Analysis Overview
SHA256: 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
Threat Level: Known bad
The file ttd_scam_tool_api.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Stealerium
Contains code to disable Windows Defender
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-25 00:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-25 00:54
Reported: 2024-01-25 01:29
Platform: win7-20231129-en
Max time kernel: 1523s
Max time network: 1562s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1652 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1652 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1652 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1652 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1652 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1652 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe
"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3G8JDFMUNIKLXV6Y8EH.temp
| Hash | Value |
| --- | --- |
| MD5 | 5b1903b19946c3db6820fbf0b43e9a73 |
| SHA1 | 41b840d326e26f6ff249967a90fe5808acb62a37 |
| SHA256 | 582b2dbee88f3674c9b547082970ecd881ebeabf88da85f6b55944839fd7d0f3 |
| SHA512 | e9b142c483109eed32ed168fd82f61addac38d8283c0b7f5849cfaaa52d6577ba32ea8089eb42dbca5b45d6cd6d18c6a60c9677d599bc6e221a403e17f6e5a51 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-25 00:54
Reported: 2024-01-25 01:30
Platform: win10v2004-20231215-en
Max time kernel: 1471s
Max time network: 1501s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Stealerium
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Builder.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2192 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2192 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2192 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2192 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe
"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap28960:78:7zEvent5209
C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
C:\Users\Admin\Desktop\Builder.exe
"C:\Users\Admin\Desktop\Builder.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
| US | 147.185.221.16:40164 | | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 147.185.221.16:40164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnenuoa2.xuq.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 440cb38dbee06645cc8b74d51f6e5f71 |
| SHA1 | d7e61da91dc4502e9ae83281b88c1e48584edb7c |
| SHA256 | 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe |
| SHA512 | 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 4d8567f2d1c8a09bbfe613145bf78577 |
| SHA1 | f2af10d629e6d7d2ecec76c34bd755ecf61be931 |
| SHA256 | 7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c |
| SHA512 | 89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea |
C:\Users\Admin\Desktop\Stealerium.zip
| Hash | Value |
| --- | --- |
| MD5 | c956487c81dc16555e9232408efbe44d |
| SHA1 | 9272088c2dc913b3c6e779a091755b07e7fa3050 |
| SHA256 | 49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722 |
| SHA512 | 1d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c |
C:\Users\Admin\Desktop\Builder.exe
| Hash | Value |
| --- | --- |
| MD5 | 6c898b9e5467f6d3442a579b7856bdaf |
| SHA1 | 9522f2f219deaf4bb52262c2a5d23393037ec35f |
| SHA256 | 8bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f |
| SHA512 | df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41 |
C:\Users\Admin\Desktop\Builder.runtimeconfig.json
| Hash | Value |
| --- | --- |
| MD5 | 24e4653829de1022d01cd7ddd26e2f22 |
| SHA1 | 9160a009cb381e044ba4c63e4435da6bfeb9dc6d |
| SHA256 | ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91 |
| SHA512 | efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820 |
C:\Users\Admin\Desktop\Builder.deps.json
| Hash | Value |
| --- | --- |
| MD5 | d41bff259e1ebb625fc788fa681377ad |
| SHA1 | b5c8b7725d6f885db30e9237682abfec72aa65be |
| SHA256 | d6a04809c3737f76818082a2caf9b80ac7f0e14bc73b2fabdea2df46d9e25a52 |
| SHA512 | 8aaed8b1b2e40c5a631753789fcf34dadf95a4aab29f852a98ecb3dc30dc5c1df11d69081fb17282c78e0310e65567ab7339bc58efba6fc7b6f729f31fc040e3 |
C:\Users\Admin\Desktop\Builder.dll
| Hash | Value |
| --- | --- |
| MD5 | 41dd506cd0525197e69d9c8592aed2a7 |
| SHA1 | 5d04b134c8f1800fbcd664898d34dee8d10d8fa8 |
| SHA256 | dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c |
| SHA512 | 16ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b |
C:\Users\Admin\Desktop\Spectre.Console.dll
| Hash | Value |
| --- | --- |
| MD5 | 46684228e7c345a3368e8a475ec573b7 |
| SHA1 | aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433 |
| SHA256 | b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257 |
| SHA512 | ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31 |
C:\Users\Admin\Desktop\Spectre.Console.ImageSharp.dll
| Hash | Value |
| --- | --- |
| MD5 | 099edbe28aaacada8a7a12a414a1d68b |
| SHA1 | 0cc1b8ed4448f4c7246dc859a6359fda20c2d927 |
| SHA256 | 52fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee |
| SHA512 | 07995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5 |
C:\Users\Admin\Desktop\SixLabors.ImageSharp.dll
| Hash | Value |
| --- | --- |
| MD5 | 523dced95fcb0120698fc194b159a5cd |
| SHA1 | 9f6e4c7269caaf2e09b6961551102b1ec16e60a0 |
| SHA256 | 0d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219 |
| SHA512 | 325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255 |
C:\Users\Admin\Desktop\New Text Document.txt
| Hash | Value |
| --- | --- |
| MD5 | 4f10bf483c9fe7cb6834229399b10573 |
| SHA1 | 21665c74392b32fda4931d621c84530046f0d624 |
| SHA256 | e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105 |
| SHA512 | 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048 |
C:\Users\Admin\Desktop\Mono.Cecil.dll
| Hash | Value |
| --- | --- |
| MD5 | 6d8d43c5d7dbe36ec01ff8b951cf1e0a |
| SHA1 | d6b8214419870770e1ce398ca06a6a9f0e9e62a3 |
| SHA256 | 9c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487 |
| SHA512 | 221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57 |
C:\Users\Admin\Desktop\Stub\stub.exe
| Hash | Value |
| --- | --- |
| MD5 | 6627adf7167ee571e8fd6c8b1a0e8ae3 |
| SHA1 | 03b9112660ee73c59d84e219f15bf24ae9df48db |
| SHA256 | 6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f |
| SHA512 | e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60 |