Malware Analysis Report

2025-01-03 05:23

Sample ID 230918-k2gtjsgc5x
Target 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
Tags bitrat xenarmor collection password recovery spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

Threat Level: Known bad

The file 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943 was found to be: Known bad.

Malicious Activity Summary

bitrat xenarmor collection password recovery spyware stealer trojan upx

BitRAT

XenArmor Suite

UPX packed file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Reads local data of messenger clients

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-18 09:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 09:05

Reported

2023-09-18 09:08

Platform

win10-20230915-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 4372 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe
PID 4104 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4700 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4700 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2988 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 2988 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 2988 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 2988 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe
PID 208 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe | C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

"C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe"

C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

"C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

"C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\unWsqhdG.json"

C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

-a "C:\Users\Admin\AppData\Local\f9be9104\plg\unWsqhdG.json"

C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

"C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 180

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe

"C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

Network

Country | Destination | Domain | Proto
NL | 185.225.75.68:3569 |  | tcp
US | 8.8.8.8:53 | 68.75.225.185.in-addr.arpa | udp
NL | 185.225.75.68:3569 |  | tcp
US | 8.8.8.8:53 | www.xenarmor.com | udp
US | 69.64.94.128:80 | www.xenarmor.com | tcp
US | 8.8.8.8:53 | 128.94.64.69.in-addr.arpa | udp
NL | 185.225.75.68:3569 |  | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp

Files

memory/4372-0-0x00000000737C0000-0x0000000073EAE000-memory.dmp

memory/4372-1-0x0000000000970000-0x0000000001104000-memory.dmp

memory/4372-2-0x0000000005DF0000-0x00000000062EE000-memory.dmp

memory/4372-3-0x0000000001890000-0x00000000018A0000-memory.dmp

memory/4372-4-0x00000000072F0000-0x0000000007A7A000-memory.dmp

memory/2988-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-6-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-7-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-9-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4372-10-0x00000000737C0000-0x0000000073EAE000-memory.dmp

memory/2988-14-0x0000000073BB0000-0x0000000073BEA000-memory.dmp

memory/2988-15-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-16-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-17-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-18-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-19-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-20-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-21-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-22-0x0000000073B80000-0x0000000073BBA000-memory.dmp

memory/2988-23-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-26-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/4104-31-0x0000000072E80000-0x000000007356E000-memory.dmp

memory/4104-32-0x00000000058C0000-0x00000000058D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3348-35-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3348-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3348-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4104-39-0x0000000072E80000-0x000000007356E000-memory.dmp

memory/2988-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-43-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-44-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-45-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3348-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-49-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3348-51-0x0000000073B00000-0x0000000073B3A000-memory.dmp

memory/3348-52-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-53-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-54-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-55-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-56-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-57-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-58-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-59-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-60-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-61-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-63-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-65-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-66-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/208-70-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

memory/208-74-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/208-75-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/208-76-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1652-100-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unWsqhdG.exe

MD5 ca42e05f9d53c7ec9383307c1ea282bb
SHA1 ed0efa1b59b461dcda08121a39411bee72f6b4cb
SHA256 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade
SHA512 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196

memory/1652-102-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1652-103-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1652-105-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/1652-109-0x0000000010000000-0x0000000010227000-memory.dmp

\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

memory/1652-118-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/1652-120-0x0000000010000000-0x0000000010227000-memory.dmp

memory/2988-121-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/208-146-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 77e6621fd939338d3f19f3dd948ecf43
SHA1 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA256 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA512 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

C:\Users\Admin\AppData\Local\f9be9104\plg\unWsqhdG.json

MD5 77e6621fd939338d3f19f3dd948ecf43
SHA1 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
SHA256 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
SHA512 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

memory/2988-150-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-149-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2988-153-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3568-163-0x0000000072E80000-0x000000007356E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hope.exe.log

MD5 807cb75397a3a9fc38e9fb5f8566eb2d
SHA1 367e151fab5a5a80e60202d287ae522ea53e2563
SHA256 3e5056b73303b361e6b7b52f5edb2ed1a7e9dc2c762bb91d18046f42bc2ffcf3
SHA512 49efef0401ba0e0dc0b30bdff5d414da5494e4194c6269da2cb40b1ab7dc53e7858d29d2b9982bf3ee60ebc9638b5ed2b5ddcbb536bcc57729e79fc81f59f13d

memory/3568-165-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3568-176-0x0000000072E80000-0x000000007356E000-memory.dmp

memory/2988-177-0x0000000073BB0000-0x0000000073BEA000-memory.dmp

memory/2988-180-0x0000000073B80000-0x0000000073BBA000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/5048-202-0x0000000072490000-0x0000000072B7E000-memory.dmp

memory/5048-203-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3292-208-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/5048-211-0x0000000072490000-0x0000000072B7E000-memory.dmp

memory/3292-213-0x0000000072A10000-0x0000000072A4A000-memory.dmp

memory/3292-215-0x0000000000400000-0x00000000007CE000-memory.dmp