Malware Analysis Report

2025-06-16 05:12

Sample ID: 230120-lkxzwafc91
Target: U prilogu nova lista narudzbi.exe
SHA256: 040a34e5884c29dd12452d342e344fe0d40f8dc1ea161d93c2a6c35b0a7da08b
Tags: modiloader trojan formbook xloader euv4 loader persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 040a34e5884c29dd12452d342e344fe0d40f8dc1ea161d93c2a6c35b0a7da08b

Threat Level: Known bad

The file U prilogu nova lista narudzbi.exe was found to be: Known bad.

Malicious Activity Summary

modiloader trojan formbook xloader euv4 loader persistence rat spyware stealer

ModiLoader, DBatLoader

Xloader

Formbook

ModiLoader Second Stage

Xloader payload

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-20 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-20 09:36

Reported

2023-01-20 09:38

Platform

win7-20220812-en

Max time kernel

131s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe

"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | onedrive.live.com | udp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp

Files

memory/580-54-0x0000000075931000-0x0000000075933000-memory.dmp

memory/580-55-0x0000000000290000-0x00000000002BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-20 09:36

Reported

2023-01-20 09:38

Platform

win10v2004-20221111-en

Max time kernel

152s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

ModiLoader, DBatLoader

trojan modiloader

Xloader

loader xloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xloader payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\cscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZZG4TXTXPV = "C:\\Program Files (x86)\\Aut7pyh\\kfrlo8tevh4.exe" | C:\Windows\SysWOW64\cscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teiejegx = "C:\\Users\\Public\\Libraries\\xgejeieT.url" | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2676 set thread context of 2688 | N/A | C:\Windows\SysWOW64\iexpress.exe | C:\Windows\Explorer.EXE
PID 3348 set thread context of 2688 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\Explorer.EXE | N/A
File opened for modification | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\Explorer.EXE | N/A
File opened for modification | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\SysWOW64\cscript.exe | N/A
File opened for modification | C:\Program Files (x86)\Aut7pyh | C:\Windows\Explorer.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cscript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 4540 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\iexpress.exe
PID 2688 wrote to memory of 3348 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe
PID 2688 wrote to memory of 3348 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe
PID 2688 wrote to memory of 3348 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe
PID 3348 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2224 | N/A | C:\Windows\Explorer.EXE | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe
PID 2688 wrote to memory of 2224 | N/A | C:\Windows\Explorer.EXE | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe
PID 2688 wrote to memory of 2224 | N/A | C:\Windows\Explorer.EXE | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe
PID 3348 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 3348 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 3348 wrote to memory of 4688 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe

"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"

C:\Windows\SysWOW64\iexpress.exe

C:\Windows\System32\iexpress.exe

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\SysWOW64\cscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\iexpress.exe"

C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe

"C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | | tcp
N/A | 8.8.8.8:53 | onedrive.live.com | udp
N/A | 13.107.42.13:443 | onedrive.live.com | tcp
N/A | 8.8.8.8:53 | mi4zkw.bn.files.1drv.com | udp
N/A | 13.107.42.12:443 | mi4zkw.bn.files.1drv.com | tcp
N/A | 8.8.8.8:53 | www.alifdanismanlik.com | udp
N/A | 65.109.63.101:80 | www.alifdanismanlik.com | tcp
N/A | 8.8.8.8:53 | www.leatherman-neal.com | udp
N/A | 20.50.80.209:443 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 8.8.8.8:53 | www.uschargeport.com | udp
N/A | 72.21.81.240:80 | | tcp
N/A | 72.21.81.240:80 | | tcp
N/A | 72.21.81.240:80 | | tcp
N/A | 8.8.8.8:53 | www.encludemedia.com | udp
N/A | 34.102.136.180:80 | www.encludemedia.com | tcp
N/A | 8.8.8.8:53 | www.oprimanumerodos.com | udp
N/A | 8.8.8.8:53 | www.rematedeldia.com | udp
N/A | 23.227.38.74:80 | www.rematedeldia.com | tcp
N/A | 8.247.210.254:80 | | tcp
N/A | 8.8.8.8:53 | www.spbutoto.com | udp
N/A | 188.114.97.0:80 | www.spbutoto.com | tcp
N/A | 8.8.8.8:53 | www.drimev.com | udp
N/A | 8.8.8.8:53 | www.laidbackfurniture.store | udp
N/A | 8.8.8.8:53 | www.nathanmartinez.digital | udp
N/A | 8.8.8.8:53 | www.librairie-adrienne.com | udp
N/A | 192.0.78.141:80 | www.librairie-adrienne.com | tcp
N/A | 8.8.8.8:53 | www.lankasirinspa.com | udp
N/A | 8.8.8.8:53 | www.bendyourtongue.com | udp
N/A | 34.102.136.180:80 | www.bendyourtongue.com | tcp
N/A | 8.8.8.8:53 | www.turkcuyuz.com | udp
N/A | 8.8.8.8:53 | www.mehfeels.com | udp
N/A | 34.98.99.30:80 | www.mehfeels.com | tcp
N/A | 8.8.8.8:53 | www.kuechenpruefer.com | udp
N/A | 217.160.0.95:80 | www.kuechenpruefer.com | tcp
N/A | 8.8.8.8:53 | www.ahmadfaizlajis.com | udp
N/A | 8.8.8.8:53 | www.1207rossmoyne.com | udp
N/A | 8.8.8.8:53 | www.bubu3cin.com | udp
N/A | 31.187.72.243:80 | www.bubu3cin.com | tcp
N/A | 8.8.8.8:53 | www.jasabacklinkweb20.com | udp

Files

memory/4540-132-0x0000000002500000-0x000000000252C000-memory.dmp

memory/2676-134-0x0000000000000000-mapping.dmp

memory/4540-135-0x0000000010410000-0x0000000010439000-memory.dmp

memory/4540-136-0x0000000010410000-0x0000000010439000-memory.dmp

memory/2676-138-0x0000000003C40000-0x0000000003F8A000-memory.dmp

memory/2676-139-0x0000000003B90000-0x0000000003BA1000-memory.dmp

memory/2688-140-0x0000000002EC0000-0x0000000002FEF000-memory.dmp

memory/3348-141-0x0000000000000000-mapping.dmp

memory/2676-142-0x0000000010410000-0x0000000010439000-memory.dmp

memory/3468-143-0x0000000000000000-mapping.dmp

memory/3348-144-0x00000000008E0000-0x0000000000907000-memory.dmp

memory/3348-145-0x0000000002790000-0x0000000002ADA000-memory.dmp

memory/3348-146-0x00000000003D0000-0x00000000003F9000-memory.dmp

memory/2688-147-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-148-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-149-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-150-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-151-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-152-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-153-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-154-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-155-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-156-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-158-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-157-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-160-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-159-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-161-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-163-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-164-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-165-0x0000000007B00000-0x0000000007B10000-memory.dmp

memory/2688-166-0x0000000007B00000-0x0000000007B10000-memory.dmp

memory/3348-167-0x00000000025D0000-0x0000000002660000-memory.dmp

memory/2688-168-0x0000000008230000-0x000000000830F000-memory.dmp

memory/3348-169-0x00000000003D0000-0x00000000003F9000-memory.dmp

memory/2688-170-0x0000000007B00000-0x0000000007B10000-memory.dmp

memory/2688-171-0x0000000007B00000-0x0000000007B10000-memory.dmp

memory/2688-172-0x0000000008230000-0x000000000830F000-memory.dmp

memory/2688-173-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-174-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-175-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-176-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-177-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-178-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-179-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-180-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-181-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-182-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-183-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-184-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-185-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-186-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-187-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-188-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-189-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-190-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2688-191-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2688-192-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2688-193-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2688-194-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2688-195-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2688-196-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2688-197-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2224-198-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe

MD5 d594b2a33efafd0eabf09e3fdc05fcea
SHA1 06845890c783abb305a8c9bbd119df5de0a17e6f
SHA256 dd2c185deae89d41f42fb9903aa274ae70b103ea2285184c4565f39b69df945f
SHA512 20e26f7ceb672a4b64cf05ca5595611b9fa561b6c141bd0e9fdc777836af1e343dffed81b07d8f3636d1e21a1fe42176c0a090dfb711eacd56006f85551e9a43

memory/4736-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/2688-203-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-204-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-205-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-206-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-207-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-208-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-209-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-210-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-211-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-212-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-214-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-213-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-215-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-216-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-217-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-218-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-219-0x0000000001070000-0x0000000001080000-memory.dmp

memory/2688-220-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/2688-221-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/2688-222-0x0000000007B10000-0x0000000007B20000-memory.dmp

memory/2688-223-0x0000000007B10000-0x0000000007B20000-memory.dmp