Analysis Overview
SHA256
b550a1e40fb269d8bf54ecfb7615d3eca1d926bcafed4acadf272634a07abb29
Threat Level: Known bad
The file downloader.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
SectopRAT payload
RedLine payload
SectopRAT
RedLine
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-24 06:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-24 06:52
Reported
2024-08-24 06:53
Platform
win7-20240729-en
Max time kernel
13s
Max time network
32s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2648 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\downloader.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | imoveisabc.com | udp |
| BR | 185.245.180.242:443 | imoveisabc.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-24 06:52
Reported
2024-08-24 06:55
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1028 set thread context of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe""
C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe
"C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
"C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
Files