Malware Analysis Report

2025-01-22 18:57

Sample ID 240310-w7behaac2x
Target updater.exe
SHA256 f94342f97c194dc2d475c4bb5cf4626d6f935b2e0208a61e0f655a5ca0c88f4c
Tags
gozi banker isfb spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f94342f97c194dc2d475c4bb5cf4626d6f935b2e0208a61e0f655a5ca0c88f4c

Threat Level: Known bad

The file updater.exe was found to be: Known bad.

Malicious Activity Summary

gozi banker isfb spyware stealer trojan

Gozi

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 18:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 18:33

Reported

2024-03-10 18:35

Platform

win11-20240221-en

Max time kernel

150s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi

banker trojan gozi

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | discord.com | N/A | N/A | 3
N/A | raw.githubusercontent.com | N/A | N/A | 2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.amazonaws.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target | Count
Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A | 2
Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A | 1
Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A | 1
Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\italypear9209580.vbs" | C:\Windows\SysWOW64\reg.exe | N/A | 1
Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A | 62
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | N/A | 2

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3968 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | C:\Windows\SysWOW64\reg.exe | 3
PID 3968 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | C:\Windows\SysWOW64\reg.exe | 3
PID 3968 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1568 wrote to memory of 2616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ComputerDefaults.exe | 3
PID 2616 wrote to memory of 3940 | N/A | C:\Windows\SysWOW64\ComputerDefaults.exe | C:\Windows\SysWOW64\wscript.exe | 3
PID 3940 wrote to memory of 1608 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3968 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1808 wrote to memory of 4248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3968 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | 2
PID 436 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | C:\Windows\Explorer.EXE | 13

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\updater.exe

"C:\Users\Admin\AppData\Local\Temp\updater.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C computerdefaults.exe

C:\Windows\SysWOW64\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT

C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe

"C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe" explorer.exe
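The process list above is the ms-settings handler hijack used for UAC bypass: reg.exe points HKCU\Software\Classes\ms-settings\shell\open\command at wscript.exe with the dropped italypear9209580.vbs and adds the DelegateExecute value, then computerdefaults.exe, an auto-elevating Windows binary that consults that per-user key, is launched so the script runs elevated without a prompt (the same mechanism as the fodhelper.exe bypass; it requires a user in the Administrators group with UAC at its default notification level). The elevated script deletes the hosts file, and updater.exe then registers an ONLOGON task with /RL HIGHEST that points at a binary under AppData\Local\Microsoft\TokenBroker. The Python below is an added example written for this page, not part of the sandbox output: it rebuilds the process tree from the PIDs given in the WriteProcessMemory table and flags each of those steps. The parent of updater.exe (pid 3968) is not recorded in the report and is assumed here to be Explorer.EXE (pid 3296); the ATT&CK technique IDs and the list of user-writable locations are my choices.

```python
"""Re-triage of this report's process tree: flags the UAC-bypass chain, the
hosts-file deletion, the scheduled task and the cross-process write, using only
the PIDs and command lines the sandbox recorded."""
import re
from collections import defaultdict

# Constructed from the report's Processes list and its WriteProcessMemory
# parent/child pairs. The report does not state the parent of updater.exe
# (pid 3968); Explorer.EXE (pid 3296) is assumed here.
EVENTS = [
    {"pid": 3296, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3968, "ppid": 3296, "image": r"C:\Users\Admin\AppData\Local\Temp\updater.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\updater.exe"'},
    {"pid": 4576, "ppid": 3968, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs" /f'},
    {"pid": 4944, "ppid": 3968, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f'},
    {"pid": 1568, "ppid": 3968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C computerdefaults.exe'},
    {"pid": 2616, "ppid": 1568, "image": r"C:\Windows\SysWOW64\ComputerDefaults.exe",
     "cmdline": "computerdefaults.exe"},
    {"pid": 3940, "ppid": 2616, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"wscript.exe" C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs'},
    {"pid": 1608, "ppid": 3940, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts'},
    {"pid": 1808, "ppid": 3968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT'},
    {"pid": 4248, "ppid": 1808, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT'},
    {"pid": 436, "ppid": 3968, "image": r"C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe" explorer.exe'},
]
# (source pid, target pid) pairs from the WriteProcessMemory table, de-duplicated.
MEMORY_WRITES = [(3968, 4576), (3968, 4944), (3968, 1568), (1568, 2616), (2616, 3940),
                 (3940, 1608), (3968, 1808), (1808, 4248), (3968, 436), (436, 3296)]

AUTO_ELEVATE = {"computerdefaults.exe", "fodhelper.exe"}  # auto-elevating; honour the ms-settings handler
MS_SETTINGS = re.compile(r"\\ms-settings\\shell\\open\\command", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)  # analyst's list
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Parent PIDs of pid, nearest first, as far as the recorded events reach."""
    chain = []
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and len(chain) < 64:
        pid = by_pid[pid]["ppid"]
        chain.append(pid)
    return chain


def triage_processes(events, writes):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []

    # T1548.002: an ms-settings handler is written under HKCU, then an auto-elevating
    # binary launched from the same lineage spawns a child, i.e. the hijacked handler.
    hijackers = [e for e in events if MS_SETTINGS.search(e["cmdline"])]
    for e in events:
        if basename(e["image"]) not in AUTO_ELEVATE or not children[e["pid"]]:
            continue
        lineage = set(ancestors(e["pid"], by_pid))
        writers = sorted(h["pid"] for h in hijackers if h["ppid"] in lineage)
        if writers:
            child = basename(children[e["pid"]][0]["image"])
            findings.append(("T1548.002", f"{basename(e['image'])} pid {e['pid']} spawned "
                             f"{child} after pid(s) {writers} wrote the ms-settings handler"))

    # hosts-file tampering from a shell: removes any sinkhole entries a defender added.
    for e in events:
        if HOSTS_FILE.search(e["cmdline"]) and re.search(r"\b(del|erase|copy|echo)\b", e["cmdline"], re.I):
            findings.append(("hosts-file", f"pid {e['pid']}: {e['cmdline']}"))

    # T1053.005: logon task running a binary from a user-writable path with highest privileges.
    for e in events:
        if basename(e["image"]) != "schtasks.exe" or not re.search(r"/create\b", e["cmdline"], re.I):
            continue
        m = re.search(r'/TR\s+"?([^"]+?)"?\s+/', e["cmdline"], re.I)
        target = m.group(1) if m else ""
        highest = re.search(r"/RL\s+HIGHEST", e["cmdline"], re.I) is not None
        if USER_WRITABLE.search(target) or highest:
            findings.append(("T1053.005", f"pid {e['pid']}: task runs {target} (RL HIGHEST={highest})"))

    # T1055: a process from a user-writable path writes into a system process that is
    # not its own child. Parent-to-child writes are skipped: the sandbox records three of
    # them for every ordinary CreateProcess here, and a hollowed child looks the same at
    # this level, so they need a different signal.
    for src, dst in sorted(set(writes)):
        s, d = by_pid.get(src), by_pid.get(dst)
        if not s or not d or d["ppid"] == src:
            continue
        if USER_WRITABLE.search(s["image"]) and d["image"].lower().startswith("c:\\windows\\"):
            findings.append(("T1055", f"{basename(s['image'])} pid {src} wrote into "
                             f"{basename(d['image'])} pid {dst}"))
    return findings


if __name__ == "__main__":
    for technique, detail in triage_processes(EVENTS, MEMORY_WRITES):
        print(f"[{technique}] {detail}")
```

Run against the report's own events it returns four findings: the ComputerDefaults.exe to wscript.exe hop after both reg.exe writes, the hosts-file deletion, the task under AppData with /RL HIGHEST, and the writes from lshyp4e4.exe into the pre-existing Explorer.EXE. The same rules apply unchanged to Sysmon event ID 1 (process create) and event ID 8/10 data when the fields are mapped to the same keys.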

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp | 1
US | 172.67.146.76:443 | textpubshiers.top | tcp | 2
US | 162.159.128.233:443 | discord.com | tcp | 2
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 5
IE | 52.211.130.173:80 | checkip.amazonaws.com | tcp | 1
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp | 1
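Every row of the Network table comes from the guest, so it mixes the sample's traffic with the operating system's own. The sandbox's signatures account for discord.com and raw.githubusercontent.com (hosting abuse) and checkip.amazonaws.com (external IP lookup); the PTR queries to 8.8.8.8 and the tse1.mm.bing.net connections are Windows background traffic. That leaves textpubshiers.top, which no signature names, as the destination to prioritise; its address 172.67.146.76 lies in Cloudflare's 172.64.0.0/13 range, so the domain rather than the IP is the thing to block. The Python below is an added example for this page, not sandbox output: it parses the table, sorts destinations into tiers, and emits blocklist candidates. The background allowlist, the tier names and the decision to treat the signature-named services as shared infrastructure are my assumptions.

```python
"""Sort this report's Network table into tiers so that blocklist candidates are
separated from guest background traffic and from shared services."""
import re
from collections import defaultdict

# Rows copied from the report's Network table (constructed input for this example).
NETWORK_TABLE = """
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 162.159.128.233:443 discord.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
IE 52.211.130.173:80 checkip.amazonaws.com tcp
US 172.67.146.76:443 textpubshiers.top tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
"""

# Analyst assumptions, not sandbox output: traffic the Windows guest generates on its
# own (the Bing thumbnail CDN used by the shell), and the services that the report's
# "Legitimate hosting services abused" and "Looks up external IP address" signatures name.
GUEST_BACKGROUND = {"tse1.mm.bing.net"}
SHARED_SERVICES = {"discord.com", "raw.githubusercontent.com", "checkip.amazonaws.com"}

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                 r"(?P<domain>\S+) (?P<proto>tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """138.32.126.40.in-addr.arpa -> 40.126.32.138, the address the guest looked up."""
    base = name.lower()
    if base.endswith(".in-addr.arpa"):
        base = base[: -len(".in-addr.arpa")]
    return ".".join(reversed(base.split(".")))


def tier(row):
    dom = row["domain"].lower()
    if dom.endswith(".in-addr.arpa"):
        return "reverse-dns"       # PTR queries: what the guest resolved, not where the sample connected
    if dom in GUEST_BACKGROUND:
        return "guest-background"
    if dom in SHARED_SERVICES:
        return "shared-service"    # do not block the domain; pivot on URL path, webhook id, repo
    return "candidate-c2"          # nothing else in the report explains this destination


def triage_network(text):
    tiers = defaultdict(dict)
    for r in parse_rows(text):
        entry = tiers[tier(r)].setdefault(r["domain"], {"hits": 0, "endpoints": set()})
        entry["hits"] += 1
        entry["endpoints"].add(f'{r["ip"]}:{r["port"]}/{r["proto"]}')
    return tiers


def block_candidates(text):
    """(domains, ips) from the candidate-c2 tier only; ips are for log correlation,
    since a CDN-fronted address is shared with unrelated sites."""
    c2 = triage_network(text).get("candidate-c2", {})
    ips = sorted({ep.split(":")[0] for v in c2.values() for ep in v["endpoints"]})
    return sorted(c2), ips


def looked_up_ips(text):
    """Addresses behind the PTR queries, to compare against the forward table."""
    return sorted(ptr_to_ip(d) for d in triage_network(text).get("reverse-dns", {}))


if __name__ == "__main__":
    for name, domains in triage_network(NETWORK_TABLE).items():
        for dom, info in domains.items():
            print(f"{name:16} {dom:30} hits={info['hits']} {sorted(info['endpoints'])}")
    print("block:", block_candidates(NETWORK_TABLE))
    print("PTR targets:", looked_up_ips(NETWORK_TABLE))
```

None of the four addresses behind the PTR queries appears as a forward destination in the table, which is the usual sign that they belong to guest services the sandbox does not list rather than to the sample; they are worth a glance, not a blocklist entry.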

Files

memory/3968-0-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

memory/3968-1-0x0000000002BD0000-0x0000000002BEA000-memory.dmp

memory/3968-2-0x0000000074FE0000-0x0000000075791000-memory.dmp

memory/3968-3-0x0000000005100000-0x0000000005110000-memory.dmp

memory/3968-4-0x0000000002A00000-0x0000000002A0A000-memory.dmp

memory/3968-5-0x0000000005110000-0x00000000051A2000-memory.dmp

memory/3968-6-0x0000000005760000-0x0000000005D06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs

MD5 a34267102c21aff46aecc85598924544
SHA1 77268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256 eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA512 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

memory/3968-9-0x000000000ADA0000-0x000000000B9A0000-memory.dmp

memory/3968-10-0x0000000011B20000-0x00000000127C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll

MD5 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1 fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512 fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe

MD5 e898826598a138f86f2aa80c0830707a
SHA1 1e912a5671f7786cc077f83146a0484e5a78729c
SHA256 df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA512 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

memory/3296-24-0x0000000000670000-0x0000000000678000-memory.dmp

memory/3296-25-0x0000000000690000-0x0000000000691000-memory.dmp

memory/3296-26-0x0000000000670000-0x0000000000678000-memory.dmp

memory/3296-28-0x0000000000670000-0x0000000000678000-memory.dmp

memory/3968-30-0x0000000074FE0000-0x0000000075791000-memory.dmp

memory/3296-29-0x0000000000670000-0x0000000000678000-memory.dmp

memory/3968-36-0x00000000091B0000-0x00000000091C2000-memory.dmp

memory/3968-37-0x0000000005100000-0x0000000005110000-memory.dmp

memory/3968-38-0x0000000007E80000-0x0000000007EE6000-memory.dmp

memory/3968-39-0x0000000008D80000-0x0000000008D8A000-memory.dmp

memory/3968-41-0x0000000009310000-0x000000000931A000-memory.dmp

memory/3968-40-0x0000000005100000-0x0000000005110000-memory.dmp

memory/3968-42-0x0000000009370000-0x000000000937C000-memory.dmp

memory/3968-43-0x0000000009600000-0x0000000009608000-memory.dmp

C:\Users\Admin\AppData\Roaming\Gongle\aH22Q4XCG7\d8xutbrp.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 d9e1e97ddb87b15911ec55814c490890
SHA1 b849942433f87a6584891bfaba400a563ecc9c39
SHA256 c3b6213b24c423b8e6d80e8a2356fcff80b3c89c47583c0f679ae8405c8cfe61
SHA512 9ee646fbcd7010ea9c156d8b92f3de97505aa31eab96d2382be1c9223687d837e56274bf92414f73c1a07f84002f42fce89fe1d4627d5302ddd7ec347956a534

C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG

MD5 a0b9f93e1ef956197a5eaccf3b047f2b
SHA1 5a9d624d058cbff732f541ba0003705eae0ee4de
SHA256 ff4e5f6192853b8791e22c6038c447bcfbc771a98175ffe1b7f111a08ee86b04
SHA512 21d699ee8b5480b6680450b4bb959cac2dffe65022385beb12eae7eef216580c23d4bac2e9aafc9479ba1e64f6de48b2a48991734af140d7419771add4adb0f2

C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG.old

MD5 daa36c973d0b6c36325c85766b98222f
SHA1 c608612a6f3ba26ea112139a08cceea21defc5b4
SHA256 1c14985e225407d0f6a215330fa6fcbc8cf77359353323c21b2938353c24e5f9
SHA512 ecef9e833d32076f973ff6dde80ac3c17260fb11261745d22769b43e4fcc336d3bb73ff0019c29580b7eb68118b831063a59e135853784588f6bf4be18555d7b

C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG

MD5 193946a7ac1cfeec1f3aca3c88a831ce
SHA1 3450b937af7b470ff49329e773dcbd17bb7a9fe8
SHA256 ebd84e2b558af50da68954c3f69c382b8f3bb367524360a38d2b8f133e390aaa
SHA512 541ba79ea39dff6c8d453ee3d46a34cf7712ed8e49c563e2dc0ab6281ac4a3bf5a948f6896846e1536e0a9f8b17feb31d7b2f43dc89450ae32b1a7eda4c033b9

C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG.old

MD5 7b29089738ed5dae5f166c2b68b37ffd
SHA1 dda409e0d91b60a5df11ee39872091d0f0ed450c
SHA256 99428899961da93d601d5839c0bc03d952cc83298bac963fc4429cf1cee602d6
SHA512 e34225c462ff6c6bdfde200f4b071e3b4b400355b185deabb35bd32f5316eefad3ca53aeb696a82a93718fd8fc15fda0a54d99088cf2ac72502803ae42b5768b

memory/3968-171-0x0000000006840000-0x00000000068F2000-memory.dmp

memory/3968-172-0x0000000006950000-0x0000000006972000-memory.dmp

memory/3968-173-0x000000000DDE0000-0x000000000DE56000-memory.dmp

memory/3968-174-0x0000000007F30000-0x0000000007F4E000-memory.dmp

memory/3968-175-0x000000000DEB0000-0x000000000DF00000-memory.dmp

memory/3968-176-0x000000000DF00000-0x000000000DF6A000-memory.dmp

memory/3968-177-0x000000000DF70000-0x000000000E2C7000-memory.dmp

memory/3968-178-0x000000000E2D0000-0x000000000E31C000-memory.dmp

memory/3968-182-0x000000000E390000-0x000000000E3CC000-memory.dmp

memory/3968-183-0x000000000E350000-0x000000000E371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d7cda0b92b54a30b905eade8a19c091

MD5 e5e8a9a76a935750894088ce3cd50b7f
SHA1 8b28c604d2dd440cf3cc1890d1b2fe7b69295a2a
SHA256 872b33fbe9772a1a2d8b2e116b2cfcbc0b1d3f54e71c85260944ae25b56d9de8
SHA512 bed5373de1f3a1f6fd2705fb548c1eacb773523d165efd15ce252ddbbb9fa05ab461504c65708bab9f3bcdcb418da5de84a59c3b2d16d6b1c3b934a477fc0925

C:\Users\Admin\AppData\Local\Temp\6883574786654106ad21173ff79309df

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/3968-198-0x000000000E420000-0x000000000E42A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61898dd936c6414c8d07f9d23e26cec4

MD5 4e7d153e64569884f71e68f8864053b5
SHA1 1a3111816c024e93dab39a8eaaf9aa1932f123e2
SHA256 46fa5beb32190b0eb38af53b350c01a0892a802293c6a99d660fa33a7b47fdf0
SHA512 9e5f16ad50ee0d3d4e11eda771e9ea8a8b2da28694a377d773e4e529f7a015f3141d0087a02c90f0c803c3c9b5aab8a80d1a70fca6e19f2e83481a96db3a112d

memory/3968-202-0x0000000005100000-0x0000000005110000-memory.dmp
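Two groups of dropped files above carry more meaning than their hashes. The files under AppData\Roaming\Gongle are browser storage, not program data: CURRENT, MANIFEST-000001, LOG and LOG.old are the fixed file set of a LevelDB database, which is what Chromium-based browsers use for Local Storage, Session Storage and extension data, and d8xutbrp.default-release\storage\permanent\chrome\idb\*.sqlite is the IndexedDB layout inside a Firefox profile. Copies of both under a directory that belongs to no browser vendor, in randomly named subfolders, are consistent with the stealer staging browser data before sending it out, which is what the "Reads user/profile data of web browsers" signature saw. Separately, Temp\Costura\<32 hex>\32\sqlite.interop.dll is the extraction path used by Costura.Fody, a .NET build tool that embeds an assembly's dependencies and unpacks the native ones at run time; sqlite.interop.dll is the native half of System.Data.SQLite, the usual way a .NET stealer opens browser credential and cookie databases. A Costura-packed .NET component with Discord and GitHub contact is typical of commodity .NET stealers, while Gozi/ISFB is native code, so the family tag at the top of this report should be confirmed by static analysis of updater.exe and lshyp4e4.exe rather than taken from the sandbox signature alone. The Python below is an added example for this page, not sandbox output: it applies those two path heuristics to the file list. The vendor allowlist and the file-name patterns are my assumptions.

```python
"""Path heuristics for stealer artefacts in this report's Files section: staged
browser storage under a non-browser directory, and Costura-unpacked native DLLs."""
import re
from collections import defaultdict

# File paths written during detonation, copied from this report's Files section.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs",
    r"C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll",
    r"C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aH22Q4XCG7\d8xutbrp.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\CURRENT",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\MANIFEST-000001",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG.old",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG",
    r"C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG.old",
    r"C:\Users\Admin\AppData\Local\Temp\9d7cda0b92b54a30b905eade8a19c091",
    r"C:\Users\Admin\AppData\Local\Temp\6883574786654106ad21173ff79309df",
    r"C:\Users\Admin\AppData\Local\Temp\61898dd936c6414c8d07f9d23e26cec4",
]

# Vendors that legitimately keep LevelDB / profile data under %APPDATA% (analyst assumption).
BROWSER_VENDOR_DIRS = {"mozilla", "google", "microsoft", "bravesoftware", "opera software", "vivaldi"}
# LevelDB's fixed file set plus its numbered table/log files.
LEVELDB_FILES = re.compile(r"^(CURRENT|LOCK|LOG|LOG\.old|MANIFEST-\d{6}|\d{6}\.(ldb|log))$")
# Firefox profile directory: 8 random chars, ".default", ".default-release" or ".default-esr".
FIREFOX_PROFILE = re.compile(r"^[a-z0-9]{8}\.default(-release|-esr)?$")
# Costura.Fody unpacks unmanaged dependencies to %TEMP%\Costura\<md5>\<32|64>\.
COSTURA = re.compile(r"\\Temp\\Costura\\[0-9A-Fa-f]{32}\\(32|64)\\([^\\]+\.dll)$", re.I)


def roaming_root(parts):
    """(first directory under AppData\\Roaming, remaining parts), or None for other paths."""
    low = [p.lower() for p in parts]
    if "appdata" not in low:
        return None
    i = low.index("appdata")
    if i + 2 >= len(parts) or low[i + 1] != "roaming":
        return None
    return parts[i + 2], parts[i + 3:]


def find_staging(paths):
    """Roaming directories that hold browser-profile artefacts but belong to no browser vendor."""
    evidence = defaultdict(set)
    for p in paths:
        r = roaming_root(p.split("\\"))
        if not r or r[0].lower() in BROWSER_VENDOR_DIRS:
            continue
        root, rest = r
        if rest and LEVELDB_FILES.match(rest[-1]):
            evidence[root].add("leveldb:" + "\\".join(rest[:-1]))
        if any(FIREFOX_PROFILE.match(x) for x in rest):
            evidence[root].add("firefox-profile")
    return {root: sorted(e) for root, e in evidence.items()}


def find_costura(paths):
    """Native DLLs unpacked by Costura.Fody; their presence means a .NET host assembly."""
    found = []
    for p in paths:
        m = COSTURA.search(p)
        if m:
            found.append(m.group(2))
    return sorted(found)


if __name__ == "__main__":
    print("staging:", find_staging(DROPPED))
    print("costura:", find_costura(DROPPED))
```

On this report the staging check names one root, Gongle, with one Firefox profile copy and two LevelDB directories, and the Costura check returns sqlite.interop.dll. On a live host the same two functions can be pointed at a file-creation event stream; the vendor allowlist is what keeps real browser profile writes out of the result.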