Malware Analysis Report

2025-01-03 05:30

Sample ID 230916-b5j9eagb9y
Target 6d4c3a4ff3637ec34f820172f897d476.bin
SHA256 91b808215c26b4b5cc6fedb6de78daa6b3a1bc0c5dfa20870bca2300905d70ba
Tags
bitrat xenarmor collection password recovery spyware stealer trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

91b808215c26b4b5cc6fedb6de78daa6b3a1bc0c5dfa20870bca2300905d70ba

Threat Level: Known bad

The file 6d4c3a4ff3637ec34f820172f897d476.bin was found to be: Known bad.

Malicious Activity Summary

bitrat xenarmor collection password recovery spyware stealer trojan upx

XenArmor Suite

BitRAT

Executes dropped EXE

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Reads data files stored by FTP clients

UPX packed file

Reads user/profile data of local email clients

Reads local data of messenger clients

Accesses Microsoft Outlook accounts

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-16 01:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-16 01:43

Reported

2023-09-16 01:46

Platform

win7-20230831-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2876 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2900 wrote to memory of 588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2900 wrote to memory of 588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2900 wrote to memory of 588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 588 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2616 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2616 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 2616 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\system32\taskeng.exe

taskeng.exe {2523C91C-724C-4E47-BEBE-EFF720834179} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\5hG1wvq5.json"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

Network

Country Destination Domain Proto
NL 185.225.75.68:3569 N/A tcp
NL 185.225.75.68:3569 N/A tcp
US 8.8.8.8:53 www.xenarmor.com udp
US 69.64.94.128:80 www.xenarmor.com tcp
NL 185.225.75.68:3569 N/A tcp

Files

memory/2876-1-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2876-0-0x00000000011E0000-0x00000000015B8000-memory.dmp

memory/2876-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp

memory/2876-3-0x00000000050A0000-0x0000000005468000-memory.dmp

memory/2616-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-6-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-10-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-12-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-14-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2616-18-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-20-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2876-21-0x0000000074000000-0x00000000746EE000-memory.dmp

memory/2616-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-26-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-30-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-29-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-31-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-32-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-33-0x0000000000150000-0x000000000015A000-memory.dmp

memory/2616-34-0x0000000000150000-0x000000000015A000-memory.dmp

memory/2616-35-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-39-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-40-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-43-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-46-0x0000000000150000-0x000000000015A000-memory.dmp

memory/2616-45-0x0000000000150000-0x000000000015A000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/588-52-0x0000000000AD0000-0x0000000000EA8000-memory.dmp

memory/588-53-0x0000000000A70000-0x0000000000AB0000-memory.dmp

memory/588-51-0x0000000073960000-0x000000007404E000-memory.dmp

memory/2616-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-58-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2616-60-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1928-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/1928-75-0x0000000000430000-0x00000000007FE000-memory.dmp

memory/1928-79-0x0000000000430000-0x00000000007FE000-memory.dmp

memory/588-80-0x0000000073960000-0x000000007404E000-memory.dmp

memory/1928-81-0x0000000000430000-0x00000000007FE000-memory.dmp

memory/2864-104-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1116-141-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

memory/1116-146-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/1116-160-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1116-161-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

memory/2864-185-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\f9be9104\plg\5hG1wvq5.json

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/3028-205-0x0000000073910000-0x0000000073FFE000-memory.dmp

memory/3028-206-0x0000000000160000-0x0000000000538000-memory.dmp

memory/3028-207-0x0000000004D00000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/3028-228-0x0000000073910000-0x0000000073FFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/2288-258-0x0000000004B20000-0x0000000004B60000-memory.dmp

memory/2288-257-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/2288-256-0x0000000000040000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/2288-279-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-16 01:43

Reported

2023-09-16 01:46

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 3668 (1 event) N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe
PID 5064 wrote to memory of 1496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 2316 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 1616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2796 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5084 wrote to memory of 2040 (11 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 5084 wrote to memory of 2600 (3 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 3916 (3 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 4428 (3 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 4920 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2040 wrote to memory of 2148 (3 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Roaming\pint\pint.exe
PID 2040 wrote to memory of 2016 (8 events) N/A C:\Users\Admin\AppData\Roaming\pint\pint.exe C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe
PID 2016 wrote to memory of 8 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe
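
Each of the rows above is one edge of the process tree, so the table can be rebuilt into a graph for triage. The Python below is an added example and is not part of the report or of the sample's tooling: it parses a subset of the rows in the sandbox's one-line-per-WriteProcessMemory-event form (the path constants are the report's own paths, the row subset is constructed from the table), counts writes per parent/child pair, flags targets that run the parent's own image (the pattern that accompanies the SetThreadContext signature) and walks the lineage of every schtasks.exe instance back to the process that launched the chain.

```python
"""Rebuild the process tree from "wrote to memory of" rows.

Added example, not part of the report: the rows are a constructed subset of
the table (one line per event, as the sandbox emits them); the parsing,
counting and lineage logic is mine.
"""
import re
from collections import Counter

# One flattened row: Description | Indicator | Process | Target.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P<indicator>\S+) (?P<parent_image>\S+) (?P<target_image>\S+)$"
)

# Image paths exactly as they appear in the report (none contain spaces).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"
PINT = r"C:\Users\Admin\AppData\Roaming\pint\pint.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed input: a subset of the rows from the table above.
SAMPLE_ROWS = "\n".join([
    f"PID 5064 wrote to memory of 3668 N/A {DROPPER} {DROPPER}",
    f"PID 5064 wrote to memory of 2316 N/A {DROPPER} {CMD}",
    f"PID 5064 wrote to memory of 2316 N/A {DROPPER} {CMD}",
    f"PID 5064 wrote to memory of 2316 N/A {DROPPER} {CMD}",
    f"PID 2316 wrote to memory of 2796 N/A {CMD} {SCHTASKS}",
    f"PID 5084 wrote to memory of 2040 N/A {PINT} {PINT}",
    f"PID 5084 wrote to memory of 2040 N/A {PINT} {PINT}",
    f"PID 2040 wrote to memory of 2016 N/A {PINT} {STAGE2}",
    f"PID 2016 wrote to memory of 8 N/A {STAGE2} {STAGE2}",
])


def parse_rows(text):
    """Parse flattened rows into dicts; an unrecognised line raises so nothing is skipped silently."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append({
            "parent": int(m["parent"]),
            "child": int(m["child"]),
            "parent_image": m["parent_image"],
            "target_image": m["target_image"],
        })
    return events


def write_counts(events):
    """WriteProcessMemory events per (parent, child) pair.

    In the report every cmd.exe child receives the same small number of
    writes; the much larger counts into same-image children are where a
    payload is being written, so the count itself is a triage signal."""
    return Counter((e["parent"], e["child"]) for e in events)


def self_image_targets(events):
    """(parent, child) pairs whose target runs the parent's own image: a child
    of itself being written into, which with SetThreadContext is hollowing."""
    pairs = []
    for e in events:
        pair = (e["parent"], e["child"])
        if e["parent_image"].lower() == e["target_image"].lower() and pair not in pairs:
            pairs.append(pair)
    return pairs


def lineage(events, pid):
    """Walk the write edges upward from pid: [pid, parent, grandparent, ...]."""
    parent_of = {e["child"]: e["parent"] for e in events}
    chain = [pid]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return chain


def schtasks_chains(events):
    """Lineage of every schtasks.exe target, e.g. [2796, 2316, 5064]."""
    targets = []
    for e in events:
        if e["target_image"].lower().endswith("\\schtasks.exe") and e["child"] not in targets:
            targets.append(e["child"])
    return [lineage(events, pid) for pid in targets]


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("writes per pair:", dict(write_counts(evs)))
    print("self-image targets:", self_image_targets(evs))
    print("schtasks lineage:", schtasks_chains(evs))
```

Run on the full table the same functions give 5064 -> 3668, 5084 -> 2040, 2040 -> 2148 and 2016 -> 8 as same-image targets, and two schtasks chains ending at 5064 and 5084, which is the dropper and then the persisted copy each re-running the install routine.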

Processes

Each entry below is an image path followed by the command line it was started with. The dropper creates C:\Users\Admin\AppData\Roaming\pint, copies itself there as pint.exe and registers the task "Nafifas" to run that copy every minute, so pint.exe shows up as several separate instances, each repeating the same mkdir, schtasks and copy steps from the persisted location (hence the copy of pint.exe onto itself). WerFault.exe -p <pid> is the Windows crash handler being invoked for PID 3668 (the first child the dropper wrote into, per the table above) and for PID 1584.

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe

"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3668 -ip 3668

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 188

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Users\Admin\AppData\Roaming\pint\pint.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\fNxDDOJC.json"

C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\fNxDDOJC.json"

C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

C:\Users\Admin\AppData\Roaming\pint\pint.exe

"C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1584 -ip 1584

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 188
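
The mkdir, schtasks and copy triple above is the whole persistence routine, and the schtasks line is what a process-creation log (Sysmon event 1 or Security 4688 with command-line auditing) would carry. The Python below is an added example, not from the report and not the sample's code: it parses a `schtasks /create` command line and flags the combination used here, a repetition interval of a few minutes or less, an action path under a user-writable profile directory, and /f. The two malicious command lines are copied from the list above; the daily backup task is a constructed benign control, and the five-minute threshold and the directory markers are my assumptions.

```python
"""Flag scheduled-task persistence from a schtasks /create command line.

Added example, not from the report or the sample: the two malicious command
lines are copied from the Processes list above, the benign one is constructed.
"""
import re

# /switch followed by an optional value, either "double quoted" or a bare token.
SWITCH_RE = re.compile(
    r'/(?P<key>[a-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/"]\S*)))?', re.I
)

# /sc unit -> minutes; non-periodic schedules (onlogon, onstart, once) are absent on purpose.
INTERVAL_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440, "weekly": 10080}

# Assumed markers for user-writable locations a scheduled action should not live in.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_CMDLINES = [
    # copied from the report: the cmd.exe wrapper and the schtasks.exe child
    r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f''',
    # constructed benign control
    r'''schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"''',
]


def parse_schtasks(cmdline):
    """Return {switch: value} for the schtasks /create inside cmdline, else None.

    Parsing starts at the schtasks token, so a "cmd" /c wrapper is ignored."""
    m = re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.I)
    if m is None:
        return None
    switches = {}
    for sw in SWITCH_RE.finditer(cmdline[m.end():]):
        value = sw.group("quoted")
        if value is None:
            value = sw.group("bare")
        switches[sw.group("key").lower()] = value
    return switches if "create" in switches else None


def run_interval_minutes(switches):
    """Effective repetition interval in minutes, or None when the schedule is not periodic."""
    unit = INTERVAL_MINUTES.get((switches.get("sc") or "").lower())
    if unit is None:
        return None
    try:
        modifier = int(switches.get("mo") or 1)
    except ValueError:
        return None
    return unit * modifier


def task_action(switches):
    """The /tr program path.

    The sample nests single quotes inside the double quotes, which schtasks
    accepts, so both quote styles are stripped before matching on the path."""
    return (switches.get("tr") or "").strip("'\" ")


def assess(cmdline, max_interval=5):
    """Findings for one command line; an empty list means nothing to flag.

    max_interval (minutes) is an assumed triage threshold, not a documented value."""
    switches = parse_schtasks(cmdline)
    if switches is None:
        return []
    findings = []
    interval = run_interval_minutes(switches)
    if interval is not None and interval <= max_interval:
        findings.append(f"repeats every {interval} minute(s)")
    action = task_action(switches).lower()
    if any(marker in action for marker in USER_WRITABLE):
        findings.append(f"action runs from a user-writable path: {action}")
    if "f" in switches:
        findings.append("/f silently replaces an existing task with the same name")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line)
        for finding in assess(line) or ["clean"]:
            print("   ", finding)
```

Matching on the stripped path rather than the literal `/tr` argument matters: the single-quoted-inside-double-quoted form is a quirk of this builder, and a rule keyed on the exact quoting would miss the same task created with plain quotes.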

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa      udp
NL       185.225.75.68:3569   -                             tcp
US       8.8.8.8:53           68.75.225.185.in-addr.arpa    udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
NL       185.225.75.68:3569   -                             tcp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           www.xenarmor.com              udp
US       69.64.94.128:80      www.xenarmor.com              tcp
US       8.8.8.8:53           128.94.64.69.in-addr.arpa     udp
NL       185.225.75.68:3569   -                             tcp
US       8.8.8.8:53           15.173.189.20.in-addr.arpa    udp

Reading the table: the in-addr.arpa rows are reverse (PTR) lookups of addresses the VM talked to and are not the sample resolving a hostname; 68.75.225.185.in-addr.arpa is the reverse lookup of 185.225.75.68. That host is contacted three times directly by IP on TCP/3569 with no name resolved first. The report tags the sample BitRAT but does not label this endpoint itself, so treat 185.225.75.68:3569 as the candidate C2 to be confirmed from the extracted configuration. The www.xenarmor.com lookup and the HTTP connection to 69.64.94.128:80 line up with the XenArmor Suite signature and the License.XenArmor files under Files.

Files

memory/<pid>-<n>-<start>-<end>-memory.dmp entries are snapshots of one memory region of a live process, <n> being the snapshot's sequence number; dropped files are listed once per write, so the same path and hashes recur. Two things worth checking by hand: the region dumped from PID 3668 at 0xE00000 and the region at 0x400000 in PIDs 2040 and 5064 are all 0x3CE000 bytes, which fits the same unpacked image being placed in each process, and License.XenArmor is written twice with different content.

memory/5064-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

memory/5064-1-0x0000000000CD0000-0x00000000010A8000-memory.dmp

memory/5064-2-0x0000000006020000-0x00000000065C4000-memory.dmp

memory/5064-3-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/5064-4-0x0000000005AE0000-0x0000000005EA8000-memory.dmp

memory/3668-5-0x0000000000E00000-0x00000000011CE000-memory.dmp

memory/3668-9-0x0000000000E00000-0x00000000011CE000-memory.dmp

memory/3668-13-0x0000000000E00000-0x00000000011CE000-memory.dmp

memory/5064-15-0x0000000074FD0000-0x0000000075780000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/5084-20-0x0000000074FD0000-0x0000000075780000-memory.dmp

memory/5084-21-0x0000000004F60000-0x0000000004F70000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/2040-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/5084-27-0x0000000074FD0000-0x0000000075780000-memory.dmp

memory/2040-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-29-0x0000000074EE0000-0x0000000074F19000-memory.dmp

memory/2040-30-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-34-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-37-0x0000000075260000-0x0000000075299000-memory.dmp

memory/2040-38-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-39-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-40-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-41-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-45-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-46-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-49-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-53-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-54-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-55-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-56-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-57-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-58-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-59-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-60-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-61-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-63-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-64-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/2016-71-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

memory/2016-75-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2016-76-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

memory/8-100-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/8-102-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/8-103-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/8-104-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/8-109-0x0000000010000000-0x0000000010227000-memory.dmp

memory/8-123-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/8-125-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

memory/2016-149-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2040-151-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\f9be9104\plg\fNxDDOJC.json

MD5 ce3e2f5f04eff81b3b7130a90a8e3a6e
SHA1 fe9ac39d1db0a28aeef54741003d3f639125dc1c
SHA256 b45d1dda071c8ee6b1078e8f71661ee1511887daf491a9f81415232a3c3bd631
SHA512 8cd831f9231cc30eeed546b47401459a2737d160faf0eacc823d286de22f79d68a95b994dce1f1eb6e7fa96e24aadeac50659115afe74148a33e6d31012ed357

memory/2040-154-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pint.exe.log

MD5 03febbff58da1d3318c31657d89c8542
SHA1 c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

memory/4208-163-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/4208-164-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/5064-169-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4208-170-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/5064-174-0x0000000074F50000-0x0000000074F89000-memory.dmp

memory/5064-176-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2040-183-0x0000000075260000-0x0000000075299000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/1656-201-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/1656-202-0x0000000004F20000-0x0000000004F30000-memory.dmp

C:\Users\Admin\AppData\Roaming\pint\pint.exe

MD5 6d4c3a4ff3637ec34f820172f897d476
SHA1 d53fe8f0ecb0536088ec9be5247ab6627baf31cb
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
SHA512 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894

memory/1656-214-0x00000000739F0000-0x00000000741A0000-memory.dmp
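
Because dropped files are listed once per write and dumps once per snapshot, the section above is long relative to what it actually contains. The Python below is an added example, not part of the report: it parses a subset of the list copied from above, deduplicates the dropped files by SHA-256, reports paths that were rewritten with different content, and groups dump regions by size across PIDs, which is how a shared 0x3CE000-byte image in PIDs 3668, 2040 and 5064 shows up without reading every line.

```python
"""Inventory a sandbox Files section: dropped files by hash, dump regions by size.

Added example, not part of the report: the lines are a constructed subset of
the list above in its original format; the parsing and grouping are mine.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<digest>[0-9a-f]+)$")

# Constructed input: a subset of the Files list above (MD5 and SHA256 only).
SAMPLE_FILES = r"""
memory/5064-0-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3668-5-0x0000000000E00000-0x00000000011CE000-memory.dmp
memory/3668-9-0x0000000000E00000-0x00000000011CE000-memory.dmp
memory/2040-24-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/5064-169-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2016-71-0x0000000000400000-0x00000000008DC000-memory.dmp
memory/8-100-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/8-109-0x0000000010000000-0x0000000010227000-memory.dmp
C:\Users\Admin\AppData\Roaming\pint\pint.exe
MD5 6d4c3a4ff3637ec34f820172f897d476
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
C:\Users\Admin\AppData\Roaming\pint\pint.exe
MD5 6d4c3a4ff3637ec34f820172f897d476
SHA256 c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
C:\Users\Admin\AppData\Local\Temp\iEZoajWz.exe
MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
MD5 4f3bde9212e17ef18226866d6ac739b6
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
"""


def parse_files(text):
    """Split the list into memory-region snapshots and dropped-file records.

    A path line opens a record; the hash lines that follow attach to it."""
    dumps, files, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current["hashes"][m["algo"]] = m["digest"]
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return dumps, files


def regions_by_size(dumps):
    """size -> sorted unique PIDs holding a region of that size.

    The same size at a different base in several processes is the usual
    sign of one image being mapped or written into each of them."""
    pids = defaultdict(set)
    for d in dumps:
        pids[d["size"]].add(d["pid"])
    return {size: sorted(p) for size, p in pids.items()}


def unique_dropped(files):
    """sha256 -> {paths, drops}: one entry per distinct content, with the
    number of times the report recorded it being written."""
    out = {}
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha is None:
            continue
        entry = out.setdefault(sha, {"paths": set(), "drops": 0})
        entry["paths"].add(f["path"])
        entry["drops"] += 1
    return out


def rewritten_paths(files):
    """Paths written more than once with different content (a licence or
    config file regenerated on every run, for instance)."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return sorted(p for p, shas in by_path.items() if len(shas) > 1)


if __name__ == "__main__":
    dumps, files = parse_files(SAMPLE_FILES)
    for size, pids in sorted(regions_by_size(dumps).items()):
        print(f"region size 0x{size:X} in PIDs {pids}")
    for sha, entry in unique_dropped(files).items():
        print(f"{sha[:16]}... written {entry['drops']}x as {sorted(entry['paths'])}")
    print("rewritten with different content:", rewritten_paths(files))
```

Against the full list the size grouping also pairs 0x400000-0x8DC000 in PID 2016 with nothing else and puts the 0x10000000-0x10227000 region only in PID 8, so the dropped Unknown.dll and the payload iEZoajWz.exe carries can be told apart by size before any of the dumps is opened.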