bitrat | 3d464460a5eca975b045bdf92d3cc2952047279a06a7d618c6ea2c8b66ddce2c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-06-2022 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf528c6e9dcc6876871abd209ae90a8.exe
Size

3.8MB
MD5

aaf528c6e9dcc6876871abd209ae90a8
SHA1

9f6392d28cdf543b5508ce7e86f0dc26df53cc0c
SHA256

3d464460a5eca975b045bdf92d3cc2952047279a06a7d618c6ea2c8b66ddce2c
SHA512

11452d10f571800290880696695f4cadcf979558dc096df25f3b2f57622a62571b8836780c48f00989578c1d6ad7ee9f77dd7485115e7e221f5e245b43ae34ca

Score

10^/10

bitrat xenarmor xmrig collection miner password persistence recovery spyware stealer suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

connect.holix.de:8700

Attributes

communication_password
2011af5a2285a618daf8125dd3fd296e
install_dir
Microsoft
install_file
SignatureUpdate.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Unknown.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\Unknown.dll	acprotect

Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

46f012e663ebbbf8ad5384a54dbf3c07.exe46f012e663ebbbf8ad5384a54dbf3c07.exe

pid process

4168 46f012e663ebbbf8ad5384a54dbf3c07.exe
3044 46f012e663ebbbf8ad5384a54dbf3c07.exe

pid	process
4168	46f012e663ebbbf8ad5384a54dbf3c07.exe
3044	46f012e663ebbbf8ad5384a54dbf3c07.exe

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3044-175-0x0000000000400000-0x0000000000A97000-memory.dmp	xmrig
behavioral2/memory/3044-177-0x0000000000400000-0x0000000000A97000-memory.dmp	xmrig
behavioral2/memory/3044-181-0x0000000000400000-0x0000000000A97000-memory.dmp	xmrig

Executes dropped EXE 5 IoCs

Processes:

SignatureUpdate.exeFwg2Hg7Y.exeFwg2Hg7Y.exe46f012e663ebbbf8ad5384a54dbf3c07.exe46f012e663ebbbf8ad5384a54dbf3c07.exe

pid process

4432 SignatureUpdate.exe
4936 Fwg2Hg7Y.exe
4504 Fwg2Hg7Y.exe
4168 46f012e663ebbbf8ad5384a54dbf3c07.exe
3044 46f012e663ebbbf8ad5384a54dbf3c07.exe

pid	process
4432	SignatureUpdate.exe
4936	Fwg2Hg7Y.exe
4504	Fwg2Hg7Y.exe
4168	46f012e663ebbbf8ad5384a54dbf3c07.exe
3044	46f012e663ebbbf8ad5384a54dbf3c07.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4936-138-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4936-142-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4936-143-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4936-144-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4936-146-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4936-162-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/3044-168-0x0000000000400000-0x0000000000A97000-memory.dmp	upx
behavioral2/memory/3044-172-0x0000000000400000-0x0000000000A97000-memory.dmp	upx
behavioral2/memory/3044-173-0x0000000000400000-0x0000000000A97000-memory.dmp	upx
behavioral2/memory/3044-175-0x0000000000400000-0x0000000000A97000-memory.dmp	upx
behavioral2/memory/3044-177-0x0000000000400000-0x0000000000A97000-memory.dmp	upx
behavioral2/memory/3044-181-0x0000000000400000-0x0000000000A97000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SignatureUpdate.exeaaf528c6e9dcc6876871abd209ae90a8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SignatureUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	aaf528c6e9dcc6876871abd209ae90a8.exe

Loads dropped DLL 1 IoCs

Processes:

Fwg2Hg7Y.exe

pid process

4504 Fwg2Hg7Y.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4504	Fwg2Hg7Y.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

Fwg2Hg7Y.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Fwg2Hg7Y.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SignatureUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SignatureUpdate.exe"	aaf528c6e9dcc6876871abd209ae90a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SignatureUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SignatureUpdate.exe"	SignatureUpdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exe

pid	process
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SignatureUpdate.exeFwg2Hg7Y.exe46f012e663ebbbf8ad5384a54dbf3c07.exe

description	pid	process	target process
PID 4432 set thread context of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4936 set thread context of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4168 set thread context of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open\command	aaf528c6e9dcc6876871abd209ae90a8.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open	aaf528c6e9dcc6876871abd209ae90a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SignatureUpdate.exe -uac 4644"	aaf528c6e9dcc6876871abd209ae90a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open\command\DelegateExecute	aaf528c6e9dcc6876871abd209ae90a8.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	aaf528c6e9dcc6876871abd209ae90a8.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell	aaf528c6e9dcc6876871abd209ae90a8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open\command	SignatureUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell\open	SignatureUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\shell	SignatureUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings	SignatureUpdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Fwg2Hg7Y.exe

pid process

4504 Fwg2Hg7Y.exe
4504 Fwg2Hg7Y.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
4504	Fwg2Hg7Y.exe
4504	Fwg2Hg7Y.exe

pid	process
668

Suspicious behavior: RenamesItself 29 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exe

pid	process
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4644	aaf528c6e9dcc6876871abd209ae90a8.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe
4432	SignatureUpdate.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exeFwg2Hg7Y.exe46f012e663ebbbf8ad5384a54dbf3c07.exe

description	pid	process
Token: SeShutdownPrivilege	4644	aaf528c6e9dcc6876871abd209ae90a8.exe
Token: SeShutdownPrivilege	4432	SignatureUpdate.exe
Token: SeDebugPrivilege	4504	Fwg2Hg7Y.exe
Token: SeLockMemoryPrivilege	3044	46f012e663ebbbf8ad5384a54dbf3c07.exe
Token: SeLockMemoryPrivilege	3044	46f012e663ebbbf8ad5384a54dbf3c07.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exeSignatureUpdate.exe

pid process

4644 aaf528c6e9dcc6876871abd209ae90a8.exe
4644 aaf528c6e9dcc6876871abd209ae90a8.exe
4432 SignatureUpdate.exe
4432 SignatureUpdate.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

aaf528c6e9dcc6876871abd209ae90a8.exefodhelper.exeSignatureUpdate.exeFwg2Hg7Y.exe46f012e663ebbbf8ad5384a54dbf3c07.exe

description	pid	process	target process
PID 4644 wrote to memory of 980	4644	aaf528c6e9dcc6876871abd209ae90a8.exe	fodhelper.exe
PID 4644 wrote to memory of 980	4644	aaf528c6e9dcc6876871abd209ae90a8.exe	fodhelper.exe
PID 980 wrote to memory of 4432	980	fodhelper.exe	SignatureUpdate.exe
PID 980 wrote to memory of 4432	980	fodhelper.exe	SignatureUpdate.exe
PID 980 wrote to memory of 4432	980	fodhelper.exe	SignatureUpdate.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4936	4432	SignatureUpdate.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4936 wrote to memory of 4504	4936	Fwg2Hg7Y.exe	Fwg2Hg7Y.exe
PID 4432 wrote to memory of 4168	4432	SignatureUpdate.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4432 wrote to memory of 4168	4432	SignatureUpdate.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe
PID 4168 wrote to memory of 3044	4168	46f012e663ebbbf8ad5384a54dbf3c07.exe	46f012e663ebbbf8ad5384a54dbf3c07.exe

C:\Users\Admin\AppData\Local\Temp\aaf528c6e9dcc6876871abd209ae90a8.exe
"C:\Users\Admin\AppData\Local\Temp\aaf528c6e9dcc6876871abd209ae90a8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Microsoft\SignatureUpdate.exe
"C:\Users\Admin\AppData\Local\Microsoft\SignatureUpdate.exe" -uac 4644
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\Fwg2Hg7Y.exe
-a "C:\Users\Admin\AppData\Local\13c0cab3\plg\Ba3Rvrul.json"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\Fwg2Hg7Y.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe
"C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe" C:\Users\Admin\AppData\Local\13c0cab3\plg\pid;C:\Users\Admin\AppData\Local\13c0cab3\plg\030b035f9e92c83d23adf57e8127be75.enc; -a rx/0 -o stratum+tcp://randomxmonero.auto.nicehash.com:9200 -u 3D26u983xGKYFMVnQugcky8fVvkm2aEVWe.Bit --nicehash --keepalive --donate-level=1 -l "C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat" --background --print-time=5
4⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe
-a rx/0 -o stratum+tcp://randomxmonero.auto.nicehash.com:9200 -u 3D26u983xGKYFMVnQugcky8fVvkm2aEVWe.Bit --nicehash --keepalive --donate-level=1 -l "C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat" --background --print-time=5
5⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\13c0cab3\plg\030b035f9e92c83d23adf57e8127be75.enc
Filesize
1.0MB

MD5
030b035f9e92c83d23adf57e8127be75

SHA1
44b70520fd6c4c03dfc205d6e6a53ce9e45190fb

SHA256
88f67f5d48c54fef371acd4822463b1f3de03bad761b185921c7cce4133685da

SHA512
19e17e6d5f99d114e1de0ab0c564513f21a3f19bb0cbe4690b877a876097e4b65cf727f76185b900deff1573dcdf539ef4d8e5e9dbbb8b192770bbbeaa4ed77c

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe
Filesize
235KB

MD5
d80a87517bdb38c1daff017ec52b733a

SHA1
bac7da7598d615cdfaadf78f3f9f69f2155ac428

SHA256
aa7ca8da0004c776eaf5601269626ccb14ac8f7ef0ce91103b34440016ff30f7

SHA512
134778998690e676d1a523ee0789a992affa0b539acb08148b7289343ff51b0c6270b5daa758fa1a24a30dfafb1a7c40ea1face3b8472483af8c26939158a5c1

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe
Filesize
235KB

MD5
d80a87517bdb38c1daff017ec52b733a

SHA1
bac7da7598d615cdfaadf78f3f9f69f2155ac428

SHA256
aa7ca8da0004c776eaf5601269626ccb14ac8f7ef0ce91103b34440016ff30f7

SHA512
134778998690e676d1a523ee0789a992affa0b539acb08148b7289343ff51b0c6270b5daa758fa1a24a30dfafb1a7c40ea1face3b8472483af8c26939158a5c1

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\46f012e663ebbbf8ad5384a54dbf3c07.exe
Filesize
235KB

MD5
d80a87517bdb38c1daff017ec52b733a

SHA1
bac7da7598d615cdfaadf78f3f9f69f2155ac428

SHA256
aa7ca8da0004c776eaf5601269626ccb14ac8f7ef0ce91103b34440016ff30f7

SHA512
134778998690e676d1a523ee0789a992affa0b539acb08148b7289343ff51b0c6270b5daa758fa1a24a30dfafb1a7c40ea1face3b8472483af8c26939158a5c1

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\Ba3Rvrul.json
Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
d560ba70dfcdee845dde7938b368817a

SHA1
04b5670213ffcce06df9f59229dd39159ae72346

SHA256
6d3587d5cda86bc23040d41df7e07106bf819a09a3adf4939cf6290093798ebd

SHA512
540c41dfb0ce7ab6e7284102723934f9d1b29f5fe1640c2e91b1d887a7a93cf575d95e26f9506b414387f6040d426cf0f94f176a383647d682ac6733e148d51f

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
3170b5f83d327e071f8f45fa02a7b013

SHA1
0373beff42f71b202671962810c7383916a97eed

SHA256
2ed6a83b47bafd6efedc13a3051e398300d5f8b30039a240309c358e8b9e5099

SHA512
3c8a05326f7773134d6cba5094fa30508dfbe8b38ca851390004cc45f1d5347cada69cd349931de40e2780b6b5511ebce582b7a6f4d7246eaa71ffbe68786000

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
6206792de954aec3149ffd2bb91efb79

SHA1
f92c7bf6098693056a8a8df41032290dfbadb4ee

SHA256
b80e74c90758f04dcd775d4294e79761fae73870024edf405a888e41aa98c374

SHA512
291ada29692bcedd5771172c857b55c27600747e940905c01a62c148ab819e2592c51ca4a868649a892b1aa0f054161465789713916bd8cff5eef7498191e809

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
6206792de954aec3149ffd2bb91efb79

SHA1
f92c7bf6098693056a8a8df41032290dfbadb4ee

SHA256
b80e74c90758f04dcd775d4294e79761fae73870024edf405a888e41aa98c374

SHA512
291ada29692bcedd5771172c857b55c27600747e940905c01a62c148ab819e2592c51ca4a868649a892b1aa0f054161465789713916bd8cff5eef7498191e809

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
207031feeeed672d8d1dabe128d3b474

SHA1
31ab423b9a0958f1a74387ec134417837e28be8d

SHA256
e0f47548fbcce77d0f7787728225fcb239a78ea6f0e2acb014b210a4abe23157

SHA512
dbbbe5f5250c70930f2b45afa084e54b147c17c9c8ce705c7d8b2ffd8a6afc4f42058270cdd9c9fcca6ec2c6ec029a94aa383a34e5218658be4b25c2c4ddb1c2

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
8fb513624dc51c0ba75070ab6484fe0c

SHA1
6ea22e4cecd4c78caa8d034af10132341fcaad61

SHA256
a41699bf31d455f4eb822078a06e2c32afbd3b7a5621418321e36709340fad43

SHA512
d0d5f6ba1cccc1102fe397823cc4e5744b5dfa13c56bc9afb6ab765a0e976bacd248f2ded470a71dc789bdfcf4a1bec819b9e8447f1fac3d439e08aa0c274bea

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
5660301824d9709dd8c5f485df7b0c9e

SHA1
946dcab5426d8d0c624f43b72597dd37eb34d905

SHA256
b8b8a43b8d3b0dfe8ba0526ca0a24b1ae5be7b92fbc121e63c55e0145693df7c

SHA512
124f2a286908945108ddb0023e868e6c1897ea31f629b53c0e0383d1a826024ade265da1ec4d04ce2285e988b790ff7335be8081e970c916543b89eb151ce1d0

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
bebac8a79e86ab872ef5984f34eaeaa0

SHA1
918144ef265095d8ba3e9742bc588d6c7aab0b47

SHA256
b6c50cc91ce3e5928241498652b4fadeb2b33a1d0cd00c89c506ca01ecf21a79

SHA512
c5500abb0726f644bdc0df47dd1cc873f50fa5ad6cd5fb2b70dbf4cbc706ca1b8912901f9f7c7edd63205e237ca4b66ca35ec3ce67bb194404ffcde15ca9de07

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
a36f81ad1db4b9e705faa1b10491da07

SHA1
004389053493fe6cd65437ca328bc3c7ba5dc366

SHA256
83b992228d4f6a4287cbbd22fe0a543bec89e1197b195067a8c9158ef0e7fc3f

SHA512
9f8ad0925097af2de0917c99f3ede31fc70736dc2ddccf4aee6c3f4a0a8d40c2688f41de7027da327c544f56068b953e3b79b61f0891bb954a978c1258c018a0

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pOCErTNdkVqx6kC9.dat
Filesize
1KB

MD5
e750ed3ab994dbf4aa104b554226d5e1

SHA1
b08d3c9b70877adc308b675cdadeb63b80ae7415

SHA256
ca671d83c0f427e5c3769e46d7610bff6f1e6759d4477b93cb74658f4b049e0f

SHA512
d30fc65bfea036ddc77298058c4528795b352b5492864d141680a9a0b2f91f0fea32375b5297e2d72be06ad9efe6fb815c705c153ea9f45de0380e877f6dfeb1

Download Submit
C:\Users\Admin\AppData\Local\13c0cab3\plg\pid
Filesize
4B

MD5
b8af7d0fbf094517781e0382102d7b27

SHA1
9753e686f0a75399ca60ae03442353b4b7862ee2

SHA256
374313d96f3fe2b592fd9c2876e8d7eec40fe8e5fdaef321b3604ea45dc9504e

SHA512
822b8faaec43205fb379995ca1a9d46c269e9a473fa3713be6386f62090258dbe902a33566e43046a2725c3396080fc6ef039c64e00fe91a087d185a82913905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\SignatureUpdate.exe
Filesize
3.8MB

MD5
aaf528c6e9dcc6876871abd209ae90a8

SHA1
9f6392d28cdf543b5508ce7e86f0dc26df53cc0c

SHA256
3d464460a5eca975b045bdf92d3cc2952047279a06a7d618c6ea2c8b66ddce2c

SHA512
11452d10f571800290880696695f4cadcf979558dc096df25f3b2f57622a62571b8836780c48f00989578c1d6ad7ee9f77dd7485115e7e221f5e245b43ae34ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwg2Hg7Y.exe
Filesize
402B

MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwg2Hg7Y.exe
Filesize
402B

MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwg2Hg7Y.exe
Filesize
402B

MD5
ca42e05f9d53c7ec9383307c1ea282bb

SHA1
ed0efa1b59b461dcda08121a39411bee72f6b4cb

SHA256
63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade

SHA512
4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml
Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
memory/980-132-0x0000000000000000-mapping.dmp

Download
memory/3044-178-0x0000000000B70000-0x0000000000B90000-memory.dmp

Filesize
128KB

Download
memory/3044-175-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/3044-176-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/3044-191-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/3044-192-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/3044-177-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/3044-173-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/3044-172-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/3044-185-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/3044-186-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/3044-169-0x0000000000A95110-mapping.dmp

Download
memory/3044-168-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/3044-181-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/4168-164-0x0000000000000000-mapping.dmp

Download
memory/4432-135-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/4432-179-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/4432-136-0x0000000074DA0000-0x0000000074DD9000-memory.dmp

Filesize
228KB

Download
memory/4432-133-0x0000000000000000-mapping.dmp

Download
memory/4504-149-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-156-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-158-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-145-0x0000000000000000-mapping.dmp

Download
memory/4504-147-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-157-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/4504-152-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-151-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-159-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/4644-130-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/4644-131-0x0000000074DA0000-0x0000000074DD9000-memory.dmp

Filesize
228KB

Download
memory/4936-142-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4936-138-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4936-137-0x0000000000000000-mapping.dmp

Download
memory/4936-143-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4936-162-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4936-144-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4936-146-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download