Malware Analysis Report

2024-11-13 18:06

Sample ID 241110-a4n1javnat
Target 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da
SHA256 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da
Tags bootkit discovery persistence spyware stealer
Score 8/10

Analysis Overview

score
8/10

SHA256

9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da

Threat Level: Likely malicious

The file 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:46

Reported

2024-11-10 00:48

Platform

win7-20241010-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\zqnxyuax.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\zqnxyuax.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vimcq\\nkodcw.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\zqnxyuax.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe N/A
N/A N/A \??\c:\zqnxyuax.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3032 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zqnxyuax.exe
PID 3032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zqnxyuax.exe
PID 3032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zqnxyuax.exe
PID 3032 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zqnxyuax.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 2748 N/A \??\c:\zqnxyuax.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe

"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\zqnxyuax.exe

c:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\vimcq\nkodcw.dll",init c:\zqnxyuax.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp

Files

memory/804-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/804-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/804-3-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\zqnxyuax.exe

MD5 e3e6fb9cccc3915e26bfdcbdb60c97d5
SHA1 2c09b3ebc554e48434cba8d1bd29aad98ae60c5b
SHA256 417f4b0763a2a36145cff32aa3113be9ce6361b283a28f04c1790f78949c0a71
SHA512 1ec3838813ed2cad4f93931bc71f26ac8329aaeefc08a42d9de95303b633b52f5da5e6067dbbc6d42a82e1f114ce27d3b9cd8dc1eecae234bd662dc9ffb0128d

memory/3032-6-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2456-8-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\vimcq\nkodcw.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2748-14-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-15-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-16-0x0000000010021000-0x0000000010022000-memory.dmp

memory/2748-18-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-19-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-20-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2748-21-0x0000000010021000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:46

Reported

2024-11-10 00:48

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\pnrxlofur.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\pnrxlofur.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pwhclic\\nsoaz.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\pnrxlofur.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe N/A
N/A N/A \??\c:\pnrxlofur.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe

"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\pnrxlofur.exe

c:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\pwhclic\nsoaz.dll",init c:\pnrxlofur.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp

Files

memory/2928-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2928-1-0x0000000000930000-0x0000000000931000-memory.dmp

memory/2928-3-0x0000000000400000-0x0000000000425000-memory.dmp

C:\pnrxlofur.exe

MD5 e926b08ff37a69ef93b18974596f07a8
SHA1 4d6eec391ea269fa4f5ba663f899e8ce1237091f
SHA256 85ad9fe165c030001edc50de1fb4e12cc837206f049f0bb1f94da965ca0e0893
SHA512 4f886a7b3d0426e4c72eccf5f28bbd96a9c7a366686cbb57872ec47dd057c313daaa2e01d0aedcf430d9e60c900fb7af1e7f5b42a93a8a9ac60e475adec512e7

memory/400-7-0x0000000000630000-0x0000000000631000-memory.dmp

memory/400-9-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\pwhclic\nsoaz.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/3968-12-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3968-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3968-14-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3968-15-0x00000000010C0000-0x00000000010C1000-memory.dmp