Analysis Overview
SHA256
c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
Threat Level: Known bad
The file pay2.bin was found to be: Known bad.
Malicious Activity Summary
Xloader
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Xloader family
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Executes dropped EXE
Adds policy Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 09:20
Signatures
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 09:20
Reported
2022-06-21 09:23
Platform
win7-20220414-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Nljod5z\user7nmtbv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\systray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JX4LG0T0V6 = "C:\\Program Files (x86)\\Nljod5z\\user7nmtbv.exe" | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 800 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | C:\Windows\Explorer.EXE |
| PID 2024 set thread context of 1212 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Nljod5z\user7nmtbv.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Nljod5z\user7nmtbv.exe | C:\Windows\SysWOW64\systray.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Nljod5z\user7nmtbv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\pay2.exe
"C:\Users\Admin\AppData\Local\Temp\pay2.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\Nljod5z\user7nmtbv.exe
"C:\Program Files (x86)\Nljod5z\user7nmtbv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.annaleslie.com | udp |
| US | 34.102.136.180:80 | www.annaleslie.com | tcp |
| US | 8.8.8.8:53 | www.sl6.ltd | udp |
| CN | 123.58.47.20:80 | www.sl6.ltd | tcp |
| US | 8.8.8.8:53 | www.ukkrarzw.xyz | udp |
| US | 8.8.8.8:53 | www.akigno.com | udp |
| HK | 154.212.67.210:80 | www.akigno.com | tcp |
| US | 8.8.8.8:53 | www.comment2020.com | udp |
| US | 66.29.135.202:80 | www.comment2020.com | tcp |
| US | 8.8.8.8:53 | www.cedarbyles.com | udp |
| US | 198.54.117.215:80 | www.cedarbyles.com | tcp |
| US | 198.54.117.215:80 | www.cedarbyles.com | tcp |
| US | 8.8.8.8:53 | www.zhongjialawfirm.com | udp |
| CN | 106.75.176.239:80 | www.zhongjialawfirm.com | tcp |
| CN | 106.75.176.239:80 | www.zhongjialawfirm.com | tcp |
| US | 8.8.8.8:53 | www.honghr.com | udp |
| US | 142.234.171.119:80 | www.honghr.com | tcp |
| US | 142.234.171.119:80 | www.honghr.com | tcp |
| US | 8.8.8.8:53 | www.kingscapitalfunding.com | udp |
| US | 34.117.168.233:80 | www.kingscapitalfunding.com | tcp |
| US | 34.117.168.233:80 | www.kingscapitalfunding.com | tcp |
| US | 8.8.8.8:53 | www.askirlofsinclairs.com | udp |
| US | 8.8.8.8:53 | www.shoppersformula.com | udp |
| US | 34.102.136.180:80 | www.shoppersformula.com | tcp |
| US | 34.102.136.180:80 | www.shoppersformula.com | tcp |
| US | 8.8.8.8:53 | www.pakujwalize.xyz | udp |
| FR | 213.186.33.5:80 | www.pakujwalize.xyz | tcp |
| FR | 213.186.33.5:80 | www.pakujwalize.xyz | tcp |
| US | 8.8.8.8:53 | www.trucksolarkit.com | udp |
| DE | 5.22.145.121:80 | www.trucksolarkit.com | tcp |
| DE | 5.22.145.121:80 | www.trucksolarkit.com | tcp |
| US | 8.8.8.8:53 | www.maxsun-solar.com | udp |
| US | 8.8.8.8:53 | www.propagandefilms.com | udp |
| US | 34.117.168.233:80 | www.propagandefilms.com | tcp |
| US | 34.117.168.233:80 | www.propagandefilms.com | tcp |
| CN | 123.58.47.20:80 | www.sl6.ltd | tcp |
| US | 8.8.8.8:53 | www.theyorkshiregiftsco.com | udp |
| HK | 154.212.67.210:80 | www.akigno.com | tcp |
| HK | 154.212.67.210:80 | www.akigno.com | tcp |
Files
memory/800-54-0x0000000000A50000-0x0000000000D53000-memory.dmp
memory/800-55-0x0000000000170000-0x0000000000181000-memory.dmp
memory/1212-56-0x0000000004A40000-0x0000000004B7A000-memory.dmp
memory/2024-57-0x0000000000000000-mapping.dmp
memory/2024-58-0x0000000000E00000-0x0000000000E05000-memory.dmp
memory/1744-59-0x0000000000000000-mapping.dmp
memory/2024-60-0x0000000002210000-0x0000000002513000-memory.dmp
memory/2024-61-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2024-62-0x0000000000960000-0x00000000009F0000-memory.dmp
memory/1212-63-0x0000000003A30000-0x0000000003AE7000-memory.dmp
memory/2024-64-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/1212-65-0x0000000003A30000-0x0000000003AE7000-memory.dmp
memory/2024-66-0x00000000765F1000-0x00000000765F3000-memory.dmp
memory/872-67-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Nljod5z\user7nmtbv.exe
| MD5 | 4b052ae067d179b1e9626c250771002e |
| SHA1 | a37c079cc492f9ebcb5fefc440db929007e3f409 |
| SHA256 | c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005 |
| SHA512 | ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2 |
memory/872-69-0x00000000007E0000-0x0000000000AE3000-memory.dmp
C:\Program Files (x86)\Nljod5z\user7nmtbv.exe
| MD5 | 4b052ae067d179b1e9626c250771002e |
| SHA1 | a37c079cc492f9ebcb5fefc440db929007e3f409 |
| SHA256 | c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005 |
| SHA512 | ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 09:20
Reported
2022-06-21 09:23
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\msdt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\K6ADFTBP = "C:\\Program Files (x86)\\D9r0tsbm\\8pxdufwvxg4rtb.exe" | C:\Windows\SysWOW64\msdt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1868 set thread context of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | C:\Windows\Explorer.EXE |
| PID 664 set thread context of 3168 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | C:\Windows\SysWOW64\msdt.exe | N/A |
| File opened for modification | C:\Program Files (x86)\D9r0tsbm | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | C:\Windows\Explorer.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pay2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\pay2.exe
"C:\Users\Admin\AppData\Local\Temp\pay2.exe"
C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe
"C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gasandmore-koeln.com | udp |
| DE | 81.169.145.92:80 | www.gasandmore-koeln.com | tcp |
| NL | 104.97.14.81:80 | tcp | |
| US | 8.8.8.8:53 | www.nonniesessentials.com | udp |
| US | 8.8.8.8:53 | www.allnetplayer.com | udp |
| US | 8.8.8.8:53 | www.pulsaindo.store | udp |
| US | 198.54.116.247:80 | www.pulsaindo.store | tcp |
| IE | 20.54.110.249:443 | tcp | |
| US | 8.8.8.8:53 | www.botree.info | udp |
| US | 34.102.136.180:80 | www.botree.info | tcp |
| US | 8.8.8.8:53 | www.maxsun-solar.com | udp |
| US | 8.8.8.8:53 | www.okna-step.site | udp |
| RU | 194.58.112.173:80 | www.okna-step.site | tcp |
| NL | 104.110.191.133:80 | tcp | |
| US | 52.168.117.170:443 | tcp | |
| US | 8.8.8.8:53 | www.plantonio.com | udp |
| CA | 23.227.38.74:80 | www.plantonio.com | tcp |
| US | 13.107.21.200:443 | tcp | |
| US | 8.8.8.8:53 | www.propagandefilms.com | udp |
| US | 34.117.168.233:80 | www.propagandefilms.com | tcp |
| US | 8.8.8.8:53 | www.hexiya.com | udp |
| US | 104.21.28.82:80 | www.hexiya.com | tcp |
| US | 8.8.8.8:53 | www.bigabid.engineering | udp |
| US | 34.102.136.180:80 | www.bigabid.engineering | tcp |
| US | 8.8.8.8:53 | www.honghr.com | udp |
| US | 142.234.171.119:80 | www.honghr.com | tcp |
| US | 8.8.8.8:53 | www.comment2020.com | udp |
| US | 66.29.135.202:80 | www.comment2020.com | tcp |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | www.ditiya.space | udp |
| US | 98.124.224.17:80 | www.ditiya.space | tcp |
| US | 98.124.224.17:80 | www.ditiya.space | tcp |
| US | 98.124.224.17:80 | www.ditiya.space | tcp |
| US | 8.8.8.8:53 | www.ukkrarzw.xyz | udp |
| US | 8.8.8.8:53 | www.shoppersformula.com | udp |
| US | 34.102.136.180:80 | www.shoppersformula.com | tcp |
| US | 8.8.8.8:53 | www.naknadastete.net | udp |
| DE | 142.132.249.38:80 | www.naknadastete.net | tcp |
| DE | 142.132.249.38:80 | www.naknadastete.net | tcp |
| DE | 142.132.249.38:80 | www.naknadastete.net | tcp |
| US | 8.8.8.8:53 | www.jzcrjyw.com | udp |
| HK | 121.127.239.53:80 | www.jzcrjyw.com | tcp |
| HK | 121.127.239.53:80 | www.jzcrjyw.com | tcp |
| HK | 121.127.239.53:80 | www.jzcrjyw.com | tcp |
| US | 8.8.8.8:53 | www.newcarreleasedate.net | udp |
| US | 192.64.119.254:80 | www.newcarreleasedate.net | tcp |
| US | 192.64.119.254:80 | www.newcarreleasedate.net | tcp |
| US | 192.64.119.254:80 | www.newcarreleasedate.net | tcp |
| US | 8.8.8.8:53 | www.rusvogue.com | udp |
| US | 104.21.48.159:80 | www.rusvogue.com | tcp |
| US | 104.21.48.159:80 | www.rusvogue.com | tcp |
| US | 104.21.48.159:80 | www.rusvogue.com | tcp |
| US | 8.8.8.8:53 | www.gastreatmentinfo.site | udp |
| DE | 64.190.62.22:80 | www.gastreatmentinfo.site | tcp |
| DE | 64.190.62.22:80 | www.gastreatmentinfo.site | tcp |
| DE | 64.190.62.22:80 | www.gastreatmentinfo.site | tcp |
Files
memory/1868-130-0x0000000000D60000-0x00000000010AA000-memory.dmp
memory/1868-131-0x0000000000D10000-0x0000000000D21000-memory.dmp
memory/3168-132-0x0000000002820000-0x0000000002908000-memory.dmp
memory/664-133-0x0000000000000000-mapping.dmp
memory/664-134-0x0000000000C00000-0x0000000000C57000-memory.dmp
memory/664-135-0x0000000000F30000-0x0000000000F5C000-memory.dmp
memory/4548-136-0x0000000000000000-mapping.dmp
memory/664-137-0x0000000003420000-0x000000000376A000-memory.dmp
memory/3168-138-0x0000000002820000-0x0000000002908000-memory.dmp
memory/664-139-0x0000000000F30000-0x0000000000F5C000-memory.dmp
memory/664-140-0x0000000002FB0000-0x0000000003040000-memory.dmp
memory/3168-141-0x0000000007EF0000-0x000000000802F000-memory.dmp
memory/3168-142-0x0000000007EF0000-0x000000000802F000-memory.dmp
memory/2444-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/3712-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/952-147-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe
| MD5 | 4b052ae067d179b1e9626c250771002e |
| SHA1 | a37c079cc492f9ebcb5fefc440db929007e3f409 |
| SHA256 | c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005 |
| SHA512 | ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2 |
C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe
| MD5 | 4b052ae067d179b1e9626c250771002e |
| SHA1 | a37c079cc492f9ebcb5fefc440db929007e3f409 |
| SHA256 | c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005 |
| SHA512 | ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2 |
memory/952-150-0x00000000016C0000-0x0000000001A0A000-memory.dmp