Analysis Overview
SHA256
93bc7f1b5d2a85a77ba29298e84743e4cb965a41bdcdfd387e870d83028b2f72
Threat Level: Known bad
The file SubZeroEra.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Stops running service(s)
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 14:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 14:35
Reported
2024-03-15 14:37
Platform
win10-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Gozi
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\en-US\efi.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\en-US\efi.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows NT\Accessories\en-US\efi.exe | C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe | C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\imgui.ini | C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\japanbrowse75328.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT\Accessories\en-US\efi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\en-US\efi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe
"C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SubZeroEra.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im UD.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im UD.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im x32dbg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Finddler.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Finddler.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FileGrab.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FileGrab.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BrocessRacker.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im BrocessRacker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Cheat Engine.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im epicgameslauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicWebHelper.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im FortniteClient - Win64 - Shipping.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im EpicGamesLauncher.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im EasyAntiCheat.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im BEService.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im BEServices.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe > nul
C:\Windows\system32\taskkill.exe
taskkill /f /im BattleEye.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop BattlEye Service
C:\Windows\system32\sc.exe
sc stop BattlEye Service
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start efi.exe
C:\Program Files\Windows NT\Accessories\en-US\efi.exe
efi.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start EraHack_saturn.exe
C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe
EraHack_saturn.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\japanbrowse75328.vbs" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_1aGC9t5OwSGNhOLO5eEh040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\1aGC9t5OwSGNhOLO5eEh040MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN SpotifyUpdateService_1aGC9t5OwSGNhOLO5eEh040MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\1aGC9t5OwSGNhOLO5eEh040MX.exe" /RL HIGHEST /IT
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe
"C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe" Taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe
"C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe" explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| N/A | 127.0.0.1:49779 | N/A | tcp |
| N/A | 127.0.0.1:49781 | N/A | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49787 | N/A | tcp |
| N/A | 127.0.0.1:49789 | N/A | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| N/A | 127.0.0.1:49792 | N/A | tcp |
| N/A | 127.0.0.1:49794 | N/A | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49802 | N/A | tcp |
| N/A | 127.0.0.1:49804 | N/A | tcp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49808 | N/A | tcp |
| N/A | 127.0.0.1:49810 | N/A | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49813 | N/A | tcp |
| N/A | 127.0.0.1:49815 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | textpubshiers.top | udp |
| US | 188.114.97.2:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 52.215.63.165:80 | checkip.amazonaws.com | tcp |
| US | 188.114.97.2:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 165.63.215.52.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
C:\Program Files\Windows NT\Accessories\en-US\efi.exe
| MD5 | 95b79ddfc8419f61fd7ccb3d5f6daf3c |
| SHA1 | 10e8a2e5d34fc78ddeb9f52e540afcb2f8f62e20 |
| SHA256 | c2581919e80ea219c8940b03fe567bf4e82df7e5d4b29424ee7da259715ac936 |
| SHA512 | 181e555d84f154d7099765e3c058e0218d701cbdfe4caef843459d3c0720d667663895dbe8966c664b3a2f32f584ca739ae5182ef4fc8005d2563772634d9def |
C:\Program Files\Windows NT\Accessories\en-US\EraHack_saturn.exe
| MD5 | 7b1bf7b62529e9ba68bbd9fa7f301a62 |
| SHA1 | f16a8f4de40020c86ccbe77bc59568ebbca1a900 |
| SHA256 | 709ca836f341d219e727973d5cec0baa4105568ff62bb36d1b53675856291b5d |
| SHA512 | 3c72526e81da177621a90c3dd566343ad11bf0fe6774872261ee63f36755479c8bcc3fae4e2e20393c1ac47719b1e1c8e3551960605c30b222e438c3222314f9 |
\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
| MD5 | 6f2fdecc48e7d72ca1eb7f17a97e59ad |
| SHA1 | fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056 |
| SHA256 | 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809 |
| SHA512 | fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b |
C:\Users\Admin\AppData\Local\Temp\jp0amxhr.exe
| MD5 | e898826598a138f86f2aa80c0830707a |
| SHA1 | 1e912a5671f7786cc077f83146a0484e5a78729c |
| SHA256 | df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a |
| SHA512 | 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb |
C:\Users\Admin\AppData\Roaming\Gongle\aXPUVFFYZ6\cswg9rdm.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
| MD5 | 4f6bbd171295c4d616050637699811c1 |
| SHA1 | 55574b843c5be70e163eaafa27c6d8cbac68954a |
| SHA256 | c4ca63aa6a75a9811236e9bf9ca4c8287016ef4f176262fa4fe1af97c6703249 |
| SHA512 | 9b812d70342d777948df814f53bcc46a73c2de884cf6c9ae23f178e443f9d0023a006cc75b93f16cffe43046b1b697430cebf4e88d171c5e3cf1c023945f486a |
C:\Users\Admin\AppData\Roaming\Gongle\aOBO93I83S\LOG
| MD5 | 3dd9d022bc33e5ac98134e97fb60c4f3 |
| SHA1 | 36fd8005ca448539109ce93aec46304e020ab0c7 |
| SHA256 | 8674831d2c2cf3efad526910e8c4230cd54dd193d4c218459e1d9a69b50d037c |
| SHA512 | 3612b45d8b5822967b3625ee4dbc48953e967887379ba3d13eb6345ce2c046fa4e007609d20010be9df3e1fb2cb0e30eaf58a3b1b8e69f68debbefdfa250b12e |
C:\Users\Admin\AppData\Roaming\Gongle\aOBO93I83S\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Gongle\aOBO93I83S\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Gongle\aOBO93I83S\LOG.old
| MD5 | 7960150527f04d2607ecee87122d0c0e |
| SHA1 | f5863037ec50b9486834529d5e69dfdc13985a27 |
| SHA256 | 519a3de070d556e5b9d7c18fe73c97afc05e602b0837fa24ecc784c5cde84d8e |
| SHA512 | 81a6fd7605ef3beeb224fe828b15be337029869b262df3a91c8f70a16f0d2d27004cf79481d66c3d9fdb6ce2307e09fbfdf4aaab6e4abb571710d044940e9391 |
C:\Users\Admin\AppData\Local\Temp\0251d6002df24832b94c6ae3fb837b51
| MD5 | 1684853b9f2e574750311ddc200b9981 |
| SHA1 | 96c494be3eceb642be2bdeb1e11ad547ce7408a1 |
| SHA256 | 1b4f1a9a9d2ccc76756770c98aa6113efeecc3821e8b1c6f1f8c27ac1b65cdde |
| SHA512 | c2e779117f020604018c515895f536892b7a7bd5366daa507d0aa52a937afd850a85fcaf5ffa9ffb78e57f59b9fe2957e1721b891fc0c61b7b119ab077cf522a |