gozi_ifsb | 8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10v20201028
submitted
23-12-2020 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe
Size

40KB
MD5

0286232c6300bea38235739d04845f57
SHA1

b6e6d215790c97f2a401391366750d2ff9ededa9
SHA256

8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d
SHA512

0c8869392f7d85f50e630706c9e3c32fa68d1ba012ede1aa38cd1ebe467f65ffd2c49dbbb6231f973fef24640a36624c99147ac70d5310f29bb1ca72e496a63f

Score

10^/10

gozi_ifsb ursnif banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/3184-29-0x000000153E6D1000-mapping.dmp	servicehost
behavioral2/memory/212-56-0x0000000000B76CD0-mapping.dmp	servicehost

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3096 set thread context of 3024	3096	powershell.exe	Explorer.EXE
PID 3024 set thread context of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 set thread context of 3488	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 set thread context of 2516	3024	Explorer.EXE	iexplore.exe
PID 3184 set thread context of 2192	3184	cmd.exe	PING.EXE
PID 3024 set thread context of 2260	3024	Explorer.EXE	WinMail.exe
PID 3024 set thread context of 212	3024	Explorer.EXE	cmd.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3280 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2068 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1932 systeminfo.exe

pid	process
3280	net.exe

pid	process
2068	tasklist.exe

pid	process
1932	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c575d6d3d8d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F674FB6-44C7-11EB-B59A-CA79033726AB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f004b0d5d3d8d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30857427"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3846491210"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3826489762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30857427"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000005a837996217893131150de53ea7ee5d8666bfce2c0f81fac489fee7d36e242cb000000000e8000000002000020000000c67fe5bd21f82926408bf457a204e8df6a4a302df7db26cffe60d33999f589ae20000000f57ebb050edf96f25df5874298ceaef08f0ada9bbbd2edcd4127a5a68aa465d4400000008f0b1b248ff8f1feead23a5a7eb9844c3c2ab135892d63a4c6a5f8c991cfcd0812cd8768b7f02b0a54eb68da564ab32046f2513d1ceb56b6e4878956f67523fd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3826489762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30857427"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000c1b2a11a55985f5cb25315f2c2f6010b90b2397be473617e772dcbc918b6d14b000000000e8000000002000020000000979f1014bb2fe60db571302ea982f28d9fe6db5b31308dd78f9a53159c0db82c20000000a7e37504087c3e424091bbb90ed854d8a254b9facda9f2d8264856a3d8698217400000002e453453bfa58351a3dc0f4a8d434be7b8cf71f65c03fb0013a6eeacf9031dfca2a59640e088c33aef93707827666cd26498e635eab8d6c7a04be2e8cfecc396	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2192 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2192 PING.EXE

pid	process
2192	PING.EXE

pid	process
2192	PING.EXE

Suspicious behavior: EnumeratesProcesses 2301 IoCs

Processes:

8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exepowershell.exeExplorer.EXE

pid	process
500	8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe
500	8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3096 powershell.exe
3024 Explorer.EXE
3024 Explorer.EXE
3024 Explorer.EXE
3184 cmd.exe
3024 Explorer.EXE
3024 Explorer.EXE

pid	process
3096	powershell.exe
3024	Explorer.EXE
3024	Explorer.EXE
3024	Explorer.EXE
3184	cmd.exe
3024	Explorer.EXE
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

2516 iexplore.exe
2516 iexplore.exe
2516 iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
2516	iexplore.exe
2516	iexplore.exe
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
2516	iexplore.exe
2516	iexplore.exe
188	IEXPLORE.EXE
188	IEXPLORE.EXE
2516	iexplore.exe
2516	iexplore.exe
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 101 IoCs

Processes:

iexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2516 wrote to memory of 2388	2516	iexplore.exe	IEXPLORE.EXE
PID 2516 wrote to memory of 2388	2516	iexplore.exe	IEXPLORE.EXE
PID 2516 wrote to memory of 2388	2516	iexplore.exe	IEXPLORE.EXE
PID 2516 wrote to memory of 188	2516	iexplore.exe	IEXPLORE.EXE
PID 2516 wrote to memory of 188	2516	iexplore.exe	IEXPLORE.EXE
PID 2516 wrote to memory of 188	2516	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 3096	1416	mshta.exe	powershell.exe
PID 1416 wrote to memory of 3096	1416	mshta.exe	powershell.exe
PID 3096 wrote to memory of 2128	3096	powershell.exe	csc.exe
PID 3096 wrote to memory of 2128	3096	powershell.exe	csc.exe
PID 2128 wrote to memory of 1596	2128	csc.exe	cvtres.exe
PID 2128 wrote to memory of 1596	2128	csc.exe	cvtres.exe
PID 3096 wrote to memory of 1620	3096	powershell.exe	csc.exe
PID 3096 wrote to memory of 1620	3096	powershell.exe	csc.exe
PID 1620 wrote to memory of 3728	1620	csc.exe	cvtres.exe
PID 1620 wrote to memory of 3728	1620	csc.exe	cvtres.exe
PID 3096 wrote to memory of 3024	3096	powershell.exe	Explorer.EXE
PID 3096 wrote to memory of 3024	3096	powershell.exe	Explorer.EXE
PID 3096 wrote to memory of 3024	3096	powershell.exe	Explorer.EXE
PID 3096 wrote to memory of 3024	3096	powershell.exe	Explorer.EXE
PID 3024 wrote to memory of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3488	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3488	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3488	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 3488	3024	Explorer.EXE	RuntimeBroker.exe
PID 3024 wrote to memory of 2516	3024	Explorer.EXE	iexplore.exe
PID 3024 wrote to memory of 2516	3024	Explorer.EXE	iexplore.exe
PID 3024 wrote to memory of 3184	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2516	3024	Explorer.EXE	iexplore.exe
PID 3024 wrote to memory of 2516	3024	Explorer.EXE	iexplore.exe
PID 3184 wrote to memory of 2192	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2192	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2192	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2192	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2192	3184	cmd.exe	PING.EXE
PID 3024 wrote to memory of 2200	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2200	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3720	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3720	3024	Explorer.EXE	cmd.exe
PID 2200 wrote to memory of 3696	2200	cmd.exe	nslookup.exe
PID 2200 wrote to memory of 3696	2200	cmd.exe	nslookup.exe
PID 3720 wrote to memory of 3824	3720	cmd.exe	nslookup.exe
PID 3720 wrote to memory of 3824	3720	cmd.exe	nslookup.exe
PID 3024 wrote to memory of 3472	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3472	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2228	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2228	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2080	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2080	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 2260	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 2260	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 2260	3024	Explorer.EXE	WinMail.exe
PID 2080 wrote to memory of 1932	2080	cmd.exe	systeminfo.exe
PID 2080 wrote to memory of 1932	2080	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 2260	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 2260	3024	Explorer.EXE	WinMail.exe
PID 3024 wrote to memory of 212	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 212	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 212	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 212	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 212	3024	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe
  "C:\Users\Admin\AppData\Local\Temp\8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:500
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BFC92168-124C-49FC-1463-668D8847FA11\\\AppXxSip'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BFC92168-124C-49FC-1463-668D8847FA11").ActitLog))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgzeapb4\xgzeapb4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EC8.tmp" "c:\Users\Admin\AppData\Local\Temp\xgzeapb4\CSC4AFEE41CC5432DB8CCE95DCC4CA2C7.TMP"
        5⤵
        
        PID:1596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iub3rovo\iub3rovo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp" "c:\Users\Admin\AppData\Local\Temp\iub3rovo\CSC36221F386CC04591A0D3C6B9ABE6A987.TMP"
        5⤵
        
        PID:3728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\8e7e061cfbeca37aaa1faf43b7e248fbc53024e5abacd532873fdb7919569c2d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2192
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\93BA.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\34FC.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3696
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\93BA.bi1"
  2⤵
  PID:3472
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\34FC.bi1"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1932
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:2260
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:212
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:3444
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:2232
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:3280
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:2264
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:3988
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:3460
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:1292
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:3508
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:3048
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:3812
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:2712
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:3928
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6D01.bin1 > C:\Users\Admin\AppData\Local\Temp\6D01.bin & del C:\Users\Admin\AppData\Local\Temp\6D01.bin1"
  2⤵
  PID:3096
- C:\Windows\system32\makecab.exe
  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\2623.bin"
  2⤵
  PID:3936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
b08549ce81ea781f4fcf6ca2476a4f6c

SHA1
54d0587b86d87e4bbab7536e287da7eb99111285

SHA256
864ccb7b917db5461df986dbd5f3713d34b46bf3c230c92a9b405866b8db7251

SHA512
790ad581ad2867ced4d962af056e0a356700093c113ab6e3b089d8592a7800dec1eaa1ede6cb3619c740c9e67bfda4df99e142130bdc2188c2f335dbf12018b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
760e4d738598e513b97f4583820f9990

SHA1
3f0667ee5b0571d87b14e352e1f9a553c19aea5c

SHA256
073977a7bee8e35f9be7aff15469b59123d81be00ae462829319d709ee23db69

SHA512
dd19582914f17046c4038a881c43639e259b040f0e166c6f8000d354ad125f95702c7ee9a5a88a0267cc4a9da6935ff8a5905d74bb5343a5d13d0fde62762203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YQPTC27I.cookie

MD5
20491cade3d0d9e136c64250bbbed0ae

SHA1
288b2ae48ea853b2297bcc3943879e272a71a7ed

SHA256
e70f0165df14e118a28cbff8a8dc50ada98908d5d95b68f1b06376833b6615b0

SHA512
3065011163b35c9aabe45f3705041156b6a1fd4f97f48b7a9e3ebfbbd75e17c83a89ea977345a570954c5d0a703c426dba0ac1121a65fdee9ba03686cde74fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2623.bin

MD5
a7d6b4293c548586da673b4377514fe0

SHA1
b2f9c0590a51f87100b09ac018816866775ecdd2

SHA256
fa563d4002e173c9f45c3f82cc8fe6b69f26a8bace62b38c67df9bbec887daec

SHA512
84b857531764e0b38eb697bb8f4436bd6dd1d64e67790ad8dba57353386b2e4b9a48ec0e68f4dbc76ea77081f1f0bc54988fc82bd05895a1fe54c18d12914ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EC7.bin

MD5
0d79438cc5a17c2d6bb8e22720701f06

SHA1
f59ab79edf779448b6a22de32bdd6e7d970ff71f

SHA256
b410b7fa321cc253b87b69512fb2f4288d2150c28fc22c345d6ddab4ce13f0c1

SHA512
a2804c86792a15cf920d73557c1269d8083fbfdaa4874432f130f5f44da0e9d39c53d45398ef121810cb16bd1dd46e8c9c742be5067167293004d32afe5203ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\34FC.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\34FC.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin

MD5
e3db7fdd16e0ec3ff16b30de247c7688

SHA1
5e866f1c66ecba074751d8654962623bd626d58f

SHA256
8bb76b270e8d97282b4de882fb0f4b91227670c574452da57f6e4b5b095c9334

SHA512
c44eb95f13d4f960a0f3b0b8ba2a4bf5c5cea3c6bae014426f436ec843848ac857e185b8ffec06ce82a47cd61d13ac776cadb7d385307a8b758ee2c75387794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin

MD5
e3db7fdd16e0ec3ff16b30de247c7688

SHA1
5e866f1c66ecba074751d8654962623bd626d58f

SHA256
8bb76b270e8d97282b4de882fb0f4b91227670c574452da57f6e4b5b095c9334

SHA512
c44eb95f13d4f960a0f3b0b8ba2a4bf5c5cea3c6bae014426f436ec843848ac857e185b8ffec06ce82a47cd61d13ac776cadb7d385307a8b758ee2c75387794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
c64bc3e2a7a38852080bc357eef3f608

SHA1
8714a95ba3e91d8dc0e32e645ecb56d7a5c39a1a

SHA256
8bed6f953b37e9b75dcf7419c75bbaff4850c80efedac296b690f60034e18f8e

SHA512
75888f9601a6ba4919032fadcc5b4c5db13f036481231734d9a82def414f1d228177b7e45f30911fd1e1effcd31d2a7a0e331603d9c75684cf53628057cf6625

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
c64bc3e2a7a38852080bc357eef3f608

SHA1
8714a95ba3e91d8dc0e32e645ecb56d7a5c39a1a

SHA256
8bed6f953b37e9b75dcf7419c75bbaff4850c80efedac296b690f60034e18f8e

SHA512
75888f9601a6ba4919032fadcc5b4c5db13f036481231734d9a82def414f1d228177b7e45f30911fd1e1effcd31d2a7a0e331603d9c75684cf53628057cf6625

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
7aa702375974509c44736527c3768abb

SHA1
bb10d4ad29458e7ae6c474a3636e4fd11f6a8669

SHA256
103022e06436e0b991d395372e39a5954efe1670754fe541319720765aa60c40

SHA512
a5570b754d9cc068200cfe7502f512e7d3156aef7edc74f46f72bcfda058d62e54552ef8d1c801fec9e7f6d0f3709d9224761a98d390fb80455999c4f423ce6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
d32ea6d35a4790287b9698d433e20bba

SHA1
f712f5090d3e4c7f025bbc2bb7b8e49b10af0456

SHA256
8d07b4938b4674caba58542c85738e19f76b21a331dbe366530146b206eecd3e

SHA512
d35f28e4f858600c9ac5760764e1784d43787e60580a76b02fe8187a549da3422be497fb28e1212029f1efcd2950aa6a04167dd4fdda8601e7984abfdac9d391

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
d32ea6d35a4790287b9698d433e20bba

SHA1
f712f5090d3e4c7f025bbc2bb7b8e49b10af0456

SHA256
8d07b4938b4674caba58542c85738e19f76b21a331dbe366530146b206eecd3e

SHA512
d35f28e4f858600c9ac5760764e1784d43787e60580a76b02fe8187a549da3422be497fb28e1212029f1efcd2950aa6a04167dd4fdda8601e7984abfdac9d391

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
beb23ef2ac92137857c989bfb1d11814

SHA1
23b7a77a2e3d734a81aa3780c39351abf95d28bc

SHA256
a7817d0b8060a8fbdf1fd0e59549ed7a5d31ef5b15580cbaf315a31f0ca21001

SHA512
2de1c6003393b638ea361ddda55d4aa74babe08766c97b0f1399cd83cc58fd80f4a02766962f657a7b153877823eddb79da8dbad9091260550f30715df88d181

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
beb23ef2ac92137857c989bfb1d11814

SHA1
23b7a77a2e3d734a81aa3780c39351abf95d28bc

SHA256
a7817d0b8060a8fbdf1fd0e59549ed7a5d31ef5b15580cbaf315a31f0ca21001

SHA512
2de1c6003393b638ea361ddda55d4aa74babe08766c97b0f1399cd83cc58fd80f4a02766962f657a7b153877823eddb79da8dbad9091260550f30715df88d181

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
e3b24439e092ed29a29b94fc93ea3ed0

SHA1
c2852c999131a5f8dd679c7dc8c87f530c00073b

SHA256
a2f0ba60de6cc6030358aebf00eb11c961948a4f5806f278ad38c15a902cefda

SHA512
0b822961069a2e3cf70db952a7895d340e8f8c800321cfa29718316fa498b30f04bcc2af0f4d99be4075bfa821a9f88a1ddf475dc3609935578fd05078cfb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
e3b24439e092ed29a29b94fc93ea3ed0

SHA1
c2852c999131a5f8dd679c7dc8c87f530c00073b

SHA256
a2f0ba60de6cc6030358aebf00eb11c961948a4f5806f278ad38c15a902cefda

SHA512
0b822961069a2e3cf70db952a7895d340e8f8c800321cfa29718316fa498b30f04bcc2af0f4d99be4075bfa821a9f88a1ddf475dc3609935578fd05078cfb505

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
e3db7fdd16e0ec3ff16b30de247c7688

SHA1
5e866f1c66ecba074751d8654962623bd626d58f

SHA256
8bb76b270e8d97282b4de882fb0f4b91227670c574452da57f6e4b5b095c9334

SHA512
c44eb95f13d4f960a0f3b0b8ba2a4bf5c5cea3c6bae014426f436ec843848ac857e185b8ffec06ce82a47cd61d13ac776cadb7d385307a8b758ee2c75387794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D01.bin1

MD5
e3db7fdd16e0ec3ff16b30de247c7688

SHA1
5e866f1c66ecba074751d8654962623bd626d58f

SHA256
8bb76b270e8d97282b4de882fb0f4b91227670c574452da57f6e4b5b095c9334

SHA512
c44eb95f13d4f960a0f3b0b8ba2a4bf5c5cea3c6bae014426f436ec843848ac857e185b8ffec06ce82a47cd61d13ac776cadb7d385307a8b758ee2c75387794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\93BA.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\93BA.bi1

MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EC8.tmp

MD5
02ba192c71ebcb491dae7ef73f1fb984

SHA1
40dfe52175bb04622d5dd1a88faccb8e8c10b35a

SHA256
527d1a8ed5cba3673a1a21c00000df82878ad53904826b99db62d218313e06b8

SHA512
7e6e965b9ac493ecf866d8abb04a67e477300584bc916efb5a811ee7e20b30b3fe7b363e5173bdfb9b8b498fc0d6c4296aa7b1fd0f4ebb8410087ab9236b0a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp

MD5
e279d42e70eed26a04cdc28a7f8d03e1

SHA1
8387424117b51ee15fb510b5bd2cead8275841d0

SHA256
5c3d6b1dcf6c4351d91137de539c315ff5a67b312397d1a54082214db69cf374

SHA512
5471d58cf65a83bfdc40539f29b721deb41f3093714f10e6d3fecd19a83caf12fac9c87a942c576e490f407ba04d160f29ea42fdd110251813cd8a46916ca150

Download Submit
C:\Users\Admin\AppData\Local\Temp\iub3rovo\iub3rovo.dll

MD5
5aadc23a5c3b774082f34c16bc0ba92c

SHA1
5e39504f1f74965c2fd2359e2169577ff6d705e8

SHA256
cf00542b5fe0fa67278b9191227036760e5a5cb97c3fe583a449f66d2637a169

SHA512
2f3d758b248ab583c53e966a85f411b057340489112632f03cfdc8c00fd95c51a53bff699bd87f24a1255b0ad906f2bc5caf4b930277ada8f0cb0bb1b2a42163

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.inf

MD5
bf0c4f9b07f3ddc47c759ef037176c23

SHA1
6be36d720db47ee2d4fafe549c33b65d375e718d

SHA256
e454183a5d119cfcac4a5015ce0e4a2eac0eaad80f128817c450797d9632eed6

SHA512
9d3e2628b61b12dfb3dff8ad2ba65ef29aeb9ca5b86923ea57b6be0c7036261620b78a1d563f82d57bdd42f549c1a36d2eef7abb0f216e9d6a36a57588cc814b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.rpt

MD5
cd8f400f0fa797b49248dfcfa47d6e8b

SHA1
11b2b77738640bf9458f6f0b202a57d05737eea7

SHA256
19e5f690d62d59dd343880d525cc39024aaa914026ee84cb7f7c28ca487c0348

SHA512
460f48a1464555687dbeeca2064bb011b8c7c3cdc9c9395fe6cae1e862f5ac0ed89cc24019ca00eea6b33c97871020b27b467fecc9287345127d1433df84ac1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgzeapb4\xgzeapb4.dll

MD5
c6105c59c342cabb9fe7d12966bd3b3b

SHA1
8dcbca0e3fb1d757d07f7a1d85ecbf7aefca664b

SHA256
eacbe6aa937ce446e55b007913af143c0b5aa56f7ce1a73625b48d191da70d9c

SHA512
b6f446b0d3a5dbffe49a40e3cd6f7d824cb9c6cf0bbc900bfe067519de4f9738fea21858907cf652baa90f7fa4a497e2cadae8cfedd8a70edfb5d575a7a9c0fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iub3rovo\CSC36221F386CC04591A0D3C6B9ABE6A987.TMP

MD5
043c0111af0cb577bce9f698aa55019c

SHA1
7eedfba3c2a472a160a945d70023d50988a4099f

SHA256
30e0761b3135769bb3bb01f706ad327963892005ec46ca712706a36b0370ba9e

SHA512
1bebd5e94c3e4596c7c78715deaf7aee07151de3508c088c0c708ea1dbc14cae2081a58a03c5ab7548046f273357f941a3c427977bf590e0a7d9f86d2ed8b468

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iub3rovo\iub3rovo.0.cs

MD5
9d57f67db4fdaf8c7ada911bf55de8ac

SHA1
61ab45f33a51709b953c697f0a4e4bad605d2f84

SHA256
6b6f8322894c977515a9494ab7ed63bee74c786333467c1da051627283564bbc

SHA512
e894d4cc33c00f4d02d84c390f301f8e72385379604541f84f535579b31dc5f005eaa3191649a959257a958fdc24fdaf8337d502eea72585c92a382ca6e5703d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iub3rovo\iub3rovo.cmdline

MD5
b04ad0b46253addc5b07f28a1b11be08

SHA1
0745f000d8c013e82e26a4bec211eeae02acbdfd

SHA256
3600291476c9c1fd2a33f8cdd9c496492ffe2324090ee0d0d8e8aad00560565e

SHA512
cc445f33973619d935b3665dc5284bb4e36afb5be37facb4a81478b448980db8d4d2455ad3215b81498e09f21cca5754593fced0095bb751ec15ce86a1a874c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgzeapb4\CSC4AFEE41CC5432DB8CCE95DCC4CA2C7.TMP

MD5
f851bf07d35900eac970471a43c214ef

SHA1
2cc1891ebb5bd750272352d21951dd2a99309a84

SHA256
eb87a5bf43dbb4c2a62d95305b698ea8057c10c0ac2583d5de5286f8dfa1bb18

SHA512
31b70bc0cc12972086d791b50decf103e3b006fb737f9b899bba95b33638077db3f8f88a9f963d7998a0ea83a24f85c579b3cf290f1090c3ade4de74dbfc1b6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgzeapb4\xgzeapb4.0.cs

MD5
167fe90bcdf7038b8b85ca436ac197a3

SHA1
041ab427798bc783706b603b9965a6d07978ff61

SHA256
17b5275cedbeee30699776490a6eb9ac23705effd3d8bd593b5255cd565df282

SHA512
582b4bd7c7cf069694e5040697800cace192ce41b54f31e0ef84ae493a57d66dddfb755c5177666586e8ae7b3b82f828d6070080b491681b20588f3c95587a12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xgzeapb4\xgzeapb4.cmdline

MD5
79f2b5b3b09f0379e730971c6a81f48b

SHA1
7e6363f8ec1d3e4f195d4e59827c6816f729e551

SHA256
012dee793beecea55948c3a8d42975cd4d7b16a3dcb0e132b5b45a3120b72242

SHA512
fe3d8a1bee9ba1a603d7a3e1ce42f6ea39aaa16228fde822a2096847eeb70575aa8bee70cdddd031d0d446779ceb07fdc911d491e5c2b887a231af5a64933174

Download Submit
memory/188-4-0x0000000000000000-mapping.dmp

Download
memory/212-53-0x0000000000000000-mapping.dmp

Download
memory/212-54-0x0000000000B76CD0-0x0000000000B76CD4-memory.dmp

Filesize
4B

Download
memory/212-56-0x0000000000B76CD0-mapping.dmp

Download
memory/212-52-0x0000000000000000-mapping.dmp

Download
memory/212-51-0x0000000000000000-mapping.dmp

Download
memory/1292-70-0x0000000000000000-mapping.dmp

Download
memory/1596-12-0x0000000000000000-mapping.dmp

Download
memory/1620-17-0x0000000000000000-mapping.dmp

Download
memory/1872-64-0x0000000000000000-mapping.dmp

Download
memory/1932-48-0x0000000000000000-mapping.dmp

Download
memory/2068-72-0x0000000000000000-mapping.dmp

Download
memory/2080-46-0x0000000000000000-mapping.dmp

Download
memory/2128-9-0x0000000000000000-mapping.dmp

Download
memory/2192-33-0x0000000000000000-mapping.dmp

Download
memory/2192-35-0x000000C24A89F000-mapping.dmp

Download
memory/2192-32-0x0000000000000000-mapping.dmp

Download
memory/2200-36-0x0000000000000000-mapping.dmp

Download
memory/2228-41-0x0000000000000000-mapping.dmp

Download
memory/2232-59-0x0000000000000000-mapping.dmp

Download
memory/2260-47-0x0000000000000000-mapping.dmp

Download
memory/2260-50-0x000000707F590000-mapping.dmp

Download
memory/2264-65-0x0000000000000000-mapping.dmp

Download
memory/2388-2-0x0000000000000000-mapping.dmp

Download
memory/2516-83-0x0000000000000000-mapping.dmp

Download
memory/2712-80-0x0000000000000000-mapping.dmp

Download
memory/2932-78-0x0000000000000000-mapping.dmp

Download
memory/3024-27-0x0000000004F20000-0x0000000004FBA000-memory.dmp

Filesize
616KB

Download
memory/3024-49-0x0000000004F20000-0x0000000004FBA000-memory.dmp

Filesize
616KB

Download
memory/3024-31-0x0000000004F20000-0x0000000004FBA000-memory.dmp

Filesize
616KB

Download
memory/3024-28-0x0000000005990000-0x0000000005A2A000-memory.dmp

Filesize
616KB

Download
memory/3048-75-0x0000000000000000-mapping.dmp

Download
memory/3096-7-0x000001EC77C20000-0x000001EC77C21000-memory.dmp

Filesize
4KB

Download
memory/3096-85-0x0000000000000000-mapping.dmp

Download
memory/3096-24-0x000001EC77C60000-0x000001EC77C61000-memory.dmp

Filesize
4KB

Download
memory/3096-16-0x000001EC77AF0000-0x000001EC77AF1000-memory.dmp

Filesize
4KB

Download
memory/3096-8-0x000001EC7ACB0000-0x000001EC7ACB1000-memory.dmp

Filesize
4KB

Download
memory/3096-6-0x00007FFAB2EE0000-0x00007FFAB38CC000-memory.dmp

Filesize
9.9MB

Download
memory/3096-5-0x0000000000000000-mapping.dmp

Download
memory/3184-26-0x0000000000000000-mapping.dmp

Download
memory/3184-29-0x000000153E6D1000-mapping.dmp

Download
memory/3184-34-0x0000019370F30000-0x0000019370FCA000-memory.dmp

Filesize
616KB

Download
memory/3280-61-0x0000000000000000-mapping.dmp

Download
memory/3444-57-0x0000000000000000-mapping.dmp

Download
memory/3460-68-0x0000000000000000-mapping.dmp

Download
memory/3472-40-0x0000000000000000-mapping.dmp

Download
memory/3508-73-0x0000000000000000-mapping.dmp

Download
memory/3696-38-0x0000000000000000-mapping.dmp

Download
memory/3720-37-0x0000000000000000-mapping.dmp

Download
memory/3728-20-0x0000000000000000-mapping.dmp

Download
memory/3812-77-0x0000000000000000-mapping.dmp

Download
memory/3824-39-0x0000000000000000-mapping.dmp

Download
memory/3928-82-0x0000000000000000-mapping.dmp

Download
memory/3936-88-0x0000000000000000-mapping.dmp

Download
memory/3988-67-0x0000000000000000-mapping.dmp

Download