gozi_ifsb | d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

Analysis

max time kernel
90s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
25-11-2020 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9d954b3f1c512e6804fd8f5637b58b6.dll
Size

234KB
MD5

c9d954b3f1c512e6804fd8f5637b58b6
SHA1

b452040d8072117ddbe1adf9e1eab5e4bdb150bd
SHA256

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
SHA512

a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

772 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
772	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1600 set thread context of 1252	1600	powershell.exe	Explorer.EXE
PID 1252 set thread context of 772	1252	Explorer.EXE	cmd.exe
PID 772 set thread context of 816	772	cmd.exe	PING.EXE
PID 1252 set thread context of 848	1252	Explorer.EXE	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

948 1564 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1904 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1544 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1316 systeminfo.exe

pid	pid_target	process	target process
948	1564	WerFault.exe	regsvr32.exe

pid	process
1904	net.exe

pid	process
1544	tasklist.exe

pid	process
1316	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEmshta.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000deda4fc0c9790364b7f7121c8c362ee6dd2d0c9f2b4b545d4916323d25552664000000000e80000000020000200000009dda4c440c5b537bed09538030b3147dccb207cdf1308e1c01dabfe22fdc9c5f2000000065e14db25701bd81790490253ee0f68ca2eeeaf29568d348bc8c27172736679440000000b89548944b09b3659f401eac7dc6f356961bfd32cedafc64652111ae3ff345729f16387d40a02df69ce594652042c557aa8acdbb1b86cabac040cd0d985d031c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a11dfa64c3d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000046cf174d8fd78a3b8122cedb37d295e21558c30a77940c59084cf8ad4453e53c000000000e80000000020000200000002a1d8ac8feeb83f8d5ddd53bd22f4b9d4ff44b6b0e77652b950500602a806f96900000009dc62e010b331f884448b7faf3d8c4c5e27f23f1ce01f709f57e1a00941f97aad9e5376785aced67909e384cfbf75f07e0fdb51933b0a466995a3cf9854c4be8e4030b3be7ffbc9c0ce39fb460f929f1c4dfce9cc4765f9c82f08d219f911d0b791ea8250d8c8cdeb1762cc39ac5c826b5e7f77d8d875e33aa7cd19041ee8e681aa5f506062b8abfe49b47a43c9d1b56400000003a1cb0a08a7a47220b51e0917402f807c541fa3f7774f4ea72482a5b93b64f648ce5c848212c0b53fde7492648d438696e5e999354c4d24133ba1502cc32096f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E4EF101-2F58-11EB-BA33-6280D915632E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21C59521-2F58-11EB-BA33-6280D915632E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

816 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

816 PING.EXE

pid	process
816	PING.EXE

pid	process
816	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
1564	regsvr32.exe
1600	powershell.exe
1600	powershell.exe
1252	Explorer.EXE
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1600 powershell.exe
1252 Explorer.EXE
772 cmd.exe
1252 Explorer.EXE

pid	process
1600	powershell.exe
1252	Explorer.EXE
772	cmd.exe
1252	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeWerFault.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	948	WerFault.exe
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeDebugPrivilege	1544	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeExplorer.EXE

pid process

1820 iexplore.exe
1532 iexplore.exe
1532 iexplore.exe
1532 iexplore.exe
1252 Explorer.EXE
1252 Explorer.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
1820	iexplore.exe
1820	iexplore.exe
976	IEXPLORE.EXE
976	IEXPLORE.EXE
1532	iexplore.exe
1532	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1532	iexplore.exe
1532	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1532	iexplore.exe
1532	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 135 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exeregsvr32.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1564	2036	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 976	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 976	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 976	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 976	1820	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1344	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1344	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1344	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1344	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1208	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1208	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1208	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 1208	1532	iexplore.exe	IEXPLORE.EXE
PID 2044 wrote to memory of 1600	2044	mshta.exe	powershell.exe
PID 2044 wrote to memory of 1600	2044	mshta.exe	powershell.exe
PID 2044 wrote to memory of 1600	2044	mshta.exe	powershell.exe
PID 1600 wrote to memory of 844	1600	powershell.exe	csc.exe
PID 1600 wrote to memory of 844	1600	powershell.exe	csc.exe
PID 1600 wrote to memory of 844	1600	powershell.exe	csc.exe
PID 844 wrote to memory of 1608	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 1608	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 1608	844	csc.exe	cvtres.exe
PID 1600 wrote to memory of 672	1600	powershell.exe	csc.exe
PID 1600 wrote to memory of 672	1600	powershell.exe	csc.exe
PID 1600 wrote to memory of 672	1600	powershell.exe	csc.exe
PID 672 wrote to memory of 924	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 924	672	csc.exe	cvtres.exe
PID 672 wrote to memory of 924	672	csc.exe	cvtres.exe
PID 1600 wrote to memory of 1252	1600	powershell.exe	Explorer.EXE
PID 1600 wrote to memory of 1252	1600	powershell.exe	Explorer.EXE
PID 1600 wrote to memory of 1252	1600	powershell.exe	Explorer.EXE
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 772	1252	Explorer.EXE	cmd.exe
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 772 wrote to memory of 816	772	cmd.exe	PING.EXE
PID 1564 wrote to memory of 948	1564	regsvr32.exe	WerFault.exe
PID 1564 wrote to memory of 948	1564	regsvr32.exe	WerFault.exe
PID 1564 wrote to memory of 948	1564	regsvr32.exe	WerFault.exe
PID 1564 wrote to memory of 948	1564	regsvr32.exe	WerFault.exe
PID 1252 wrote to memory of 1728	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 1728	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 1728	1252	Explorer.EXE	cmd.exe
PID 1728 wrote to memory of 1032	1728	cmd.exe	nslookup.exe
PID 1728 wrote to memory of 1032	1728	cmd.exe	nslookup.exe
PID 1728 wrote to memory of 1032	1728	cmd.exe	nslookup.exe
PID 1252 wrote to memory of 820	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 820	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 820	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 600	1252	Explorer.EXE	cmd.exe
PID 1252 wrote to memory of 600	1252	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 304
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:948
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\CB4B3BAF-AEAE-3526-102F-C23944D3167D\\\Auxisext'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\CB4B3BAF-AEAE-3526-102F-C23944D3167D").aepiesrv))
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c11woszc\c11woszc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B.tmp" "c:\Users\Admin\AppData\Local\Temp\c11woszc\CSC7ABF99EE0CA476084BA81AE85CF39D.TMP"
        5⤵
        
        PID:1608
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pfrjuzmu\pfrjuzmu.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10F2.tmp" "c:\Users\Admin\AppData\Local\Temp\pfrjuzmu\CSC1E47F659D06E4512A6CBD8D0E63B1FED.TMP"
        5⤵
        
        PID:924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll"
  2⤵
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:816
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D668.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D668.bi1"
  2⤵
  PID:820
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:600
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1316
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:848
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\B40E.bin"
  2⤵
  PID:1544
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\387E.bin"
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:676
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:1332
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:280
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:2020
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:676
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\DB94.bin1 > C:\Users\Admin\AppData\Local\Temp\DB94.bin & del C:\Users\Admin\AppData\Local\Temp\DB94.bin1"
  2⤵
  PID:908
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\568E.bin"
  2⤵
  PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:537611 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
1d5c6a470b92e85b2733b2dcd26c7f07

SHA1
a932c6f5d8cb4fcfe963f62e59b37c8e145168e3

SHA256
5967735b7344bff806acf9c87dbbaeed17c49c04ef64968a6003132fb84bf9d1

SHA512
1e05f29dd7fcbcf072c2abf539dcbe2d01545107817f4392b306fa9b3a0d6eef0848257f55657c25c4fb0da781e2d754ee21e10239de425313cf7f9c23cd7fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
ebf0c11639e64195b763b4fa23575b81

SHA1
716e40d3ab4d7c37e26b52705cb5541aa0eb74d9

SHA256
b258de3561c602a88efff1515754c0c73da74f2dc7fb3080667fdceb0a35632a

SHA512
55f867f0bd31ed7ba9a177c286839a5004e3185a34dae4e8acea06dff9390b9370d638edd3cf7df2350cc791e5e44569cdc66a8d0ecfac73a535ec77e01f24b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
1bd2586891b403761cf7790911dc7122

SHA1
709a3ccc7a3c7e6a04323c1aee0c8510094d1eba

SHA256
0400774650d6492fc2f08a53b8c792f4251f89335b31e76a38ef9b415853cde9

SHA512
9b46a79f1b850b96d7ff2d9018d5fb449a69440e4aa35841daaea5f455ba58c92cae8a4e166815a361f2ecc88190416588c256f811f935fa74e355951ae2e9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

MD5
35224d8a6ecf03fa0e7024f4775a0a3b

SHA1
e69fcf318a9c2be23af78fa8822bb06b709e1b8e

SHA256
bb38e53627d0fa432be1207b352514e83eae670a008553c2f6f130e0b94b7591

SHA512
a3857ccefb0a8c1ced37bffe5d31f33499a32a50a8396fd2e5ef2c62cffc437794d8420bccf2c080dc40b1d2c9307487ec0fc872b692112b08d72164d73cb80a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\favicon[1].ico

MD5
f74755b4757448d71fdcb4650a701816

SHA1
0bcbe73d6a198f6e5ebafa035b734a12809cefa6

SHA256
e78286d0f5dfa2c85615d11845d1b29b0bfec227bc077e74cb1ff98ce8df4c5a

SHA512
e0fb5f740d67366106e80cbf22f1da3cf1d236fe11f469b665236ec8f7c08dea86c21ec8f8e66fc61493d6a8f4785292ce911d38982dbfa7f5f51dadebcc8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\387E.bin

MD5
b5a908671d339ccddbf20ab3ab5f4fdc

SHA1
f46b0a86316aa719ad3b5b7a4d3264cb072782ac

SHA256
44b24ab6356ebcc09ad3bbd7434978c1996d709f972ac6dd7f7f43d404435f7c

SHA512
d7379357c2338e701687ba891bae9e8524f0a19e64815f17714713250412cf1a47c0b2df6fcc3a9b8277c068a01b541c9f7c77ee5a3112cdaff0378cd518ea39

Download Submit
C:\Users\Admin\AppData\Local\Temp\4122.bin

MD5
6b30351beb6378ef469695a02a41e160

SHA1
81bc68be633f231469b4259d3131f481e756329f

SHA256
510c19c5b434c43a17c528f3272a6205b6d364fc3a5b04884521511c6c855158

SHA512
924a06e2649b21fd2b70eb47d7d69168711135bac071983d7ee410f8bee6896121d207426e1ef26d8b0d70c908f2a73e0da94dd68d48bdc05b050b9f8ce69dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\568E.bin

MD5
5a4e8465d0ef25f4d57d6db15fd2a492

SHA1
4baf963d8b5a8fc6c8175cb68fec154ba3959023

SHA256
0f1fec178f6d1eed9facc2fdfac46924154ec94dc38e084e4e0dff0c5d40d43c

SHA512
70d427f4462e3b13178fbaa93eb2045ff8232b00354ed7dad7057f5d6b539dee29ce9f9e242d535bc7622f37922e76e1909c41f42f00f1f1a935587a222041d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F32.bin

MD5
415e0d5f8f242d4109f1d7e5a324277e

SHA1
a1143d72f658d33dd78526b00bf1297ce2efa967

SHA256
cb44a8850108296803e3da246906f3d131a71579101e3092d350a99a2efc346c

SHA512
67879283e8cc4fd68fd03c475f326fab50573a826841dca86c55efcb879cd08344499f0a02b5de4bbd33c4050e37021d9ab68544652cdce6302a1aa06862d23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B40E.bin

MD5
49f6810953583438c9f77a59effdc9e1

SHA1
fe67acf3e97f6fd836c37ebb818a8dbc36fbc34b

SHA256
27993f6631b8d022cf43b8c786cad7455dc200d54925a4854000470d545e5e9a

SHA512
c00c93f4452dcc2f6753b1a72db25bf20696a566ea34171fa01e88fb79a3da9c37cb60624a6d42b982d8786b98bb63620b6057e1adcafc980cbdbf5646bbb1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCB2.bin

MD5
f318d2ff5169d203f71529fc25f11b52

SHA1
8644fd954f7ca86af72900f4d1ffa0e5da1dc6cf

SHA256
6127afe19932974c769b0d779c7b1938a58a20cd9a160de0fee842603a6525b3

SHA512
2a3345a2a693b1cefbc3dbf5c3a6f498783871d9ac4904225f5c987d882a882cf48eb056ba03527c226b5d2316f429987ba92e44f6782ea456e863cc61841e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDE2.bin\AuthRoot.pfx

MD5
63d0065bc8f186cb0fe0dad39d305980

SHA1
a91bc5e44fc2f263068790d3ff07357d2b47256b

SHA256
4e2b5464aa85e66b815ef394d9d510111fe94b0aca75e67ef0771dc6a2821bc3

SHA512
2203e1598a87c1404f9354f22db13cacd6a30903a0a85bfa47f80b83331fc9fcab83867ff351fadbb61e361fa7ccef256d6b441b4836d1bd2b1782b070414230

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDE2.bin\Disallowed.pfx

MD5
3304b86c2ac023a94f5cb41e2cd608b7

SHA1
244dc7b537259858257112b1d79face77078c466

SHA256
7c8a49a9bc419d5fc055f9e9a691053af92ae42bfa8156a013b474c68e56d84b

SHA512
ceaa3e65d6ca7a85f7e4bb4fff2f7b6e7e3fa110ff0260af3e85c48e306ca2064c347754afd1ca2f5c11ad73e61784f1cb2342fef371a1391eeaa81eb131f027

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDE2.bin\Root.pfx

MD5
39de88d62e2b3b7d1f6b59b2e8e1f421

SHA1
74152f2f8b0679ed7c24ea1c870165e3b2d77286

SHA256
c206ee5993463676177ae784073be073280563452126b28a9515e6bc306e4e45

SHA512
4a3a05d01c81b932546398cab7c35f6a678e7a7a60b186265143b119c5ee0688d084a47245f1c1e5b33d0f3aa45edc8999577665160a97eb66210afeea0c8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDE2.bin\setup.inf

MD5
32cb148d31ec996ded480868089d27f6

SHA1
27cb72e79939ca6a5153e761cfbd3a3bce364474

SHA256
ad0124f26e373f2972f2ac2fdc53ad85a3b8d49017555e84e69b2638a0559cd8

SHA512
81503c75ce1825fb1c5032dfdfd612051b56f205c559018a76de52ececa6684a24738ecc4e0ce441b63841f6909aef0e9d54297b85a5e41c43d49ebac60a14c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDE2.bin\setup.rpt

MD5
fbd4722550586a2dcb5cc653687bec6c

SHA1
4b9dd3e3d72f230d2f4f0220aec666ea2ce090eb

SHA256
97df20ffd2203b1c39aea4246b852dc65b002eb521328afad7517184cb6b2119

SHA512
bf7f70ef291d8b9798776cbf61e8727dade768aeda730b3296ea5bb5635d71c56292a8930d700c40d0b52eaac0f60d6a3b0da07bf9fba137be83d4f491087347

Download Submit
C:\Users\Admin\AppData\Local\Temp\D668.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D668.bi1

MD5
c4f77466fa6bb3b7b587745fd51eb73e

SHA1
c9ee49b895e2cec4483b9e3d84e32f0d650edcbb

SHA256
37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8

SHA512
51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin

MD5
71c48d231889c3e2e02066d680c4dab6

SHA1
d27ead28a57d61cdac63992875acc1acf0eb3a3a

SHA256
c87f3869b30b2b66813ac179ad03605580c66b5ce96b5de7a53b1fb8a813cb6e

SHA512
7db911fcbd2ae441513e5d22850a2196b8f3c158a8f6a76e2bea383ce1979edc417fdc0a66e96393c6dfa8fa45e9f381032dcc18f927917f86aacd1728228cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin

MD5
71c48d231889c3e2e02066d680c4dab6

SHA1
d27ead28a57d61cdac63992875acc1acf0eb3a3a

SHA256
c87f3869b30b2b66813ac179ad03605580c66b5ce96b5de7a53b1fb8a813cb6e

SHA512
7db911fcbd2ae441513e5d22850a2196b8f3c158a8f6a76e2bea383ce1979edc417fdc0a66e96393c6dfa8fa45e9f381032dcc18f927917f86aacd1728228cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
95137bdf7bc35011400acafd66473990

SHA1
0dcc9f23015d0b5c8a8f7e5dd0964f53d4aebf6f

SHA256
f3ffa5fed93ff858622a4cdb01226e54644fceeb3dfe297780494f8ff561147e

SHA512
26ffc062534e130955a575c01fa8df6efefa9684638476e8df27ef5f39fb6b65e093d66dfce00d5efca3a92439511d7c0253fe2beade3d5917b248c55c56eeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
95137bdf7bc35011400acafd66473990

SHA1
0dcc9f23015d0b5c8a8f7e5dd0964f53d4aebf6f

SHA256
f3ffa5fed93ff858622a4cdb01226e54644fceeb3dfe297780494f8ff561147e

SHA512
26ffc062534e130955a575c01fa8df6efefa9684638476e8df27ef5f39fb6b65e093d66dfce00d5efca3a92439511d7c0253fe2beade3d5917b248c55c56eeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
71c48d231889c3e2e02066d680c4dab6

SHA1
d27ead28a57d61cdac63992875acc1acf0eb3a3a

SHA256
c87f3869b30b2b66813ac179ad03605580c66b5ce96b5de7a53b1fb8a813cb6e

SHA512
7db911fcbd2ae441513e5d22850a2196b8f3c158a8f6a76e2bea383ce1979edc417fdc0a66e96393c6dfa8fa45e9f381032dcc18f927917f86aacd1728228cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
71c48d231889c3e2e02066d680c4dab6

SHA1
d27ead28a57d61cdac63992875acc1acf0eb3a3a

SHA256
c87f3869b30b2b66813ac179ad03605580c66b5ce96b5de7a53b1fb8a813cb6e

SHA512
7db911fcbd2ae441513e5d22850a2196b8f3c158a8f6a76e2bea383ce1979edc417fdc0a66e96393c6dfa8fa45e9f381032dcc18f927917f86aacd1728228cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
12520b902da0b5bd760281928a97e213

SHA1
9748a7ee9939c5ed355c3bcd2f3089052d4fa90f

SHA256
c9f9ded6e30af2ee19cd07770c17a825e7948d66e5abbbf9959df6b4627bc6ad

SHA512
384f0ff9481e79a7b0c78d1d804ac21a903e398bac5ddf12be22786b32fea62812abc80bdafa9cd58d203b50b17ad26de96264e05e2ceee94afc3763f9aac7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
12520b902da0b5bd760281928a97e213

SHA1
9748a7ee9939c5ed355c3bcd2f3089052d4fa90f

SHA256
c9f9ded6e30af2ee19cd07770c17a825e7948d66e5abbbf9959df6b4627bc6ad

SHA512
384f0ff9481e79a7b0c78d1d804ac21a903e398bac5ddf12be22786b32fea62812abc80bdafa9cd58d203b50b17ad26de96264e05e2ceee94afc3763f9aac7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
b21cc952454c3fc77a398cf896231577

SHA1
cd104d08d18da767daf745034f19469267802173

SHA256
c203f66afc054371283f4bf0058050cd45c4133b6d7b3977d4227292e45257fb

SHA512
2a5cb3b64042437ee54df7d96d45b21d576c082e3b2454da6660120a3521aabf38b52fb790cfdd9102bc4524b492400f9cf5e5af71acb3ba797bd8582adf3cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
b21cc952454c3fc77a398cf896231577

SHA1
cd104d08d18da767daf745034f19469267802173

SHA256
c203f66afc054371283f4bf0058050cd45c4133b6d7b3977d4227292e45257fb

SHA512
2a5cb3b64042437ee54df7d96d45b21d576c082e3b2454da6660120a3521aabf38b52fb790cfdd9102bc4524b492400f9cf5e5af71acb3ba797bd8582adf3cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
9c59a1bcb0a40c9c7272dbe3a2e747d8

SHA1
685f5d0649efb1821ea74262c778cb7f976528b2

SHA256
9ac5727e85fbc7e370273c93b796c80e32edcc9eeba0cdaf139d39fda48f52b4

SHA512
f884f1fa57344a60f37c7040492c702b7e1e82615fadd96f3e98c29ac862b1a3880fec399eb37d02f4ff2662f4301fcc689813d9f67b7c9e11f50c354d9835b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
9c59a1bcb0a40c9c7272dbe3a2e747d8

SHA1
685f5d0649efb1821ea74262c778cb7f976528b2

SHA256
9ac5727e85fbc7e370273c93b796c80e32edcc9eeba0cdaf139d39fda48f52b4

SHA512
f884f1fa57344a60f37c7040492c702b7e1e82615fadd96f3e98c29ac862b1a3880fec399eb37d02f4ff2662f4301fcc689813d9f67b7c9e11f50c354d9835b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
6f67c75451f4d6e86b1d7469058e1dbf

SHA1
d97b532db179629a967eb459fbead280b53f298d

SHA256
43d07674baeedc654d8370e765092e74efde69cd71e0ca2dd1b93f884c7c09e3

SHA512
867f0c47057b32a28ea823fc2b80a2f6cf0e6b12143248e821a93a664166cda3393dbd5ff33e4b8b1e230581dc2d0a14ce636f655c518b2f47ad45314c36e638

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB94.bin1

MD5
6f67c75451f4d6e86b1d7469058e1dbf

SHA1
d97b532db179629a967eb459fbead280b53f298d

SHA256
43d07674baeedc654d8370e765092e74efde69cd71e0ca2dd1b93f884c7c09e3

SHA512
867f0c47057b32a28ea823fc2b80a2f6cf0e6b12143248e821a93a664166cda3393dbd5ff33e4b8b1e230581dc2d0a14ce636f655c518b2f47ad45314c36e638

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10F2.tmp

MD5
e52e0a9a8e9c5821672431d7191de54f

SHA1
dd788cb77c64bda45b2e0485ee1ef69980f8dc6b

SHA256
e5880687370a7179243e571352a640ceeb8a66b9a99f5cc2ff09adeb37ce5872

SHA512
1622f6d1d1a81fe0127e4f9db69f636d4cfd66ad604ebefe8370803a6997766b5b7eae7a5a2cb665faa5206dec60d04f6e0e63d188f7c7300a8ca847cc5e7692

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7B.tmp

MD5
9fba4eec93f85b70abc14f1dd2359196

SHA1
19558b58fdd632faccf2bbb30e25ae3bc88c0e43

SHA256
a069dd6b6a81657755675ac26d802b5835df778979bfd956e37be583da2f101d

SHA512
d56e134bdacbebd5a6cb5c8768dc5bb4da870b712f64da7b26ccc60104c05d8a9d5ba355bb98ac885540dc7d432511b554bb2d4120f810a1f50291dc755d048a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11woszc\c11woszc.dll

MD5
421c7ce0d687b6f8c2598c72e3551eb2

SHA1
fac6de417a6cd087cb767fb5536deb140404fa97

SHA256
2204c5b328b5b55f1a1af2f1f36cea7b1bc5568a6ca8f670fad12333e674a541

SHA512
25e399aa0f52ecf97d471140dc70b4303416293f218fd2568683e5d37463c4a8af40b5badb36cce74e047b08a65c7fbb22c0a492c0cca43afcf97c69dbcbd462

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfrjuzmu\pfrjuzmu.dll

MD5
c3fcf65ff65ee1eb4a5ddefe9075c40f

SHA1
12461b45239d01d96218501576bbde37b46bed4f

SHA256
22527a239a7f3c450f389f921d67ac64c8d918a7708dd133ef4cfa01a394e376

SHA512
e3d4a07e0769ed30806b8c0d540736493447cda58fadd561f0dfafb3cbf3dd534f3178879ef390cd913cae687e4a91128a04a6b6ca49d6178165c6b11b5d5f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
fedd054bc1d366b855b774a0b74abb15

SHA1
6569a06b42d215bf6218047826ed8fd4bd5c9b70

SHA256
d104fadcdeef7bb6dc3691384b8afdf2a1290743774da86bca7ec29c6dc2119a

SHA512
f177bd8dd7c4a648b739a94477ad5f2339ae57156c15f4ed5cddc6cc1d3dd9747c643a5623ffc18e7f1c08ddf3b7b67b131126586077ad6036bef58772b09338

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
1b9eee135dc090d82db8f0bb0751c8ff

SHA1
29b40fbb8efd902039242fd0b498e8aa9207b8b5

SHA256
b0bea9b5b94f042f328823b708165f5097a48bb8b04601b163eb01e1686c23a3

SHA512
7a400c4a695c3c7f673fde52aac27c4abe6532fa6432ee4c13f0d570949964a9eff815be7eda1de7763eb2eac072ae93389c24e5c89f9207267607dbb87c2b5a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\{C2C77~1\cookie.ff\jl56y3z6.default-release\cookies.sqlite.ff

MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\{C2C77~1\sols\macromedia.com\support\flashplayer\sys\settings.sol

MD5
d5e535e4b017c0c5dda171adc1d399b3

SHA1
180937b58f9a60f38012f72d574925b4a5d97da4

SHA256
4b4f70069e2072c81219a465ffeaface0e912569c5efbdfd2e05155def3fe971

SHA512
99cf1b5a44eb9fc9357f70560f10ef11ed977733635b105f9222c728094f23b10b643fee73f7a2cea90b5709ff0b0bd24e91e3ea8986deaac439a36b8e7687a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0X90KETM.txt

MD5
96db650bd095d2b70f03c08b272cf83b

SHA1
de4124b739b4caee108e33a6d6dde0ee6015b04f

SHA256
875a8d9decfb8bd2a40121142ea385f9732795b4a290e662632bbb4c6a095a29

SHA512
24765670976a9dcd17ad4f3a4d65a27153f400dbdc3362b06e49f2a42576459986e6b33e03d0d494826202c7005a318d6ff302cd7ade147737035b55f0857bac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{C2C77CC6-3964-44C0-D316-7DB8B7AA016C}\setup.inf

MD5
14faeeae92fc90bf84e00eefcb7b1045

SHA1
b7043e9efd2289c05dd64bf19888a615c196c5cb

SHA256
3bcc1f9cba04a8e3641add17ba8f3e7b11943983cc3612074da7854718d465cb

SHA512
da5b80bb233f7df96e88a2d2d5bf5b6733eef13862b7aac46a90f269bd483aca65b4dae6df3699b12a3f6579ba388e8023e64e8533b4c4d75c21e0edad680b44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{C2C77CC6-3964-44C0-D316-7DB8B7AA016C}\setup.rpt

MD5
5127bb85611c73f39862076a44ce9add

SHA1
c217b032353f5b99e7fdd87c6e15ecf09fc804bc

SHA256
e36967352907ef4323a4930ba1b720fa710c47f569422c127c0e00272b30ea17

SHA512
9a47581e8f51084403bdf31f08c40ea99726d1cbc50a7acdd2b6a806b9f21176a64757d4c76f01347ac4b01de2255aa8b86d35d1c0081954653c6f6e1baa34b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c11woszc\CSC7ABF99EE0CA476084BA81AE85CF39D.TMP

MD5
32bcdd28c6b5d21a9a8bbc30f119ce85

SHA1
0c51d0f259a298a8df28f2cba70c88c5cef490f9

SHA256
d30b10724224d7a6d5839bebf043d9c6a2b45cc76d85218f79d1364871c25b15

SHA512
f77fe49c43035559df64d2ea1dc577d52c92a5ceb6a28f5f91ec56fe9c999f0918411fc71ac0b198fe0b1206bc66c17c0585f9ff7982e2c41fa381c375b7feb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c11woszc\c11woszc.0.cs

MD5
9374cded96ee09456f8770891f7c7bb0

SHA1
94a8fa474651bf57184b3d4303be784bbee0d3a1

SHA256
2d22a87f2b278e4088d64a7b51bc202fb4fcc09335dfd0e9b1e3fa02c9708916

SHA512
4533522340293e905a62452a17476440acad2b5a34c38d690f5a24b6f14e4f4a8f7dc82ee2d61955554425615588104c1f84d76c6443a8a4252ecf961abeca6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c11woszc\c11woszc.cmdline

MD5
c182d54c57ff4e5dcafd9e4d7e6bd9b8

SHA1
239c87e4661ca01db87c087dd6c7244adb3b1c38

SHA256
6742870106a3bc18d8f0ceff06ecfefd098ad30640ba15ee5ea54f75090b075a

SHA512
59ebda2cfeab73d34075a6db7409dc90e501e0fc10a4d49f95e4a77f5c0726408c38166bf16c5f8614531c864d88ba813a3484c64a56009dcf661cde52808995

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfrjuzmu\CSC1E47F659D06E4512A6CBD8D0E63B1FED.TMP

MD5
82df87b0be15605951869aa41fec7e88

SHA1
f4b64acbffdb8ae1ea8fa87dc0bff3e474c09fdc

SHA256
0fe0d47fd87380c725c6f586bd5e47fc7eaf5a94b54aa84a308030469dedb697

SHA512
6e4956db5d5d376071e12499a31c264ff274c1ed45942a08c70311f332c289afc88894a1e5859db3eb33a891ee413de982da7e1106489579310d4caa1a73d29b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfrjuzmu\pfrjuzmu.0.cs

MD5
eb2d8df6dbf541c77f5579af967a24d2

SHA1
0a54f84d62b331bb66e798e6ab03c226432a4620

SHA256
4262a2b41845425832bd41961054ddb986dbc26824d7e948b983c6792e4a70c5

SHA512
b3f448932f267f7b81ca0e934ecc9509e6601a998bef2545da8c630b689912c699c990f111b66b1761c79f8daeb4686b92e9c516f410000d357cab38bf8363e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfrjuzmu\pfrjuzmu.cmdline

MD5
2015dbfed72a1ff1e5c406593aa388fa

SHA1
5c213d948d5db002661cdde263ba2745e27f9745

SHA256
117caab1c05fa573a9b8b2e3b4e714677d8f5d183cdb8c894dfa20409cd355cd

SHA512
a54d2f743beff5ce6b2fe4b18840299f10963e1584df512b727e850605392427f30a7bddaacb930e3eaa399dcbbf329bc26a0a3f368c864bfe4b9a7d5f5ecf60

Download Submit
memory/280-89-0x0000000000000000-mapping.dmp

Download
memory/280-100-0x0000000000000000-mapping.dmp

Download
memory/532-63-0x0000000000000000-mapping.dmp

Download
memory/532-105-0x0000000000000000-mapping.dmp

Download
memory/600-55-0x0000000000000000-mapping.dmp

Download
memory/672-26-0x0000000000000000-mapping.dmp

Download
memory/676-79-0x0000000000000000-mapping.dmp

Download
memory/676-97-0x0000000000000000-mapping.dmp

Download
memory/772-39-0x0000000002500000-0x000000000259B000-memory.dmp

Filesize
620KB

Download
memory/772-35-0x0000000000000000-mapping.dmp

Download
memory/772-37-0x000007FFFFFDE000-mapping.dmp

Download
memory/816-40-0x000007FFFFFD5000-mapping.dmp

Download
memory/816-38-0x0000000000000000-mapping.dmp

Download
memory/820-51-0x0000000000000000-mapping.dmp

Download
memory/844-18-0x0000000000000000-mapping.dmp

Download
memory/848-57-0x0000000000000000-mapping.dmp

Download
memory/848-90-0x0000000000000000-mapping.dmp

Download
memory/848-77-0x0000000000000000-mapping.dmp

Download
memory/848-61-0x0000000000000000-mapping.dmp

Download
memory/848-59-0x0000000000000000-mapping.dmp

Download
memory/908-107-0x0000000000000000-mapping.dmp

Download
memory/924-29-0x0000000000000000-mapping.dmp

Download
memory/948-53-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download
memory/948-43-0x0000000001E20000-0x0000000001E31000-memory.dmp

Filesize
68KB

Download
memory/948-41-0x0000000000000000-mapping.dmp

Download
memory/960-104-0x0000000000000000-mapping.dmp

Download
memory/976-2-0x0000000000000000-mapping.dmp

Download
memory/976-3-0x0000000008790000-0x00000000087B3000-memory.dmp

Filesize
140KB

Download
memory/976-4-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/1032-44-0x0000000000000000-mapping.dmp

Download
memory/1200-95-0x0000000000000000-mapping.dmp

Download
memory/1208-7-0x0000000000000000-mapping.dmp

Download
memory/1252-36-0x0000000004240000-0x00000000042DB000-memory.dmp

Filesize
620KB

Download
memory/1252-60-0x0000000006CE0000-0x0000000006D71000-memory.dmp

Filesize
580KB

Download
memory/1316-56-0x0000000000000000-mapping.dmp

Download
memory/1316-99-0x0000000000000000-mapping.dmp

Download
memory/1332-87-0x0000000000000000-mapping.dmp

Download
memory/1344-5-0x0000000000000000-mapping.dmp

Download
memory/1544-62-0x0000000000000000-mapping.dmp

Download
memory/1544-94-0x0000000000000000-mapping.dmp

Download
memory/1564-45-0x0000000000000000-mapping.dmp

Download
memory/1564-48-0x0000000000000000-mapping.dmp

Download
memory/1564-49-0x0000000000000000-mapping.dmp

Download
memory/1564-50-0x0000000000000000-mapping.dmp

Download
memory/1564-47-0x0000000000000000-mapping.dmp

Download
memory/1564-0-0x0000000000000000-mapping.dmp

Download
memory/1564-46-0x0000000000000000-mapping.dmp

Download
memory/1600-33-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1600-16-0x000000001AA10000-0x000000001AA11000-memory.dmp

Filesize
4KB

Download
memory/1600-17-0x000000001B4A0000-0x000000001B4A1000-memory.dmp

Filesize
4KB

Download
memory/1600-15-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1600-14-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1600-34-0x000000001C3E0000-0x000000001C47B000-memory.dmp

Filesize
620KB

Download
memory/1600-13-0x000000001AB30000-0x000000001AB31000-memory.dmp

Filesize
4KB

Download
memory/1600-12-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1600-25-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1600-11-0x000007FEF3A50000-0x000007FEF443C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-10-0x0000000000000000-mapping.dmp

Download
memory/1608-21-0x0000000000000000-mapping.dmp

Download
memory/1648-110-0x0000000000000000-mapping.dmp

Download
memory/1704-85-0x0000000000000000-mapping.dmp

Download
memory/1728-42-0x0000000000000000-mapping.dmp

Download
memory/1904-84-0x0000000000000000-mapping.dmp

Download
memory/1976-102-0x0000000000000000-mapping.dmp

Download
memory/2000-1-0x000007FEF6AB0000-0x000007FEF6D2A000-memory.dmp

Filesize
2.5MB

Download
memory/2020-92-0x0000000000000000-mapping.dmp

Download