gozi_ifsb | c513c300dd29b821c87623a3718a5d29186fb9bdabb61e42abe5c42cb944bb5f

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
09-12-2020 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YyIUwQv.dll
Size

565KB
MD5

7099df90d162654fa9e3effa97279f51
SHA1

605233409966904822a2e356d662ef837f778396
SHA256

c513c300dd29b821c87623a3718a5d29186fb9bdabb61e42abe5c42cb944bb5f
SHA512

0623038f073dcb8930228f6866a073e9b6bbfaa79fc0f4ee652cb2b2fc2cb65f91028c33d38597504ad62adca00d477804a908034e82796fdf8e32cb378b8b53

Score

10^/10

gozi_ifsb ursnif banker spyware trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

612 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
612	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1496 set thread context of 1236	1496	powershell.exe	Explorer.EXE
PID 1236 set thread context of 612	1236	Explorer.EXE	cmd.exe
PID 612 set thread context of 1596	612	cmd.exe	PING.EXE
PID 1236 set thread context of 1052	1236	Explorer.EXE	cmd.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1644 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1844 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

592 systeminfo.exe

pid	process
1644	net.exe

pid	process
1844	tasklist.exe

pid	process
592	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 85 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6910C731-3A55-11EB-A476-76BCB60B883E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08d0a1862ced601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000289122f063f2c60051adf5b1a9aec858c30bb37af0c83f4b07786cec3113119b000000000e80000000020000200000001af957b67e6c926a80a7304d09493b688d103d068e53176c0f05de29fd99df94900000002bf6b167bdd148eef14f23ed4d6de5e95d356f639a456a17b046844d9c5696d658aa14c4fae81d58216f7d12a49a93ba8e2ffb464408774e8c8571315cfee27b2d039489f6983cd9189068d14754c84b9f90952afd3980a783e924ee2862c7cf362515d355eb50364b6221f40550ce99114204bff4d237da9ff576a7aaff03f7be59a32d5b264ed6a3c32596f0c928e940000000d92a75917de03ba1a69abb088c17a0584e73d705c6bd24738fbfefd10c388255a982db420947611c2f3cc5974c532b9575f3d8eaf0cb5c7e2fc06dc6a7a670d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1596 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1596 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid process

1784 rundll32.exe
1496 powershell.exe
1496 powershell.exe
1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1496 powershell.exe
1236 Explorer.EXE
612 cmd.exe
1236 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1496 powershell.exe
Token: SeDebugPrivilege 1844 tasklist.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1304 iexplore.exe
1016 iexplore.exe
1312 iexplore.exe
1312 iexplore.exe
1312 iexplore.exe

pid	process
1596	PING.EXE

pid	process
1596	PING.EXE

pid	process
1784	rundll32.exe
1496	powershell.exe
1496	powershell.exe
1236	Explorer.EXE

pid	process
1496	powershell.exe
1236	Explorer.EXE
612	cmd.exe
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1844	tasklist.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
1304	iexplore.exe
1304	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1016	iexplore.exe
1016	iexplore.exe
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
1312	iexplore.exe
1312	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1312	iexplore.exe
1312	iexplore.exe
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1312	iexplore.exe
1312	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 129 IoCs

Processes:

rundll32.exeiexplore.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1784	1208	rundll32.exe	rundll32.exe
PID 1304 wrote to memory of 1800	1304	iexplore.exe	IEXPLORE.EXE
PID 1304 wrote to memory of 1800	1304	iexplore.exe	IEXPLORE.EXE
PID 1304 wrote to memory of 1800	1304	iexplore.exe	IEXPLORE.EXE
PID 1304 wrote to memory of 1800	1304	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1504	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1504	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1504	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1504	1016	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1012	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1012	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1012	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1012	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1720	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1720	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1720	1312	iexplore.exe	IEXPLORE.EXE
PID 1312 wrote to memory of 1720	1312	iexplore.exe	IEXPLORE.EXE
PID 1340 wrote to memory of 1496	1340	mshta.exe	powershell.exe
PID 1340 wrote to memory of 1496	1340	mshta.exe	powershell.exe
PID 1340 wrote to memory of 1496	1340	mshta.exe	powershell.exe
PID 1496 wrote to memory of 1652	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 1652	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 1652	1496	powershell.exe	csc.exe
PID 1652 wrote to memory of 776	1652	csc.exe	cvtres.exe
PID 1652 wrote to memory of 776	1652	csc.exe	cvtres.exe
PID 1652 wrote to memory of 776	1652	csc.exe	cvtres.exe
PID 1496 wrote to memory of 1604	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 1604	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 1604	1496	powershell.exe	csc.exe
PID 1604 wrote to memory of 1648	1604	csc.exe	cvtres.exe
PID 1604 wrote to memory of 1648	1604	csc.exe	cvtres.exe
PID 1604 wrote to memory of 1648	1604	csc.exe	cvtres.exe
PID 1496 wrote to memory of 1236	1496	powershell.exe	Explorer.EXE
PID 1496 wrote to memory of 1236	1496	powershell.exe	Explorer.EXE
PID 1496 wrote to memory of 1236	1496	powershell.exe	Explorer.EXE
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 612	1236	Explorer.EXE	cmd.exe
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1596	612	cmd.exe	PING.EXE
PID 1236 wrote to memory of 520	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 520	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 520	1236	Explorer.EXE	cmd.exe
PID 520 wrote to memory of 1516	520	cmd.exe	nslookup.exe
PID 520 wrote to memory of 1516	520	cmd.exe	nslookup.exe
PID 520 wrote to memory of 1516	520	cmd.exe	nslookup.exe
PID 1236 wrote to memory of 852	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 852	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 852	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1796	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 1796	1236	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\YyIUwQv.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\YyIUwQv.dll,#1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\B3914E35-76AB-5DAC-1897-0AE1CCBBDEA5\\\Adtsgsvc'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\B3914E35-76AB-5DAC-1897-0AE1CCBBDEA5").apiMbrkr))
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\12vyij4i\12vyij4i.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47AA.tmp" "c:\Users\Admin\AppData\Local\Temp\12vyij4i\CSCEB4DC31767FC40DCA1846C41F5D0416A.TMP"
        5⤵
        
        PID:776
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3acrfsr\o3acrfsr.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4827.tmp" "c:\Users\Admin\AppData\Local\Temp\o3acrfsr\CSC39D9C03A419A4E939725E888D79E4017.TMP"
        5⤵
        
        PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\YyIUwQv.dll"
  2⤵
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\67B4.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\67B4.bi1"
  2⤵
  PID:852
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1796
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:592
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1208
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:980
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1820
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:2016
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1408
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:592
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1048
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5708.bin1 > C:\Users\Admin\AppData\Local\Temp\5708.bin & del C:\Users\Admin\AppData\Local\Temp\5708.bin1"
  2⤵
  PID:736
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\91A2.bin"
  2⤵
  PID:1248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1304 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:1848323 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat

MD5
172b14d59025e00f5261f9721641d4c4

SHA1
26247f97a4b3c6f2d676ec5ace481ed632eb5432

SHA256
f20ee77852e246363531ec5f2f27e86c42fbe27523bff3b1b89e50d817c93611

SHA512
294b9a46a2069535af5ba50195793fd909bde6d465be92b523f9fd6b84dd8a845e2a5e7a37ed4aa4b1802549a491ffabe83e89cb9e22b76c846e63c613dc1b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IK0XRGX9\favicon[1].ico

MD5
f74755b4757448d71fdcb4650a701816

SHA1
0bcbe73d6a198f6e5ebafa035b734a12809cefa6

SHA256
e78286d0f5dfa2c85615d11845d1b29b0bfec227bc077e74cb1ff98ce8df4c5a

SHA512
e0fb5f740d67366106e80cbf22f1da3cf1d236fe11f469b665236ec8f7c08dea86c21ec8f8e66fc61493d6a8f4785292ce911d38982dbfa7f5f51dadebcc8725

Download Submit
C:\Users\Admin\AppData\Local\Temp\12vyij4i\12vyij4i.dll

MD5
c744e9491f84073960394c3913e90c5d

SHA1
74eda00a60ab95130719e4be396a668638f0a021

SHA256
7061c1894bc948e6444d6fc6a48b196b511a8ab00f1e0fb0905b2d9fc72fd196

SHA512
05ccff2512d4eede1e518237658fa1e75ec40f6d1a02ef123e0c6315405085f1f4b374ed54f67e9a09f1ab30e5db9b48ed0bfe115d94a907687e6a1fc7c1a167

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin

MD5
2d8d23f8d84c218f182224c68e93dd61

SHA1
fdd5f553ce5c7aed1d32e4825cb6f51bdbfd7ce2

SHA256
fcafa31ea5c133ab4fefcc535c2180995966a42b20caee5811e6785a36b87401

SHA512
f7de9ce2e5d9ac8b0d35afe5b8e6e945fdef58c928d708252ed7c77377fe6f6e6cdf2ef3824fce6e82123cc5283fb7b560068648cb88f74e4811338e5a25f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin

MD5
2d8d23f8d84c218f182224c68e93dd61

SHA1
fdd5f553ce5c7aed1d32e4825cb6f51bdbfd7ce2

SHA256
fcafa31ea5c133ab4fefcc535c2180995966a42b20caee5811e6785a36b87401

SHA512
f7de9ce2e5d9ac8b0d35afe5b8e6e945fdef58c928d708252ed7c77377fe6f6e6cdf2ef3824fce6e82123cc5283fb7b560068648cb88f74e4811338e5a25f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
cba41d2264557cb01bae1fd0d826d5d4

SHA1
96536b2d7e1ed900d6b884e437a4cc0b9f6409c2

SHA256
df2b97531feca0751f1956daea5cce78f2130ad0f31b21b40d9b7b6320cd7556

SHA512
d10f7feac3ae78a7607c60cef1b54a25daf4bf8f0feb57ecac5ebcd8f1482788ab9b7082d80520aacacaf42d81d1ae8832a094187b4d789699c321d96239fd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
cba41d2264557cb01bae1fd0d826d5d4

SHA1
96536b2d7e1ed900d6b884e437a4cc0b9f6409c2

SHA256
df2b97531feca0751f1956daea5cce78f2130ad0f31b21b40d9b7b6320cd7556

SHA512
d10f7feac3ae78a7607c60cef1b54a25daf4bf8f0feb57ecac5ebcd8f1482788ab9b7082d80520aacacaf42d81d1ae8832a094187b4d789699c321d96239fd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
e12b7c10a419221bd7a917f951c67882

SHA1
a425eecc78e38b8ce0fc7f17fbd0b4a1c1abe12f

SHA256
9bc2fce27956ff6e11c722a6091700a5d965be4ec621cb59e2140371fe19bbc7

SHA512
f4e8b78cc7fa604f85c2e619d3a88e655440ce9d9f1294ccd1d058f15861a197e125254829a9e9aa7208fba7e49fff1ecf9734952332fa247edb8fa0565b4d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
82cdaee7ef3efcf0ec49098e468264be

SHA1
776605f2a3f7b00931f4d42ff3b5ad08f344c8eb

SHA256
e698519d43d7d81ee0c04c6d67ec193a79c1de7eb6f192bebe0ca4e7eb29ac20

SHA512
b6603df16c60b5ba9940839855a0aa7a2b7e60a4021c671a583af04f899423cf6b71ab87d269b2948a55d5f8cbcf44e2583a898fd51858833f1dff46d60e9189

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
82cdaee7ef3efcf0ec49098e468264be

SHA1
776605f2a3f7b00931f4d42ff3b5ad08f344c8eb

SHA256
e698519d43d7d81ee0c04c6d67ec193a79c1de7eb6f192bebe0ca4e7eb29ac20

SHA512
b6603df16c60b5ba9940839855a0aa7a2b7e60a4021c671a583af04f899423cf6b71ab87d269b2948a55d5f8cbcf44e2583a898fd51858833f1dff46d60e9189

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
0a8258176654a9bb02247380a0409a71

SHA1
7aab94095429cf3d2212c598f65dad8aed05c382

SHA256
3758ca8df79949b6df837d39f928f27a7730d1118d4df665e2ba79647bd351bf

SHA512
ecae318be63f535e9be83074cba24bdb39f915285523d5269d6c8651c1a352ddc796f946444f3bd58142f060ddca3cae95485333cbff1a547c18f0e56976ac35

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
0a8258176654a9bb02247380a0409a71

SHA1
7aab94095429cf3d2212c598f65dad8aed05c382

SHA256
3758ca8df79949b6df837d39f928f27a7730d1118d4df665e2ba79647bd351bf

SHA512
ecae318be63f535e9be83074cba24bdb39f915285523d5269d6c8651c1a352ddc796f946444f3bd58142f060ddca3cae95485333cbff1a547c18f0e56976ac35

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
2a78d960acea293d2b650c6e8251d22c

SHA1
e661a286c6baf60b9a401744f15139c4eb2163e8

SHA256
b83fbc4bd190957c5d51b8ba599f34a128fcaa87ae40d8c4cd35d86042e90227

SHA512
71294f4ae765603b98890b99ed1e68c95d95c552844a279343c5587eb221e4e679e7e826113eb87e4f44d6528b9f91b9611414300af2e67ff9b64ae6b5351bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
2a78d960acea293d2b650c6e8251d22c

SHA1
e661a286c6baf60b9a401744f15139c4eb2163e8

SHA256
b83fbc4bd190957c5d51b8ba599f34a128fcaa87ae40d8c4cd35d86042e90227

SHA512
71294f4ae765603b98890b99ed1e68c95d95c552844a279343c5587eb221e4e679e7e826113eb87e4f44d6528b9f91b9611414300af2e67ff9b64ae6b5351bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
2d8d23f8d84c218f182224c68e93dd61

SHA1
fdd5f553ce5c7aed1d32e4825cb6f51bdbfd7ce2

SHA256
fcafa31ea5c133ab4fefcc535c2180995966a42b20caee5811e6785a36b87401

SHA512
f7de9ce2e5d9ac8b0d35afe5b8e6e945fdef58c928d708252ed7c77377fe6f6e6cdf2ef3824fce6e82123cc5283fb7b560068648cb88f74e4811338e5a25f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\5708.bin1

MD5
2d8d23f8d84c218f182224c68e93dd61

SHA1
fdd5f553ce5c7aed1d32e4825cb6f51bdbfd7ce2

SHA256
fcafa31ea5c133ab4fefcc535c2180995966a42b20caee5811e6785a36b87401

SHA512
f7de9ce2e5d9ac8b0d35afe5b8e6e945fdef58c928d708252ed7c77377fe6f6e6cdf2ef3824fce6e82123cc5283fb7b560068648cb88f74e4811338e5a25f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\67B4.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\67B4.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\91A2.bin

MD5
13cb4ef74eb9d2573ccfe6f015e34f43

SHA1
7476b38d37a0e4a1b1191ac737c969d9036fa217

SHA256
11a729a0450f93873d9b0c2a2291a225943d69362adc8f8deb30b06217546ece

SHA512
f49680738a390ee66bfc4c42ee691ce63781b9ec8fc948f7be26316b30d2dd6b761c52a9a20f2f2d76e0b2d36fe66c83166149b52fb9a628360c13f0a8be4182

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A46.bin

MD5
ca4f2aa222a107a4c24c614380bd003e

SHA1
9551ba5e6b9dadd0ff9d3ce09fb92930c813725d

SHA256
0aca87887e77a823dbb09c811de42c789cb151096f8749e63fdd17093ad3469d

SHA512
f6ccc9675b31fa0308aa0ca16446c152e103f72bb8d7adf38f69052cb26a4b29627762cfc73e1eda34f97a69ea2b43cc7addd515c0a46e59fc95a34489a96cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES47AA.tmp

MD5
3dff08942dfb4f6afc1a2dc6a10e8ff7

SHA1
6094769bf0998d8985305b2c003f5a8cb8b9d902

SHA256
91576e874d41e9327cd33111183b084ee6fcbbb432df7e5a2b823f8c8cc97d39

SHA512
b7baa9abab041da6509889b016abc7ab6ffaad4deee0335a54efd8e989babc9836ebb2d5d7490abc242d0787ff26cfe5b109c19b56126496516c1899246c6dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4827.tmp

MD5
7af13ac2e19790370a9f3503f7eb0652

SHA1
5e0d67a524ded2aaec1cddeff33154df03035606

SHA256
928421b2296e143f1008aefd0f6d9251a77e8bee03a0e57ecf9f66cb85d6a91a

SHA512
cef1268ee4ff67e9d5f8414a9f7815400e05ae38f219b9593ad1b1cf5bf7e10f37777978400794a0f4a8229588160ff786a89a7c17c4d0769477687e42aa0b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3acrfsr\o3acrfsr.dll

MD5
de1800a36925f1611764ebf7d2df8260

SHA1
042c2d63b921463d625e05b77eaf47de3c9b660f

SHA256
ecf7ad24166f1a15761de11d9792fe8a08b033422f4c0a0350ea48bc18036267

SHA512
ddd3b045da208501924d4bfa30065a1bac1fa7bb2537055af5df95d95a72516c4f9ba299e530c354531c10ddaff7b526e88b38fea21407a1e7a8b352b3906fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
f4293d1163d6b1baf65fdc58918de5b6

SHA1
3ee95b896f26504706973ae2edb52416f4d4dcc2

SHA256
803b4b6a1b4b3b88d190f8e4dfe2d36927bedd2fbf6eb100311a21d2e6d58cc4

SHA512
94d830602870dcd4dfb63a259aaabb67c254e0dac9be0bcd2e2597b6cb6dbc042f1141a089c1f3818f6393fd473cc7461bda5f64216ad825fb84f559aa3a4346

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
510722cdeb2b96e152df63420d5d45ea

SHA1
cc3d6caf79ac20163cfc1f3f3acf5f0e96d0bc83

SHA256
c2b84cf1adfde7867d16746663e1ddbbc0220b378f7204540e6c58789aa17925

SHA512
e5cbd7734009f316f86e8ab45fe06a949ef0e5318d5353d1fdaf0d1c3a696ee1f30b4e608fd5bf8439fb46b71f4cb07f7e8641c018bb676e23c2b6d412590c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\USQEG3TA.txt

MD5
71d4f806f78ec8b4f494cfc7f34e00ed

SHA1
44a0e3554907c10a46581f748d9c9cdc8b55485f

SHA256
9a37d15290843e05808ae8d015e34cf5d9df5b66a9d9cdd99c874ad0732d8f64

SHA512
1ff5caf6452dc903e7a8a01de9df09c078d26e81fa0bf79b192f47eb29b46c0f1389481e6665dc3e099e93723073282fe5093409483e935ddbf1ac678453d543

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\12vyij4i\12vyij4i.0.cs

MD5
655283ef891d5b9c591abe78702b0670

SHA1
3f237a5f247a04c17e8ba74a2e6dc3d57bcfc27d

SHA256
e3a387cca453522a3be7b0f258b49f7b56e9baf62bb1ef6fec6233ebde53001a

SHA512
f5c6452841da5a56e6865db14f1a628513e565c1030627f011cfdd91784fb5ab1a1ba0e8f26d879132281775ad3d8681638c49ce6e45929506c966623198e2c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\12vyij4i\12vyij4i.cmdline

MD5
d8851497e786b89c53511913bda821f3

SHA1
415de8d7a4e28e7e6f146c1f32522ac213a2601a

SHA256
82e913686892af001bcfa691b5cc364536f40adcd46f7f3a386a986b5543f563

SHA512
cb2be5d166c4545d3138b52ec75cab5e7ed968827d011e591f08d047f560d72225b80a2150e3f49061ae7d5213d9d0d13ae0a63566816b16a2a6a720c0501410

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\12vyij4i\CSCEB4DC31767FC40DCA1846C41F5D0416A.TMP

MD5
a4698300195cba870849317a799d730c

SHA1
3fd0c7892d8df5ab4aa83fc8b014096681b082c1

SHA256
64e13f7b324bccee1de4d7e23a0e6c6af1b6423084710e638cc70da946f13b1d

SHA512
9e2d61a838148d804e0d2668722dab7adc958894030a355bcb5774f08c2e4cbba5a560935c710219134696b796e117d2721268a6765b39e8fc82b37ba4045bca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3acrfsr\CSC39D9C03A419A4E939725E888D79E4017.TMP

MD5
a2631d796e89dc3cef515161c19d545a

SHA1
fefecf8c9939a1b7fb2627d78276c482d35ccae4

SHA256
ff3a6f96fbe64d69e73a7c364e37764605dddb047d8364584f3e1685588d5245

SHA512
96044023747b9ed99f8fce9947203b9e963dc93505ef04aa1bcb25b37c6ddca96dc2e6ea61ecb3aa052bd2ecc8195e7eeabd8cc6b4586f526508ecc3e651d38d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3acrfsr\o3acrfsr.0.cs

MD5
5b17b009281a3c8c532b0bb82b8b44f0

SHA1
bb6c2dded8ae33ab8d0ab7a01feafc11c0ec0d4c

SHA256
4bafa02a0d8f4179effd80c32d96c3dc700e83002effeaa97794b80e083cfa33

SHA512
a45f45c2f466ca2f203c54c3c11fd8e77add590f3f72a6d6395f3df3612899d54db789fa047c326ca1e34a29760d9d55e86d081419179d3204d6c9776ea487ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3acrfsr\o3acrfsr.cmdline

MD5
c5f579d081aab4c79b0a550e3ff08e77

SHA1
f1fc9ec9e5b6a9421fe8eec3fb4061b2e5c96adc

SHA256
065f46aada7b1b4e2c8fc819c51c3ba49e2eefa7e4ca825ff98e71111cc92929

SHA512
fbb3365821cb6ac1c271a22b609e5f5bb8723f2f32aa943c56d17390296c1ae684002f3df6fe222591540d1d7057de3b06194eb99e9249751d436d333127b4bd

Download Submit
memory/520-46-0x0000000000000000-mapping.dmp

Download
memory/592-52-0x0000000000000000-mapping.dmp

Download
memory/592-72-0x0000000000000000-mapping.dmp

Download
memory/612-44-0x0000000001C70000-0x0000000001D0C000-memory.dmp

Filesize
624KB

Download
memory/612-39-0x0000000000000000-mapping.dmp

Download
memory/612-41-0x000007FFFFFDF000-mapping.dmp

Download
memory/736-82-0x0000000000000000-mapping.dmp

Download
memory/776-24-0x0000000000000000-mapping.dmp

Download
memory/848-75-0x0000000000000000-mapping.dmp

Download
memory/852-48-0x0000000000000000-mapping.dmp

Download
memory/980-62-0x0000000000000000-mapping.dmp

Download
memory/1012-12-0x0000000005B60000-0x0000000005B83000-memory.dmp

Filesize
140KB

Download
memory/1012-7-0x0000000000000000-mapping.dmp

Download
memory/1048-77-0x0000000000000000-mapping.dmp

Download
memory/1052-53-0x0000000000000000-mapping.dmp

Download
memory/1052-55-0x0000000000000000-mapping.dmp

Download
memory/1208-58-0x0000000000000000-mapping.dmp

Download
memory/1236-40-0x0000000004970000-0x0000000004A0C000-memory.dmp

Filesize
624KB

Download
memory/1236-54-0x0000000007CD0000-0x0000000007D61000-memory.dmp

Filesize
580KB

Download
memory/1248-85-0x0000000000000000-mapping.dmp

Download
memory/1408-70-0x0000000000000000-mapping.dmp

Download
memory/1476-3-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmp

Filesize
2.5MB

Download
memory/1496-13-0x0000000000000000-mapping.dmp

Download
memory/1496-17-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1496-15-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1496-18-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1496-19-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1496-20-0x000000001C350000-0x000000001C351000-memory.dmp

Filesize
4KB

Download
memory/1496-36-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1496-16-0x000000001AD30000-0x000000001AD31000-memory.dmp

Filesize
4KB

Download
memory/1496-38-0x000000001C420000-0x000000001C4BC000-memory.dmp

Filesize
624KB

Download
memory/1496-28-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1496-14-0x000007FEF33B0000-0x000007FEF3D9C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-6-0x0000000000000000-mapping.dmp

Download
memory/1508-79-0x0000000000000000-mapping.dmp

Download
memory/1516-47-0x0000000000000000-mapping.dmp

Download
memory/1564-61-0x0000000000000000-mapping.dmp

Download
memory/1596-42-0x0000000000000000-mapping.dmp

Download
memory/1596-45-0x000007FFFFFD7000-mapping.dmp

Download
memory/1604-29-0x0000000000000000-mapping.dmp

Download
memory/1640-64-0x0000000000000000-mapping.dmp

Download
memory/1644-60-0x0000000000000000-mapping.dmp

Download
memory/1648-32-0x0000000000000000-mapping.dmp

Download
memory/1652-21-0x0000000000000000-mapping.dmp

Download
memory/1660-56-0x0000000000000000-mapping.dmp

Download
memory/1720-9-0x0000000000000000-mapping.dmp

Download
memory/1780-80-0x0000000000000000-mapping.dmp

Download
memory/1784-74-0x0000000000000000-mapping.dmp

Download
memory/1784-2-0x0000000000000000-mapping.dmp

Download
memory/1784-43-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/1796-51-0x0000000000000000-mapping.dmp

Download
memory/1800-5-0x0000000005B60000-0x0000000005B83000-memory.dmp

Filesize
140KB

Download
memory/1800-4-0x0000000000000000-mapping.dmp

Download
memory/1820-65-0x0000000000000000-mapping.dmp

Download
memory/1844-69-0x0000000000000000-mapping.dmp

Download
memory/2016-67-0x0000000000000000-mapping.dmp

Download