Malware Analysis Report

2025-01-22 18:56

Sample ID 240309-v8wldsec6t
Target mapper.exe
SHA256 0ec4ddc14b405e679b7d84cf497b37eea9d7fceab795a575d54d3a37e5a2bfe6
Tags gozi banker isfb spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 0ec4ddc14b405e679b7d84cf497b37eea9d7fceab795a575d54d3a37e5a2bfe6

Threat Level: Known bad

The file mapper.exe was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb spyware stealer trojan

Gozi

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-09 17:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-09 17:40

Reported

2024-03-09 17:42

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.amazonaws.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\playpear19954641.vbs" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1360 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ComputerDefaults.exe
PID 4920 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ComputerDefaults.exe
PID 4920 wrote to memory of 1520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ComputerDefaults.exe
PID 1520 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\ComputerDefaults.exe | C:\Windows\SysWOW64\wscript.exe
PID 1520 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\ComputerDefaults.exe | C:\Windows\SysWOW64\wscript.exe
PID 1520 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\ComputerDefaults.exe | C:\Windows\SysWOW64\wscript.exe
PID 4292 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 3976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 3976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe
PID 1360 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\mapper.exe | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE
PID 1504 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\mapper.exe

"C:\Users\Admin\AppData\Local\Temp\mapper.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\playpear19954641.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\playpear19954641.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_iFeRcipGml0K2C2no050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\iFeRcipGml0K2C2no050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_iFeRcipGml0K2C2no050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\iFeRcipGml0K2C2no050MX.exe" /RL HIGHEST /IT

C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe

"C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe" explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5028 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | textpubshiers.top | udp
US | 188.114.97.2:443 | textpubshiers.top | tcp
US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | discord.com | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 162.159.136.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.amazonaws.com | udp
IE | 54.73.45.31:80 | checkip.amazonaws.com | tcp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.45.73.54.in-addr.arpa | udp
US | 188.114.97.2:443 | textpubshiers.top | tcp
US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp
US | 162.159.136.232:443 | discord.com | tcp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp

Files

memory/1360-0-0x00000000006F0000-0x00000000006FC000-memory.dmp

memory/1360-1-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/1360-2-0x0000000004B20000-0x0000000004B3A000-memory.dmp

memory/1360-3-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1360-4-0x0000000000920000-0x000000000092A000-memory.dmp

memory/1360-5-0x0000000004C00000-0x0000000004C92000-memory.dmp

memory/1360-6-0x0000000005250000-0x00000000057F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\playpear19954641.vbs

MD5 a34267102c21aff46aecc85598924544
SHA1 77268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256 eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA512 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

memory/1360-10-0x000000000AB10000-0x000000000B710000-memory.dmp

memory/1360-11-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/1360-12-0x00000000128B0000-0x0000000013552000-memory.dmp

memory/1360-13-0x0000000004B50000-0x0000000004B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll

MD5 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1 fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512 fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

memory/1360-24-0x0000000007770000-0x0000000007782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agek0k4n.exe

MD5 e898826598a138f86f2aa80c0830707a
SHA1 1e912a5671f7786cc077f83146a0484e5a78729c
SHA256 df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA512 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

memory/3544-29-0x0000000000340000-0x0000000000348000-memory.dmp

memory/3544-30-0x0000000002800000-0x0000000002801000-memory.dmp

memory/3544-33-0x0000000000340000-0x0000000000348000-memory.dmp

memory/3544-31-0x0000000000340000-0x0000000000348000-memory.dmp

memory/3544-34-0x0000000000340000-0x0000000000348000-memory.dmp

memory/1360-40-0x0000000000BA0000-0x0000000000C06000-memory.dmp

memory/1360-41-0x0000000000770000-0x000000000077A000-memory.dmp

memory/1360-42-0x0000000007760000-0x000000000776A000-memory.dmp

memory/1360-43-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1360-44-0x0000000009D90000-0x0000000009D9C000-memory.dmp

memory/1360-45-0x0000000009DB0000-0x0000000009DB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Gongle\aRGU8PWJGZ\f97d9gc7.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 c8583d963ffc8caf7850a320228bd779
SHA1 f54fdc7391977bdddfca0101407ad7973f64b1a7
SHA256 21ed68046ef1d19feb7ce12064661ef0496e8764b8da9f7b0bc9fa2d1bf0d45e
SHA512 d815e6395249bb5f40be87725339db3678ddb62e67e04b12d013cd5ca3f8cac0a4a1d65328ce46cf52f1b3eedcd312b0532b86147250750f5db61ebcce06b1d7

C:\Users\Admin\AppData\Roaming\Gongle\aBCVUWPZXC\LOG

MD5 6f7bb35416fa4a8788bbf12783ba7a63
SHA1 b7380627dfef54dc65e31758f3ac7b120af2e3df
SHA256 50907c8696ba2da78d3f286e0396d1561758de8226314df8e4cefc3d78c1f0ed
SHA512 dae3b7ac11a656ef58bbfd382a1af4e39b939331a76daacd3d830c610ab08c416e4e40139f0721ef2f9e75e1f38863b88ce69742953c19a01e69d9d3e57eb348

C:\Users\Admin\AppData\Roaming\Gongle\aBCVUWPZXC\LOG.old

MD5 1f5bbfa9fdbec8eedb49dfa1cfde15de
SHA1 aee0ac0f31590099127d3f522b7e60f301a4de44
SHA256 4f5f18bcf9645193e20650a3583bec9d142367bd54adb0f787cb54d8b65a6216
SHA512 db3acb46433b59e256537d9c1af07b60576f793795a02e61dfd54573f028ada5199fcb40d72d6427170ad40c8733718a3a65311cd2e86bfdfa16e88d5eadb20e

C:\Users\Admin\AppData\Roaming\Gongle\aBCVUWPZXC\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Gongle\aBCVUWPZXC\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Gongle\aN3SZMG4TX\LOG

MD5 8a5a3f29dce7ca9a23d35ab4071cb931
SHA1 94f8b56e312e8fd16593b825df1582dab9b9b9dd
SHA256 c31505e165d680a7fa679c098711d2846cc8d0f2e3f3644c706a1d1c4a76876a
SHA512 c4bc02ace3581e947f4784790756235637d94570796e7f5c63c2a352fd27877970fd3643ca14de2593283492f1bf093e6fb26322a22632cf4d8bf7ce6d987289

C:\Users\Admin\AppData\Roaming\Gongle\aN3SZMG4TX\LOG.old

MD5 865d9a415c84411d5c3afffb9b25757d
SHA1 34f47e74c4bea08fea562433839b149e71150d79
SHA256 72af45d6c448ce351dbf6760473f82a9b2555aa79d0416ef84a7346c79bc16d6
SHA512 98c56fbeb75d2b27abd78e6352d7fc2c66f740735e35f4a92c20e8f9a4c1815c6894a011455aaa7a61056956201d8f90a2bf2baa97452ec63913af10f0f3be73

memory/1360-173-0x0000000009DC0000-0x0000000009E72000-memory.dmp

memory/1360-174-0x0000000009EC0000-0x0000000009EE2000-memory.dmp

memory/1360-175-0x0000000009F70000-0x0000000009FE6000-memory.dmp

memory/1360-176-0x0000000009F30000-0x0000000009F4E000-memory.dmp

memory/1360-177-0x000000000A040000-0x000000000A090000-memory.dmp

memory/1360-178-0x000000000A090000-0x000000000A0FA000-memory.dmp

memory/1360-179-0x000000000D310000-0x000000000D664000-memory.dmp

memory/1360-180-0x000000000A100000-0x000000000A14C000-memory.dmp

memory/1360-184-0x000000000A1D0000-0x000000000A20C000-memory.dmp

memory/1360-185-0x000000000A190000-0x000000000A1B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\03c8abeefe384f4d8f6933b6886027f2

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\0f5cdfad8b184f7d865cd753f1fe5819

MD5 1c77edf93605993ce370216e7060dc56
SHA1 4ea199448c8936c1400c166c6c40a553a82b796b
SHA256 369b1890a91340720fba36bfe233f203bc686e21d93184bbf3ccd6a5c2af7e11
SHA512 5e277aea674ab97c67cd7eda0f086399060ee8b4fbea52dd7cf13323b10b63376f724032aea237fbc632dc13bdae83d2a1dc90d2834de2ac460a925eccd737f5

memory/1360-200-0x0000000006100000-0x000000000610A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\514d20c4ce8e4d2b98961e8ea3d048bf

MD5 6478037002a1b1fafdaece55ca238be1
SHA1 a69a5975d41e884c5cbbc82ec003ea2ae02d8b98
SHA256 6bc8072a364889ec9df9d094c6528350ef17c9a718d1ab53288a273fa24b1965
SHA512 de779be59c79e3163420132b4de4a887da0b9fb2ae6ce14740d7183c6b04e175e903e0457da6dd94c2666d7f61729e65051c4209bd94b699754d11acc8eb0f47

memory/1360-206-0x0000000004B50000-0x0000000004B60000-memory.dmp