Malware Analysis Report

2025-01-03 05:14

Sample ID 221201-sknjrsed91
Target 311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c
SHA256 311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c
Tags
bitrat xenarmor collection password persistence recovery spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c

Threat Level: Known bad

The file 311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c was found to be: Known bad.

Malicious Activity Summary

bitrat xenarmor collection password persistence recovery spyware stealer trojan upx

XenArmor Suite

BitRAT

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Checks computer location settings

Reads local data of messenger clients

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-01 15:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-01 15:11

Reported

2022-12-01 15:13

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Reads local data of messenger clients

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ajfpl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cagqu\\Ajfpl.exe\"" C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\External C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 400 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1944 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1104 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe

"C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-Date

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

-a "C:\Users\Admin\AppData\Local\707c9a17\plg\CwE6Xkaj.json"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 a.pomf.cat udp
N/A 69.39.225.3:443 a.pomf.cat tcp
N/A 20.189.173.15:443 N/A tcp
N/A 2.18.109.224:443 N/A tcp
N/A 37.139.128.233:3569 N/A tcp
N/A 37.139.128.233:3569 N/A tcp
N/A 8.8.8.8:53 www.xenarmor.com udp
N/A 69.64.94.128:80 www.xenarmor.com tcp
N/A 37.139.128.233:3569 N/A tcp

Files

memory/400-132-0x0000000000340000-0x0000000000356000-memory.dmp

memory/400-133-0x0000000005210000-0x00000000057B4000-memory.dmp

memory/2348-134-0x0000000000000000-mapping.dmp

memory/2348-135-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

memory/400-136-0x0000000005A20000-0x0000000005AB2000-memory.dmp

memory/2348-137-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/2348-138-0x00000000055D0000-0x00000000055F2000-memory.dmp

memory/2348-139-0x0000000005DE0000-0x0000000005E46000-memory.dmp

memory/2348-140-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/400-141-0x0000000005A10000-0x0000000005A1A000-memory.dmp

memory/2348-142-0x0000000005340000-0x000000000535E000-memory.dmp

memory/2348-143-0x0000000007CB0000-0x000000000832A000-memory.dmp

memory/2348-144-0x0000000006A70000-0x0000000006A8A000-memory.dmp

memory/4584-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e57283afa46563c60c53dc103abd8e98
SHA1 1e1b5107870820c613e78cb6e74255dd048f63bd
SHA256 41a77c3e4d60ee39c69fd15cdb6f6e77ec95c6ac51bb10674be5f330498b3ae9
SHA512 ffdddc29857ddf461681412d9bec5c0d4231eb695d66fbfc8a61a02f71526473c56ea090f2aaf77bd6b2da8c04aa7ea07899555b738ddd02223d1426601e9696

memory/1944-148-0x0000000000000000-mapping.dmp

memory/1944-149-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1944-151-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1944-150-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1944-152-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1944-153-0x00000000750E0000-0x0000000075119000-memory.dmp

memory/1944-154-0x0000000075460000-0x0000000075499000-memory.dmp

memory/1944-155-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1104-156-0x0000000000000000-mapping.dmp

memory/1104-157-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1104-159-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1104-160-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3172-161-0x0000000000000000-mapping.dmp

memory/3172-162-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3172-163-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3172-164-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3172-165-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

memory/1104-168-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3172-170-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/3172-171-0x0000000010000000-0x0000000010227000-memory.dmp

memory/3172-173-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3172-172-0x0000000010000000-0x0000000010227000-memory.dmp

memory/1104-176-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 2839088c337f35edbce9721dddc514e3
SHA1 54e573718f2579b31d7fb8edd7b1e42f005e857f
SHA256 83086b306de7176597d26be3ffa5f8852b0238e5ed8880374512dc6c697a75ce
SHA512 4f47cc8de0c1bbf04c7a337bd4e52f33cf400f6a421908623806461b0a3b5488b57fb1bed8462e7e7f7037482f6ec451f8e6836867168b1f5c5d3d3ecadd2d48

C:\Users\Admin\AppData\Local\707c9a17\plg\CwE6Xkaj.json

MD5 2839088c337f35edbce9721dddc514e3
SHA1 54e573718f2579b31d7fb8edd7b1e42f005e857f
SHA256 83086b306de7176597d26be3ffa5f8852b0238e5ed8880374512dc6c697a75ce
SHA512 4f47cc8de0c1bbf04c7a337bd4e52f33cf400f6a421908623806461b0a3b5488b57fb1bed8462e7e7f7037482f6ec451f8e6836867168b1f5c5d3d3ecadd2d48

memory/1944-178-0x00000000750E0000-0x0000000075119000-memory.dmp

memory/1944-179-0x0000000075460000-0x0000000075499000-memory.dmp