bitrat | 0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

Analysis

max time kernel
397s
max time network
421s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

3.8MB
MD5

d5cad087973fab0104f92810bbf16871
SHA1

ced93e48beea62c6e444cdb8ae5ea2fbed72085d
SHA256

0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9
SHA512

1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/JmlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat xenarmor collection password persistence recovery spyware stealer trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

soon-lp.at.ply.gg:17209

Attributes

communication_password
33d47f3d76b1b6a91406c01ef0ce5164
install_dir
BIRAT
install_file
svchost
tor_process
Tls_Connect

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0002000000022c9a-189.dat	acprotect
behavioral2/files/0x0002000000022c9a-190.dat	acprotect
behavioral2/files/0x000600000002317e-456.dat	acprotect
behavioral2/files/0x000600000002317e-458.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
1028	svchost
4692	svchost
3136	svchost
2128	svchost
808	svchost

Loads dropped DLL 2 IoCs

pid	Process
3136	svchost
808	svchost

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1028-138-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/1028-140-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/1028-142-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/1028-143-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/1028-144-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/1028-147-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral2/memory/4692-156-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4692-159-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4692-160-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4692-191-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/4692-254-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2128-457-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2128-503-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost\ue800"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost관"	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost䀀"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost준"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 1028	1916	stub.exe	96
PID 1916 set thread context of 4692	1916	stub.exe	101
PID 4692 set thread context of 3136	4692	svchost	102
PID 1916 set thread context of 2128	1916	stub.exe	119
PID 2128 set thread context of 808	2128	svchost	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267418985944121"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1028	svchost
1028	svchost
1916	stub.exe
1916	stub.exe
3136	svchost
3136	svchost
1776	chrome.exe
1776	chrome.exe
808	svchost
808	svchost

Suspicious behavior: RenamesItself 64 IoCs

pid	Process
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe
1916	stub.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1916	stub.exe
Token: SeDebugPrivilege	1028	svchost
Token: SeImpersonatePrivilege	1028	svchost
Token: SeSecurityPrivilege	1028	svchost
Token: SeDebugPrivilege	1028	svchost
Token: SeBackupPrivilege	1028	svchost
Token: SeRestorePrivilege	1028	svchost
Token: SeDebugPrivilege	3136	svchost
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe
Token: SeShutdownPrivilege	1776	chrome.exe
Token: SeCreatePagefilePrivilege	1776	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe
1776	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	stub.exe
1916	stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1028	1916	stub.exe	96
PID 1916 wrote to memory of 1776	1916	stub.exe	99
PID 1916 wrote to memory of 1776	1916	stub.exe	99
PID 1776 wrote to memory of 972	1776	chrome.exe	100
PID 1776 wrote to memory of 972	1776	chrome.exe	100
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 1916 wrote to memory of 4692	1916	stub.exe	101
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 4692 wrote to memory of 3136	4692	svchost	102
PID 1776 wrote to memory of 4212	1776	chrome.exe	104
PID 1776 wrote to memory of 4212	1776	chrome.exe	104
PID 1776 wrote to memory of 4688	1776	chrome.exe	105
PID 1776 wrote to memory of 4688	1776	chrome.exe	105
PID 1776 wrote to memory of 2560	1776	chrome.exe	106
PID 1776 wrote to memory of 2560	1776	chrome.exe	106
PID 1776 wrote to memory of 3232	1776	chrome.exe	108
PID 1776 wrote to memory of 3232	1776	chrome.exe	108
PID 1776 wrote to memory of 2308	1776	chrome.exe	107
PID 1776 wrote to memory of 2308	1776	chrome.exe	107
PID 1776 wrote to memory of 4032	1776	chrome.exe	109
PID 1776 wrote to memory of 4032	1776	chrome.exe	109
PID 1776 wrote to memory of 4364	1776	chrome.exe	111
PID 1776 wrote to memory of 4364	1776	chrome.exe	111
PID 1776 wrote to memory of 2372	1776	chrome.exe	112
PID 1776 wrote to memory of 2372	1776	chrome.exe	112
PID 1776 wrote to memory of 2196	1776	chrome.exe	113
PID 1776 wrote to memory of 2196	1776	chrome.exe	113
PID 1776 wrote to memory of 3840	1776	chrome.exe	115
PID 1776 wrote to memory of 3840	1776	chrome.exe	115
PID 1776 wrote to memory of 2348	1776	chrome.exe	114
PID 1776 wrote to memory of 2348	1776	chrome.exe	114
PID 1776 wrote to memory of 1820	1776	chrome.exe	116
PID 1776 wrote to memory of 1820	1776	chrome.exe	116
PID 1776 wrote to memory of 1564	1776	chrome.exe	117
PID 1776 wrote to memory of 1564	1776	chrome.exe	117
PID 1776 wrote to memory of 4360	1776	chrome.exe	118
PID 1776 wrote to memory of 4360	1776	chrome.exe	118
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119
PID 1916 wrote to memory of 2128	1916	stub.exe	119

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\BIRAT\svchost
  -c -o "C:\Users\Admin\AppData\Local\c8ee2ae3\plg\M99d7XKj.xml"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  --profile-directory=Default --no-first-run --run-without-sandbox-for-testing --no-default-browser-check --enable-native-gpu-memory-buffers --no-sandbox --ash-force-desktop --allow-no-sandbox-job --use-gl=desktop --noerrdialogs --log-level=0 --test-type --disable-gpu-sandbox --new-window about:blank
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff10609758,0x7fff10609768,0x7fff10609778
    3⤵
    PID:972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --log-level=0 --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=desktop --log-level=0 --mojo-platform-channel-handle=1776 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:2
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=2028 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=1796 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:2560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --no-sandbox --log-level=0 --test-type --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2736 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --no-sandbox --log-level=0 --test-type --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2708 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --log-level=0 --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=desktop --log-level=0 --mojo-platform-channel-handle=3124 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:2
    3⤵
    PID:4032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --log-level=0 --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-level=0 --mojo-platform-channel-handle=3152 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:2
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --no-sandbox --log-level=0 --test-type --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4156 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:1
    3⤵
    PID:2372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --no-sandbox --log-level=0 --test-type --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4396 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:1
    3⤵
    PID:2196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=4480 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:2348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=4468 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:3840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=4720 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:1820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=4740 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:1564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --log-level=0 --use-gl=desktop --noerrdialogs --log-level=0 --mojo-platform-channel-handle=4716 --field-trial-handle=1788,i,10503282310473470597,9845376440604629999,131072 /prefetch:8
    3⤵
    PID:4360
- C:\Users\Admin\AppData\Local\BIRAT\svchost
  -a "C:\Users\Admin\AppData\Local\c8ee2ae3\plg\AsXsOrOg.json"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\BIRAT\svchost
    -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Users\Admin\AppData\Local\BIRAT\svchost
  -a "C:\Users\Admin\AppData\Local\c8ee2ae3\plg\k6P5JSRD.json"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2128
- - C:\Users\Admin\AppData\Local\BIRAT\svchost
    -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Suspicious behavior: EnumeratesProcesses
    PID:808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BIRAT\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\License.XenArmor

Filesize
104B

MD5
4f3bde9212e17ef18226866d6ac739b6

SHA1
732733bec8314beb81437e60876ffa75e72ae6cd

SHA256
212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

SHA512
10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\License.XenArmor

Filesize
104B

MD5
bf5da170f7c9a8eae88d1cb1a191ff80

SHA1
dd1b991a1b03587a5d1edc94e919a2070e325610

SHA256
e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

SHA512
9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\Unknown.dll

Filesize
793KB

MD5
86114faba7e1ec4a667d2bcb2e23f024

SHA1
670df6e1ba1dc6bece046e8b2e573dd36748245e

SHA256
568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

SHA512
d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\svchost

Filesize
3.8MB

MD5
d5cad087973fab0104f92810bbf16871

SHA1
ced93e48beea62c6e444cdb8ae5ea2fbed72085d

SHA256
0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

SHA512
1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\svchost

Filesize
3.8MB

MD5
d5cad087973fab0104f92810bbf16871

SHA1
ced93e48beea62c6e444cdb8ae5ea2fbed72085d

SHA256
0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

SHA512
1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\svchost

Filesize
3.8MB

MD5
d5cad087973fab0104f92810bbf16871

SHA1
ced93e48beea62c6e444cdb8ae5ea2fbed72085d

SHA256
0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

SHA512
1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\svchost

Filesize
3.8MB

MD5
d5cad087973fab0104f92810bbf16871

SHA1
ced93e48beea62c6e444cdb8ae5ea2fbed72085d

SHA256
0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

SHA512
1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b

Download Submit
C:\Users\Admin\AppData\Local\BIRAT\svchost

Filesize
3.8MB

MD5
d5cad087973fab0104f92810bbf16871

SHA1
ced93e48beea62c6e444cdb8ae5ea2fbed72085d

SHA256
0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9

SHA512
1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
86b8113a40c6ff8b29fb0dc4ba2ff5c7

SHA1
fba210bdf7713ffaa2be3b59f0183db4814e744d

SHA256
8f4f2d11457895db719d7da07cb739bf44b47d54782b3e57871b0a626388195b

SHA512
3a4de4f2b8d7069de6c31e2ae23072de5507968d927d8f79d73d77c76679013f905afa06bfe73e070d92f8c2bf078763fb43dee2ee6018866af709e87ccf06fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
c907cbff1f108df605028b3f155edfcd

SHA1
7aa2e6697f43b97fc059b76823098b7a792e2fd9

SHA256
644f911865d311eb90b1bcb1539549e7f7913fa11b9692ffde3b0fde31593c82

SHA512
ba1bcc269accb304c51da13b2085c226f4a17f7f28ea01079c810d290842b7e73686067b102318056165b35461f3e7d9d532fc12ae6e3230e7d4ca244645b44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0d67efdfd210c160c79ba2ed3cdcbb13

SHA1
fd418397903a7f4d4a12805d4c9f2e03a8d06742

SHA256
e5b0be4e4fad084e2354ed0f62d383c1a2184aaf23f1ed5d65de81d565985cd0

SHA512
5f2845429fc80f2c54e13782a8eddc92dada244a18c09f5f58c8542b44c3775aa27d52d2c320b3304f21ee273401a81daca6b9f96033771250fb9490100bea2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0df378e517b44e7676bfecc8a5cbce9d

SHA1
b1d4f00a9b56722d3c960ef8b5da87713e867366

SHA256
35f9959ec189d92f380b4a3340ff91aafe2b66af70ba96f8e7b8aa4b8b885881

SHA512
62017f185395356ec7816b9ebc9031f68b249037ae275f7f1695528457f5111ce75a7b68404af67a888dd54abc753355a3be785fb9e710aab3f4034e12115e97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9054db0559532068dc1442a0959012b7

SHA1
22f07dead1d66ecc9da9729fc5130f1be84603e2

SHA256
82be0435d5828f7b1503ad467ed21be75eb0d3db59213cf4bcbb5c40464c7c62

SHA512
235d29a7165445907d4964285b6e63e49374800ff533060ea4cf8a7d8972cf1bf3e4d0401780dfcd9dba66e8182a12900af8e2f7179ad724a8e1bc2c6163a3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fe1182e34270fb9b110995d3cbeb1d2

SHA1
aaaff46e2fff3427d3a30058be762e38db73624e

SHA256
9ce5d144c1e288dcecf2a36fad5f154952d06eebecfb0916543644dc1e3e7bbe

SHA512
1bbe02690a2bc88a06035239b0eb59b8fd3dc21f26cb00b5f00c0c3cca8b52bfbb76aa0387a4bf24fd2a7276ec6bf88bac65073d5f0ff0e904214635d81fe5f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6790b02c6b446e359aa25537a492d010

SHA1
299c642ce5c555d6217f097e99e5a985fb6c5e07

SHA256
1854afc4410191bada91647c96fff97c372e35ea7eaea52fa303cf2a1e988071

SHA512
560ae2fd4c1df5cc8914134610a8bbdfb3ba5548d1a25da7842935505a54b42c9b8c6bd46cbcce34940d6e1f48d475e66e9491cc8e678c759162ccdca5e4a135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8572be53b8533e086a3718de020c553

SHA1
48a2aadaf170d9cf1fe480632d8d8171f84350f0

SHA256
e56122a5ede0f8e9e6c03d520a4385c210708fac83f9064b56effa511771c319

SHA512
a975b2619a1f8b243f284baedb1106ca94c32b643587f0419059ce19366b5ba0290330602b80fe5f313d13a32a5a37ca7eb081b10d21ba9373fdcaa44b5b03d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
8048b1ec9ec6e60317af99a9ac3f86bb

SHA1
b117111d990e0751783d0ef826cd4012adbd275a

SHA256
49d28f06a7c338838ec062c56b2e24ed213ed7eb22225869931e87bb837cd36f

SHA512
a70451a9e5dd31cbcf94ea29374b042c605981f30fa5c84aeac04605381e345ef5773745485fe8bc2c3b1eaefb5e05bfefe08e794d1bcf2f73de1d4f6d81d5e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
8772fb554e4efb5cb4fa74d8af8aa9af

SHA1
5e4513570f07517f7f4cad431ebd8f04e452030c

SHA256
c50488a778cf49ae966181b3c474f20ed03030d0b8e29e3ddff940dc9caf0025

SHA512
499f274bc9cd79360a4f4caca48d433d2ce367dd26ca801ce82aaa0a26186ef6c3dff2affdeb6ad645f9629d5f48497240577c4c9001c9e2479127597dca186c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
8bf22ae2bf2b84a2dc88b22c44d5447c

SHA1
08f866fe304984568b1c4c8b8af7c5ec37dcfdbd

SHA256
8a6198d4b6329c493ce72efb9a2480892640e30e3fbe13d4c8da649d879feadf

SHA512
211b139e7e4f036ccc272e0d97a5ba4c47d1aa0991b32ab482ba4c387e36c5a6db9e417b4a1afea4fee2161aeecd7b6f11406346e83a8802f6cbc3915596f28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
8772fb554e4efb5cb4fa74d8af8aa9af

SHA1
5e4513570f07517f7f4cad431ebd8f04e452030c

SHA256
c50488a778cf49ae966181b3c474f20ed03030d0b8e29e3ddff940dc9caf0025

SHA512
499f274bc9cd79360a4f4caca48d433d2ce367dd26ca801ce82aaa0a26186ef6c3dff2affdeb6ad645f9629d5f48497240577c4c9001c9e2479127597dca186c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\Temp\unk.xml

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\c8ee2ae3\plg\AsXsOrOg.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\c8ee2ae3\plg\M99d7XKj.xml

Filesize
7KB

MD5
e095fafc4af8b0296fbfe63119be460b

SHA1
d53dec46bdf7a7398dac7f7a9c871765d35ca1cf

SHA256
29b5b1bc0ffd86949a3f0241c1fee1965e82ceb4d3e9afae181bd2b934bf1038

SHA512
96914ad33025b70cb1cc68358a573a4533409cf508b14ea2354eea4615b1b496aff5ef22455bce0d21182847c0809bc2dc0f051beee8cf96b39e44f726d1eb62

Download Submit
C:\Users\Admin\AppData\Local\c8ee2ae3\plg\k6P5JSRD.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
C:\Users\Admin\AppData\Local\c8ee2ae3\plg\k6P5JSRD.json

Filesize
1KB

MD5
ce3e2f5f04eff81b3b7130a90a8e3a6e

SHA1
fe9ac39d1db0a28aeef54741003d3f639125dc1c

SHA256
b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631

SHA512
8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

Download Submit
memory/808-459-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/808-479-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/808-477-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/808-475-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/808-454-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/808-455-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1028-138-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1028-143-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1028-142-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1028-140-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1028-144-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1028-147-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1916-150-0x0000000074C00000-0x0000000074C39000-memory.dmp

Filesize
228KB

Download
memory/1916-257-0x0000000073B20000-0x0000000073B59000-memory.dmp

Filesize
228KB

Download
memory/1916-149-0x0000000074F40000-0x0000000074F79000-memory.dmp

Filesize
228KB

Download
memory/1916-151-0x0000000073B20000-0x0000000073B59000-memory.dmp

Filesize
228KB

Download
memory/1916-134-0x0000000074F40000-0x0000000074F79000-memory.dmp

Filesize
228KB

Download
memory/1916-135-0x0000000074C00000-0x0000000074C39000-memory.dmp

Filesize
228KB

Download
memory/1916-133-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2128-503-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2128-457-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3136-188-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3136-187-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3136-215-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/3136-186-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3136-193-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3136-184-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/3136-220-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/3136-217-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/4692-191-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4692-254-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4692-160-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4692-159-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4692-156-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download