Malware Analysis Report

2024-10-18 21:03

Sample ID 231219-zzad1sccer
Target 9fbb8a90e9b971800f4bdb85e1bf8f7c
SHA256 b6afb4c2d094c9e803015e65043ee6a48bbf0e31bdd66963078ca1454195b1c6
Tags
azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d infostealer spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b6afb4c2d094c9e803015e65043ee6a48bbf0e31bdd66963078ca1454195b1c6

Threat Level: Known bad

The file 9fbb8a90e9b971800f4bdb85e1bf8f7c was found to be: Known bad.

Malicious Activity Summary

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d infostealer spyware stealer trojan

Azorult

Raccoon

Oski

Raccoon Stealer V1 payload

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2023-12-19 21:08

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 21:08

Reported

2023-12-20 04:25

Platform

win7-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\faame.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssme.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faame.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\ssme.exe
PID 2632 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\faame.exe
PID 2632 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 2160 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ssme.exe C:\Users\Admin\AppData\Local\Temp\ssme.exe
PID 2644 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\faame.exe C:\Users\Admin\AppData\Local\Temp\faame.exe
PID 2696 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\faame.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

C:\Users\Admin\AppData\Local\Temp\ssme.exe

"C:\Users\Admin\AppData\Local\Temp\ssme.exe"

C:\Users\Admin\AppData\Local\Temp\faame.exe

"C:\Users\Admin\AppData\Local\Temp\faame.exe"

C:\Users\Admin\AppData\Local\Temp\ssme.exe

"C:\Users\Admin\AppData\Local\Temp\ssme.exe"

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

C:\Users\Admin\AppData\Local\Temp\faame.exe

"C:\Users\Admin\AppData\Local\Temp\faame.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 ailsom.ac.ug udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 milsom.ug udp

Files

\Users\Admin\AppData\Local\Temp\ssme.exe

MD5 59337e167d10c145b4907027b618ae62
SHA1 8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b
SHA256 b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4
SHA512 40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52

C:\Users\Admin\AppData\Local\Temp\faame.exe

MD5 2618de7ce265814bb7c9db2d040a648c
SHA1 8124cdb548ade9b39c84cc3d87de270e46bd0496
SHA256 0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622
SHA512 925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 21:08

Reported

2023-12-20 04:26

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\faame.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssme.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faame.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\ssme.exe
PID 2016 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\faame.exe
PID 3572 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\ssme.exe C:\Users\Admin\AppData\Local\Temp\ssme.exe
PID 2016 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 4872 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\faame.exe C:\Users\Admin\AppData\Local\Temp\faame.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

C:\Users\Admin\AppData\Local\Temp\ssme.exe

"C:\Users\Admin\AppData\Local\Temp\ssme.exe"

C:\Users\Admin\AppData\Local\Temp\faame.exe

"C:\Users\Admin\AppData\Local\Temp\faame.exe"

C:\Users\Admin\AppData\Local\Temp\ssme.exe

"C:\Users\Admin\AppData\Local\Temp\ssme.exe"

C:\Users\Admin\AppData\Local\Temp\faame.exe

"C:\Users\Admin\AppData\Local\Temp\faame.exe"

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2616 -ip 2616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1308

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ailsom.ac.ug udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 milsom.ug udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ssme.exe

MD5 59337e167d10c145b4907027b618ae62
SHA1 8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b
SHA256 b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4
SHA512 40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52

C:\Users\Admin\AppData\Local\Temp\faame.exe

MD5 2618de7ce265814bb7c9db2d040a648c
SHA1 8124cdb548ade9b39c84cc3d87de270e46bd0496
SHA256 0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622
SHA512 925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253
