Malware Analysis Report

2024-10-19 06:52

Sample ID 240125-b5bx2adee3
Target ttd_scam_tool_api.exe
SHA256 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
Tags
xworm agilenet rat trojan stealerium stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a

Threat Level: Known bad

The file ttd_scam_tool_api.exe was found to be: Known bad.

Malicious Activity Summary

xworm agilenet rat trojan stealerium stealer

Xworm

Contains code to disable Windows Defender

Stealerium

Detect Xworm Payload

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 01:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 01:43

Reported

2024-01-25 02:03

Platform

win7-20231215-en

Max time kernel

426s

Max time network

447s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap29248:86:7zEvent13485

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\blank.txt

C:\Users\Admin\Desktop\Umbral.builder.exe

"C:\Users\Admin\Desktop\Umbral.builder.exe"

Network

Country Destination Domain Proto
US 147.185.221.16:40164 tcp
US 147.185.221.16:40164 tcp
US 147.185.221.16:40164 tcp

Files

memory/2072-0-0x0000000000A50000-0x0000000000A64000-memory.dmp

memory/2072-1-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

memory/1960-7-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

memory/1960-6-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/1960-9-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1960-8-0x0000000002250000-0x0000000002258000-memory.dmp

memory/1960-10-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

memory/1960-11-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1960-12-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1960-13-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

memory/3064-19-0x000000001B690000-0x000000001B972000-memory.dmp

memory/3064-20-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3KADOMZQCQZU4GJ3A7B.temp

MD5 836305a37453aaec21ef04c593da2a0b
SHA1 efeda13e302a6226cefabdb24a26ace7490f20bd
SHA256 481382a7c2c1771c2438ef2e4d62445bb87d33ebb1a57d6aeeeb23d8a44c9e89
SHA512 ac26807b8f8199461ff7b1fe855e7ddf53478c6f4cf5dac533fa6efa8f667d1d64d52e8707901c53d2d58c1f5f4667ca37fdf0d3f78dda2d29300bb69c8aa5f3

memory/3064-21-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

memory/3064-22-0x0000000002BA0000-0x0000000002C20000-memory.dmp

memory/3064-24-0x0000000002BA0000-0x0000000002C20000-memory.dmp

memory/3064-23-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

memory/3064-25-0x0000000002BA0000-0x0000000002C20000-memory.dmp

memory/3064-26-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

memory/2072-27-0x0000000000660000-0x00000000006E0000-memory.dmp

memory/2072-28-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

memory/2072-29-0x0000000000660000-0x00000000006E0000-memory.dmp

memory/2072-30-0x000000001BA40000-0x000000001BAF0000-memory.dmp

C:\Users\Admin\Desktop\Umbral.Stealer.zip

MD5 f355889db3ff6bae624f80f41a52e619
SHA1 47f7916272a81d313e70808270c3c351207b890f
SHA256 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
SHA512 bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb

C:\Users\Admin\Desktop\blank.txt

MD5 4f10bf483c9fe7cb6834229399b10573
SHA1 21665c74392b32fda4931d621c84530046f0d624
SHA256 e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105
SHA512 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048

memory/2788-134-0x0000000000010000-0x0000000000032000-memory.dmp

memory/2788-136-0x0000000000540000-0x0000000000560000-memory.dmp

memory/2788-150-0x00000000005A0000-0x00000000005BE000-memory.dmp

memory/2788-152-0x000000001B400000-0x000000001B54A000-memory.dmp

memory/2788-154-0x000000001A700000-0x000000001A730000-memory.dmp

memory/2788-153-0x000000001B9F0000-0x000000001BB06000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.Licensing.dll

MD5 42aa8513af781468cfec62f71a16d678
SHA1 a94efb7b524cc053a1662464580dc66f144805ad
SHA256 19e293b1ced37a7e42d03c892cc8e5c4cd580a7e00301c674451905a4e57991c
SHA512 0d143f51a8f8ea4793b8e6548e95f35ddb7665635559b6766c27ffc92997ba896b423f1c52c97d4f2ba6028b425583a4f45f0494d92d945b73e06b88330acc41

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuCheckBox.dll

MD5 ef11f59a9381df17d7ab94434f79f260
SHA1 ec11e46a636fe3927fd5fa7c30be65b958853ef0
SHA256 390252aeb6fd76a954a03853c3d883e0360dc8b3f2cf8cfed5ba94e4e5a24da4
SHA512 612b1b0f9204c605ff5e9b91816e674cdaea71fa69f81a5a7f475bf1cc8d5e12687deb1b0118b07b3d7e4764adede0576f8fc799f8155a65a70e5dafff50f73d

memory/2788-148-0x0000000000590000-0x00000000005A0000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuShadowPanel.dll

MD5 ebaf1a6efa8c7a04d174be7e0df602a7
SHA1 ce08c80e52b6cf3f62ba82408d8f32ae6bcef0d8
SHA256 1858b16074d7f9b73f462e3adcc77309800594fa96f2e0904c810eda4eaf5e86
SHA512 4ffd5dcb59a4a03273c4e88047c7d398f098302b9485d07cf5549ca0d72467102aafa69298e248250df154a8b09f7560e634cca9cb1af2838baf3965aa645b31

memory/2788-146-0x0000000001F00000-0x0000000001F5A000-memory.dmp

memory/2788-155-0x000000001B090000-0x000000001B110000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.1.5.3.dll

MD5 41c216d27c71a227774e680e95e99f31
SHA1 0a2a93d4ecbf4bbec2faf110066c6b4472b0dbf5
SHA256 012d717b4ac00c3686a772757f49c1908e223624e3974314cdb9fc9291073305
SHA512 e355ba11e41b668e4459f709e87c3e212c8986ea894791d9155791ea9d7315372fb51531eb69204ed2ee38e242de7629e4a2f090c05bf9deeea9ea965ffaf651

memory/2788-144-0x0000000000580000-0x000000000058E000-memory.dmp

memory/2788-156-0x000000001B090000-0x000000001B110000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuColorTransition.dll

MD5 539d803013c0b1592d0e17a740d72687
SHA1 b0ce15e0f096d027b1d1482afa9d93bafd160f7a
SHA256 500adece1fba76dfb2fa628de9886a2661ed1a4e58a7717a5fee607206bb1d81
SHA512 77d8ab7a949db41a79371cf2ebd5d67bd4a38dd040de0073c878f50b2a6409fae2dc5db7cbf375fbc1bc571838b0a6d4848bdecc1420d91633b878585c94b9dd

memory/2788-142-0x000000001A580000-0x000000001A5EE000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuLabel.dll

MD5 aab3c7e66fef3d991a5de0d33f3db9a4
SHA1 5f70bd9b6a975f7f743511cf13d4f8a40cd11687
SHA256 a9704c8aa965a9a13eba9ec0933046bc3f9c276e2ded942225bdae7607ca7cf8
SHA512 e3e27de898ad816993130c6ad9fd116211c082836012d54bfb5be2800d1df9784e5f3a762dfe8d0568ebd00f52cf624d32a6aa23366666c2c1e09eb09b5b4ad4

memory/2788-140-0x000000001B090000-0x000000001B110000-memory.dmp

memory/2788-139-0x0000000000560000-0x0000000000580000-memory.dmp

memory/2788-138-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuTextBox.dll

MD5 fd2042c49df3e74e096b8cee8cc9fe43
SHA1 4ccdb0e13c24fb71f502d50e34f00c39bcacf307
SHA256 4569393e1aad7498c6a7c8a84f79d0cd7a1d0656e912d0ddb607b61163673976
SHA512 c93ad9cb411c311b0feeefdf2089c0c13098c7d2bab56345f4e9a7fc515965a3893c613d494adbbb066801eeb3dc32237a8322f7a5f876284a06b447efdad641

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.BunifuButton.dll

MD5 21f999e5ac72a16077511d41590822de
SHA1 d8bb1a8a291f73cdf2b5658b2b65736c87db19dd
SHA256 2a62c78f1f0db2e3258135b50f7885e6734c31c74a8f2f5782f285aa268c2f71
SHA512 e04fe31870f266d772829053a6bb210a9513ff5c8c0f9a3a267ddbe1875125496caa602baf44a4e241ef84d933bd55b79af43d5871ed10c81711adecee78b8e3

C:\Users\Admin\Desktop\Umbral.builder.exe

MD5 d91fb6867df7e4303d98b5e90faae73c
SHA1 496f53ad8cd9381f1c1b577a73e978081002c1db
SHA256 bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344
SHA512 5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9

memory/2788-157-0x000000001B090000-0x000000001B110000-memory.dmp

C:\Users\Admin\Desktop\Umbral.builder.exe.config

MD5 dccd44fb11b8e4ebdfb822e809a54b6f
SHA1 1889d5ae8c7c70c051cbde104af6e0f31f8c1b63
SHA256 6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158
SHA512 dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50

memory/2788-158-0x000007FEF5AE0000-0x000007FEF64CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 01:43

Reported

2024-01-25 02:28

Platform

win10v2004-20231215-en

Max time kernel

300s

Max time network

340s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealerium

stealer stealerium

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Builder.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe

"C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap31003:78:7zEvent10203

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt

C:\Users\Admin\Desktop\Builder.exe

"C:\Users\Admin\Desktop\Builder.exe"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 147.185.221.16:40164 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp

Files

memory/1864-0-0x00000000002C0000-0x00000000002D4000-memory.dmp

memory/1864-1-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dg2cmpt2.bnq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1616-11-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

memory/1616-12-0x0000020558400000-0x0000020558410000-memory.dmp

memory/1616-14-0x0000020558370000-0x0000020558392000-memory.dmp

memory/1616-13-0x0000020558400000-0x0000020558410000-memory.dmp

memory/1616-15-0x0000020558400000-0x0000020558410000-memory.dmp

memory/1616-18-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

memory/1368-30-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

memory/1368-31-0x00000130A32B0000-0x00000130A32C0000-memory.dmp

memory/1368-33-0x00000130A32B0000-0x00000130A32C0000-memory.dmp

memory/1368-32-0x00000130A32B0000-0x00000130A32C0000-memory.dmp

memory/1368-35-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

memory/1864-36-0x000000001B050000-0x000000001B060000-memory.dmp

memory/1864-37-0x00007FFE36CF0000-0x00007FFE377B1000-memory.dmp

memory/1864-38-0x000000001B050000-0x000000001B060000-memory.dmp

memory/1864-39-0x000000001D1F0000-0x000000001D2A0000-memory.dmp

memory/1864-40-0x000000001D9D0000-0x000000001DEF8000-memory.dmp

C:\Users\Admin\Desktop\Stealerium.zip

MD5 c956487c81dc16555e9232408efbe44d
SHA1 9272088c2dc913b3c6e779a091755b07e7fa3050
SHA256 49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722
SHA512 1d1f77372991544e502bf6076a2e5c9cea0d80e2afc00a0f4efe97ebf9b74bb18e1b52b3ec02dd3de441fe3114dd3aa15f21fc421ddf93204571acd7b56af64c

C:\Users\Admin\Desktop\New Text Document.txt

MD5 4f10bf483c9fe7cb6834229399b10573
SHA1 21665c74392b32fda4931d621c84530046f0d624
SHA256 e8f023aa53cd2f329d30b87a1a4b255b4fcec776d58b9399edffb28370f04105
SHA512 60d2042b9131a22c355f683733cfba008a69cdf96ae89473e7452eb1a88cf5a44e96973b365ef2b5c7f75c2fe172498e620ea76010b0bfd20f0e675177d66048

C:\Users\Admin\Desktop\Builder.exe

MD5 6c898b9e5467f6d3442a579b7856bdaf
SHA1 9522f2f219deaf4bb52262c2a5d23393037ec35f
SHA256 8bf6beb962bf051de009059554aa265012342bd6ec841abd2aa94ba1335a333f
SHA512 df35d776b2df079a9440ac1b0435e0fe9e4f1c17ee0790b1057ede8f146d90889c1fe727cd5112b27b2f4e96903c83f8ef7d61bc359aa762b708d17ad7676c41

C:\Users\Admin\Desktop\Builder.runtimeconfig.json

MD5 24e4653829de1022d01cd7ddd26e2f22
SHA1 9160a009cb381e044ba4c63e4435da6bfeb9dc6d
SHA256 ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91
SHA512 efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820

C:\Users\Admin\Desktop\Builder.deps.json

MD5 d41bff259e1ebb625fc788fa681377ad
SHA1 b5c8b7725d6f885db30e9237682abfec72aa65be
SHA256 d6a04809c3737f76818082a2caf9b80ac7f0e14bc73b2fabdea2df46d9e25a52
SHA512 8aaed8b1b2e40c5a631753789fcf34dadf95a4aab29f852a98ecb3dc30dc5c1df11d69081fb17282c78e0310e65567ab7339bc58efba6fc7b6f729f31fc040e3

memory/5000-77-0x00007FFE33640000-0x00007FFE33B3E000-memory.dmp

C:\Users\Admin\Desktop\Builder.dll

MD5 41dd506cd0525197e69d9c8592aed2a7
SHA1 5d04b134c8f1800fbcd664898d34dee8d10d8fa8
SHA256 dcd0162524ce4ae11f5c5e9b496e35ce6a096e5dea8e63b45fa835069737f87c
SHA512 16ba073d871eb9a244b8e733c101e9fec98699d881440e0dfa661e9f331fda0789f232e4abd70dcff3649a5428049590461da83ab7f0078e3ed9c7fc2fbfb28b

C:\Users\Admin\Desktop\Spectre.Console.ImageSharp.dll

MD5 099edbe28aaacada8a7a12a414a1d68b
SHA1 0cc1b8ed4448f4c7246dc859a6359fda20c2d927
SHA256 52fef316879f90a3897ec33b8a6ca955bd720c8fe53b4479be01b70fcb7d26ee
SHA512 07995720bc9e5d3b253b5cbe3f2700978950a81819d5064c25fbb6fe860c1cd1b32379136a390ab85f4612d82d4b256ba2d8c46cccdf9de04aab16135c2d6fe5

C:\Users\Admin\Desktop\Spectre.Console.dll

MD5 46684228e7c345a3368e8a475ec573b7
SHA1 aef278fbd7b3f6a65227c7b6b64eb6d88f6cc433
SHA256 b9617847d85b8efe32d07c4c28f1d16cadd4bfe45a09fd1e24eb82505f913257
SHA512 ce3ca4c8250bca3e97713d4047d0d874b3b6430014fbc3078b34a9f701a9eaa4b5e990ff99864c19b41eba1dfad74e0f6f1a464bef7b3d5ad825dfcb91b3da31

C:\Users\Admin\Desktop\SixLabors.ImageSharp.dll

MD5 523dced95fcb0120698fc194b159a5cd
SHA1 9f6e4c7269caaf2e09b6961551102b1ec16e60a0
SHA256 0d19e3bc90153b7d0360360422355daa569209180dd1e4337f2431148d1d7219
SHA512 325c9c3a316852ea6156a07317a64e369048dc7cfea21e9ea87f8723cf37515f0dfc0a31ab3bf07155ea27938d426c9832c1fcba1ab6c96573cc44eacfa05255

C:\Users\Admin\Desktop\Mono.Cecil.dll

MD5 6d8d43c5d7dbe36ec01ff8b951cf1e0a
SHA1 d6b8214419870770e1ce398ca06a6a9f0e9e62a3
SHA256 9c2908709da6761e9b5b9d4d46102d65851145bac987787d6c5a05ffe5689487
SHA512 221955b05d83513fadcb79721c96fd467ea871cfa401b279dc8ade426c88df4cadc884dae7a9c418c1012af202263f31ce8b63ca919e1f725eb7c7e8008c3a57

C:\Users\Admin\Desktop\Stub\stub.exe

MD5 6627adf7167ee571e8fd6c8b1a0e8ae3
SHA1 03b9112660ee73c59d84e219f15bf24ae9df48db
SHA256 6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f
SHA512 e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60

memory/5000-85-0x00007FFE33640000-0x00007FFE33B3E000-memory.dmp

C:\Users\Admin\Desktop\Stub\build.exe

MD5 be2f3202f1b8c74620ab1b5e83ff1ce4
SHA1 9a0b4ac36b2fc6b21a99ee150b175a1fc4ac0ee6
SHA256 0803e42cecd8aea57d7b6ab5ea3662bbfa2aa2d2a6dfe4c819a39174bf7952d9
SHA512 526f6fc76037cb8a60010ab7bfb113eda3ab1044866908c5dc7547290c70eb974424078c30115703ad3752ee2ed2d844a8564d9be5484e7fa112a57fee8be853

memory/1864-87-0x0000000000B20000-0x0000000000B2E000-memory.dmp