Malware Analysis Report

2025-06-16 05:13

Sample ID: 230127-fdg27agd99
Target: d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
SHA256: d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
Tags: formbook xloader poub loader persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436

Threat Level: Known bad

The file d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436 was found to be: Known bad.

Malicious Activity Summary

Tags: formbook xloader poub loader persistence rat spyware stealer trojan

Formbook
Xloader
Xloader payload
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-27 04:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-27 04:45

Reported: 2023-01-27 04:47

Platform: win10-20220812-en

Max time kernel: 149s

Max time network: 148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Xloader (tags: loader xloader)

Xloader payload (tags: rat)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe N/A

Reads user/profile data of web browsers (tags: spyware stealer)

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZJO04ZIXVF = "C:\\Program Files (x86)\\Fvnu\\regsvcd8tpu.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1724 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 2772 set thread context of 3152 N/A C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe C:\Windows\Explorer.EXE
PID 4176 set thread context of 3152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Fvnu C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe C:\Windows\Explorer.EXE N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe

Modifies Internet Explorer settings (tags: adware spyware)

Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 1724 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 3152 wrote to memory of 4176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 4176 wrote to memory of 3816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 4084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 4596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 3152 wrote to memory of 4724 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe

Processes

Process path, followed by its command line:

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe
  "C:\Users\Admin\AppData\Local\Temp\d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436.exe"

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
  "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
  "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Windows\SysWOW64\cmd.exe
  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe
  "C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 532

Network

Files

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

MD5 85af329a0a06c1401e60a9c02d060948
SHA1 d83acc707040401fe1d88570608e8e8f05589944
SHA256 79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512 f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66

C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

MD5 7dd82af1732e277c64b7f580fb68b3f8
SHA1 7f1cac07464b57d03eeba50d4371a6fbcaff1798
SHA256 237438a1c80ff20bb45e9a0b804322f2a3527f849bef2aaf406d18c189a44c0b
SHA512 0a675216d4e0a03165c3f3d11cd3d125b31624d93e4a901799b3066e691fc7dbf81aed86bea23e3167d230d880682c814b77e219f471ad770a43a28a1d496207

C:\Users\Admin\AppData\Local\Temp\lufvp.o

MD5 a69fcb977745da1e8892aed65f6a5a89
SHA1 32b35f70fc0d3686ea4ffc26f70c80a8ede70474
SHA256 108668a80bdff8cc56a95903d011d86410054cadbd4f52530a0ff9f4c0f0e24b
SHA512 21badfef569bfebcabf03ef5ab6061b4c723b241ccf69ff67ad5649ee1dda08b1bb99f43de0b43687841274356dafbe67a799c4cead6dd15309845c253e6a508

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Program Files (x86)\Fvnu\regsvcd8tpu.exe

MD5 85af329a0a06c1401e60a9c02d060948
SHA1 d83acc707040401fe1d88570608e8e8f05589944
SHA256 79d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512 f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66