | Proto
NL | 185.225.75.68:3569 | | tcp
NL | 185.225.75.68:3569 | | tcp
NL | 185.225.75.68:3569 | | tcp

Files

memory/1456-0-0x00000000745A0000-0x0000000074C8E000-memory.dmp

memory/1456-1-0x0000000000B70000-0x000000000130E000-memory.dmp

memory/1456-2-0x0000000004B20000-0x0000000004B60000-memory.dmp

memory/1456-3-0x0000000006C20000-0x00000000073AA000-memory.dmp

memory/2576-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-6-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-9-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-10-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-11-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2576-14-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-16-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1456-17-0x00000000745A0000-0x0000000074C8E000-memory.dmp

memory/2576-20-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-21-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-23-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-22-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-26-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-27-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-29-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2576-30-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2576-31-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-32-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-33-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-35-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-38-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-39-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-43-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2576-44-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2576-45-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-46-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-49-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-51-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-52-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-53-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1276-56-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-58-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-60-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-64-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-66-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-68-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-69-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1276-67-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2576-70-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1276-118-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\f9be9104\plg\E1BbseDv.json

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2576-120-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-121-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2576-124-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 18e07c4772a2687ee06a434ffef9572f
SHA1 ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512 8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 18e07c4772a2687ee06a434ffef9572f
SHA1 ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512 8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

memory/2272-129-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2272-130-0x00000000008B0000-0x000000000104E000-memory.dmp

memory/2272-131-0x00000000050A0000-0x00000000050E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 18e07c4772a2687ee06a434ffef9572f
SHA1 ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512 8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

memory/2272-147-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/1832-152-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 18e07c4772a2687ee06a434ffef9572f
SHA1 ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512 8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

memory/2992-174-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2992-175-0x00000000012A0000-0x0000000001A3E000-memory.dmp

memory/2992-176-0x0000000001230000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Roaming\state\state.exe

MD5 18e07c4772a2687ee06a434ffef9572f
SHA1 ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256 ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512 8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

memory/2992-197-0x00000000740C0000-0x00000000747AE000-memory.dmp