gozi_ifsb | 92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
13-03-2021 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

borderLink.jpg.dll
Size

563KB
MD5

8b851b9d3d35d64a9692234069c2572d
SHA1

2e47c72028a54ccd3c51c56f69674b6b22a6c76e
SHA256

92382e0ee6dc1abe0665e6703c26dd98aa8f334a2b0c7b25127948b82188e40b
SHA512

663ed5d14ce767ba41f8a4ed89438c4b1bc11d6adfde9d9868f19798d10200489c4b98d616e88155e3d81e26a82b916a47c0ddf45fe2552904a1ba5535fdeb8f

Score

10^/10

gozi_ifsb 5500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

5500

windows.update.com

shop.microsoft.com

fraloopilo.xyz

paladingrazz.xyz

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

185.82.218.53

107.181.187.187

195.123.208.101

185.14.29.31

kraufaundingf.xyz

prilukisoft.xyz

drakluskolikooo.xyz

Attributes

build
250177
dga_season
10
exe_type
loader
server_id
12

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1424 set thread context of 3040	1424	powershell.exe	Explorer.EXE
PID 3040 set thread context of 3488	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 set thread context of 3096	3040	Explorer.EXE	cmd.exe
PID 3096 set thread context of 2960	3096	cmd.exe	PING.EXE
PID 3040 set thread context of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 set thread context of 1500	3040	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3812 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3764 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1748 systeminfo.exe

pid	process
3812	net.exe

pid	process
3764	tasklist.exe

pid	process
1748	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06f00910f18d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a2e4982c0a49944b69dad2a06c0a5d3000000000200000000001066000000010000200000005d9c673dd3cf79629ccb6c7c6b39056a8d46d3e6b21749c1ceeaf3ac8b2b8f76000000000e8000000002000020000000f8d20bd364dc3328b58bf5f539b18997287827339ac516dd20ebd9ac34166b1a20000000a57d18e502b7a0b3f7cea86f9f86dc7005c19badd35de9b3592b83523a8b4403400000004bdc60b1ca7c570e579625b26137e349ed2216b6db96a4a6b6d1ebd25d51b5c9f0474c8eb847b642767702be5e229f6a81a6cd3382f776e454e288225c1de3fa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a2e4982c0a49944b69dad2a06c0a5d3000000000200000000001066000000010000200000008cae1ef20a78f564214fc45e72020ce70af5801aa152eeb45f19a1f27b5c2943000000000e80000000020000200000000050126aed59f0dc1afbcc962b703920f1dc9e21c83792fede065af07f7f4aba200000008af8e1bef6868e059392265e4426a7a3c1411da7ddac2a8f1f33caa30faa22c5400000004a8681d97443ea7724a37400f45a2bd89a11c8cac371c9bc6e08b18226223208f4e7be6026b50705fdbdd6e506c7504e69a7f882a53b38c6c5c2c1a13282d2a1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c058890f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0dc95920f18d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30873615"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD49E53B-8402-11EB-B59A-42BBCFED91E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a2e4982c0a49944b69dad2a06c0a5d3000000000200000000001066000000010000200000007afefe8090ff0a7386826c2f79929ff072c70ff2276c172c594f930d9ab32500000000000e800000000200002000000069a91627067b11818cf44519f2fe1bafb3ed9fce15548b37e53effdffdf0f04c200000009d7ccb797522c05e06ebb6c797ccf41ed004e18398701e17c52dd59fc589c623400000004d2eb0b744bada19a031b06b2de1066acc78509eb539adfd46d94989bbb147776260de189d03e8174769a2951b20318e978306d6be0fd5dd91b43139e8013b9a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e083cd910f18d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2250391225"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2250391225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a2e4982c0a49944b69dad2a06c0a5d300000000020000000000106600000001000020000000364fe53747838d3c1e1b962cc3e9ad89103a55283000fae1eae2fbe8a2fa07da000000000e800000000200002000000060a3efc59186bcbf275737af3d910de505dcc7907cc7f8f9a6cc6c6ccceed4192000000024554d4b6690d315b487b9d92360a9dc5ecc4bcae4e99a66083f37664847d43c40000000175a2b452514215b6cb25684758f4e5963ed018bb79876ce168c9c4dcd8fdb978767e897b595c74cc2836e48048cf1161477df4db0cb3d5786cf99e0a07ea738	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30873615"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B15490EE-8402-11EB-B59A-42BBCFED91E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103662890f18d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a2e4982c0a49944b69dad2a06c0a5d300000000020000000000106600000001000020000000c2db7f6f78026a9a8b7bb61b413f0756ce62ccbc5b9e01e786257fea2a4bb486000000000e80000000020000200000003b744f17994d40e40ca688f13f7b0f5538b2e982e9410a412d2c4c39a862ceb7200000007c9bb97e5f1e074a371e23cacda64b0b73711a6a9904f4a2a401ca64ae7c3faf400000008555c4ea12070e820ba29732c997993cc2682e41d8b6283769847bebfea1af858fdc1e3e517f8b19641657415ee9c83458f3cdf393b8e57964e02b622b8fddc9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2960 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2960 PING.EXE

pid	process
2960	PING.EXE

pid	process
2960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exepowershell.exeExplorer.EXE

pid	process
1808	regsvr32.exe
1808	regsvr32.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE
3040	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

1424 powershell.exe
3040 Explorer.EXE
3040 Explorer.EXE
3096 cmd.exe
3040 Explorer.EXE
3040 Explorer.EXE

pid	process
1424	powershell.exe
3040	Explorer.EXE
3040	Explorer.EXE
3096	cmd.exe
3040	Explorer.EXE
3040	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeDebugPrivilege	3764	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

576 iexplore.exe
420 iexplore.exe
420 iexplore.exe
420 iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
576	iexplore.exe
576	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
420	iexplore.exe
420	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
420	iexplore.exe
420	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
420	iexplore.exe
420	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
3040	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 1808	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 1808	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 1808	636	regsvr32.exe	regsvr32.exe
PID 576 wrote to memory of 1528	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1528	576	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1528	576	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 2620	420	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 2620	420	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 2620	420	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 1992	420	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 1992	420	iexplore.exe	IEXPLORE.EXE
PID 420 wrote to memory of 1992	420	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1424	1932	mshta.exe	powershell.exe
PID 1932 wrote to memory of 1424	1932	mshta.exe	powershell.exe
PID 1424 wrote to memory of 2136	1424	powershell.exe	csc.exe
PID 1424 wrote to memory of 2136	1424	powershell.exe	csc.exe
PID 2136 wrote to memory of 3568	2136	csc.exe	cvtres.exe
PID 2136 wrote to memory of 3568	2136	csc.exe	cvtres.exe
PID 1424 wrote to memory of 2624	1424	powershell.exe	csc.exe
PID 1424 wrote to memory of 2624	1424	powershell.exe	csc.exe
PID 2624 wrote to memory of 1444	2624	csc.exe	cvtres.exe
PID 2624 wrote to memory of 1444	2624	csc.exe	cvtres.exe
PID 1424 wrote to memory of 3040	1424	powershell.exe	Explorer.EXE
PID 1424 wrote to memory of 3040	1424	powershell.exe	Explorer.EXE
PID 1424 wrote to memory of 3040	1424	powershell.exe	Explorer.EXE
PID 1424 wrote to memory of 3040	1424	powershell.exe	Explorer.EXE
PID 3040 wrote to memory of 3488	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3488	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3096	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 3096	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 3096	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 3488	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3488	3040	Explorer.EXE	RuntimeBroker.exe
PID 3040 wrote to memory of 3096	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 3096	3040	Explorer.EXE	cmd.exe
PID 3096 wrote to memory of 2960	3096	cmd.exe	PING.EXE
PID 3096 wrote to memory of 2960	3096	cmd.exe	PING.EXE
PID 3096 wrote to memory of 2960	3096	cmd.exe	PING.EXE
PID 3096 wrote to memory of 2960	3096	cmd.exe	PING.EXE
PID 3096 wrote to memory of 2960	3096	cmd.exe	PING.EXE
PID 3040 wrote to memory of 860	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 860	3040	Explorer.EXE	cmd.exe
PID 860 wrote to memory of 296	860	cmd.exe	nslookup.exe
PID 860 wrote to memory of 296	860	cmd.exe	nslookup.exe
PID 3040 wrote to memory of 1812	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 1812	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 744	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 744	3040	Explorer.EXE	cmd.exe
PID 744 wrote to memory of 1748	744	cmd.exe	systeminfo.exe
PID 744 wrote to memory of 1748	744	cmd.exe	systeminfo.exe
PID 3040 wrote to memory of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 812	3040	Explorer.EXE	makecab.exe
PID 3040 wrote to memory of 812	3040	Explorer.EXE	makecab.exe
PID 3040 wrote to memory of 2316	3040	Explorer.EXE	makecab.exe
PID 3040 wrote to memory of 2316	3040	Explorer.EXE	makecab.exe
PID 3040 wrote to memory of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 3680	3040	Explorer.EXE	WinMail.exe
PID 3040 wrote to memory of 1500	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 1500	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 1500	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 1500	3040	Explorer.EXE	cmd.exe
PID 3040 wrote to memory of 1500	3040	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\borderLink.jpg.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\borderLink.jpg.dll
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BFC92168-124C-49FC-1463-668D8847FA11\\\AppXxSip'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BFC92168-124C-49FC-1463-668D8847FA11").ActitLog))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iat2as2i\iat2as2i.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60F8.tmp" "c:\Users\Admin\AppData\Local\Temp\iat2as2i\CSC20B554B581884ED492F22E9D16CA47A.TMP"
5⤵
PID:3568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jgg1yadf\jgg1yadf.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES628E.tmp" "c:\Users\Admin\AppData\Local\Temp\jgg1yadf\CSC7B329F541465482E93DC64384221D94D.TMP"
5⤵
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\borderLink.jpg.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2960

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A0D.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:296

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A0D.bi1"
2⤵
PID:1812

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:1748

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:3680

C:\Windows\system32\makecab.exe
makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\7A39.bin"
2⤵
PID:2316

C:\Windows\system32\makecab.exe
makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\B950.bin"
2⤵
PID:812

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:1500

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:2296

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:3028

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:3812

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:936

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:508

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:688

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:296

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:420

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:1420

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\B4E7.bin1"
2⤵
PID:3864

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:3380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:420 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:420 CREDAT:82951 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BWXJDH3N.cookie
MD5
e9a8f8e0a85ad02552c30faa553d0856

SHA1
de4ce23059f5a0887160bad4b77e5c041ccaf762

SHA256
23a79c97b4caddeeea397f8ad05294ea57e808393c520850bed4aeeb6e761fb3

SHA512
2fcb7c0edc47dfb9aa6c68d58e599c3c2d5d9e1c776ccd2da0aba1708ef4e81a8989347c11c7d991f78b4084d745ebac7baa0c6898fd1b30dc34e3ce354e6e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A39.bin
MD5
6e855fc96f0a651b11223591b4972a07

SHA1
67221065a68cf765c4f430a71a5a9b4a5425eba7

SHA256
fe349ac842562963d8672454cc3acc57e70cacfe017c80e680bd2a176cd0eb55

SHA512
23e66a491503082ced1d2970ed308dce67788de26a89a709a23fca3d82d923568540e57c46d61e3908e99ab653a9879530e58a9167190d5f701c70b3bf76dfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\82DD.bin
MD5
96ad630bffec459a625baec2eb5731fb

SHA1
64bd2ba63771fa379bbf0c687d0254e3d2f7b8fc

SHA256
81a4b45c8263695023dbbbe656e50198eb73180511908a1c4cb97741e3570cc0

SHA512
175a7e2d98d60404f26409f78a4c03adb32f17f1a90b47371eaa083bf36214b60e1c8738c782ea1416c591a3efc54c11b7ccef5170a604ed51a9ea6b7cea69cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0D.bi1
MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0D.bi1
MD5
67a173408db29be821b9fe2421000340

SHA1
71faba974dc8fbbb67fa955142c30fbe0cd149a4

SHA256
b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8

SHA512
e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
3085574a70c8be9c15392a2a014f4047

SHA1
18b3b5d7b3ba0dc12db435652831b4ec6a5dbc2c

SHA256
58d4884d527af8b3b4dd8dd7a0ba2e101296a9cc01ec10bbf1f9630fbae64eb8

SHA512
143cfa2f1462c82c7df09f211a31682955d983bccd519161e68a7a4bd49a8bdf7b2a859bfe1e7d427564cc5796e36eca62052ad10e46d0c674c83303f5c9b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
3085574a70c8be9c15392a2a014f4047

SHA1
18b3b5d7b3ba0dc12db435652831b4ec6a5dbc2c

SHA256
58d4884d527af8b3b4dd8dd7a0ba2e101296a9cc01ec10bbf1f9630fbae64eb8

SHA512
143cfa2f1462c82c7df09f211a31682955d983bccd519161e68a7a4bd49a8bdf7b2a859bfe1e7d427564cc5796e36eca62052ad10e46d0c674c83303f5c9b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
c83083eb6ecf3dc5d871640c448ae8cf

SHA1
69212103cdbb79702e284bb39f092948de0fd981

SHA256
63302a4ad171ba7be64f46d36cb2636df3896295440d84909892e1a52e3b04bf

SHA512
c56a70730389b0c272982849dbd246a0d45e84d459dead5f3626ee51fea65b4ad7c3706a1463e2e66d231fbb1db1f83d96ccc83f7346a16d0b5af585992a58c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
c83083eb6ecf3dc5d871640c448ae8cf

SHA1
69212103cdbb79702e284bb39f092948de0fd981

SHA256
63302a4ad171ba7be64f46d36cb2636df3896295440d84909892e1a52e3b04bf

SHA512
c56a70730389b0c272982849dbd246a0d45e84d459dead5f3626ee51fea65b4ad7c3706a1463e2e66d231fbb1db1f83d96ccc83f7346a16d0b5af585992a58c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
1e151d57485be283937fb7ccbe9a17fa

SHA1
b7bf6626a51d960f2d958921015ad77133e67077

SHA256
b0d947da2494843f88b10bdd5d893ab7365dee1f7e581e2a4962c33b6f0f82c7

SHA512
308aaf99a70ae261738ec611a1449a0ca03d2713cbd4544d24d8adfe5ad1038618810ad606042bdcef355cdb919a5cdd550f972d532416977a3ec1f2f1f9d33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
1e151d57485be283937fb7ccbe9a17fa

SHA1
b7bf6626a51d960f2d958921015ad77133e67077

SHA256
b0d947da2494843f88b10bdd5d893ab7365dee1f7e581e2a4962c33b6f0f82c7

SHA512
308aaf99a70ae261738ec611a1449a0ca03d2713cbd4544d24d8adfe5ad1038618810ad606042bdcef355cdb919a5cdd550f972d532416977a3ec1f2f1f9d33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
42a663ec21f2a27ce8ab120d5aee68b8

SHA1
2043d6fb39a2bc7fb1f0e618bcf1697cb3a21569

SHA256
5af0b75f0c8cc981247f87d3e4c8275f3e983cb12eb43c21715224c24c126a5f

SHA512
5263429e2b28681f8a71aa8cf38c95ad8e4c7b22a70fe71b78da4228593420d54ff1693326319b73ef891da0a5e4b5721f2789c27ecfcc916eec041efa3f31ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4E7.bin1
MD5
42a663ec21f2a27ce8ab120d5aee68b8

SHA1
2043d6fb39a2bc7fb1f0e618bcf1697cb3a21569

SHA256
5af0b75f0c8cc981247f87d3e4c8275f3e983cb12eb43c21715224c24c126a5f

SHA512
5263429e2b28681f8a71aa8cf38c95ad8e4c7b22a70fe71b78da4228593420d54ff1693326319b73ef891da0a5e4b5721f2789c27ecfcc916eec041efa3f31ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\B950.bin
MD5
bfcc4f55239bb8d5b22e8f8b76cf9b3e

SHA1
48053810beea78f719bd07bdccad798a423e1c27

SHA256
25b91d11225e4a83d3e022099944219916cf932857f0c6d2f7a2bab1ab034e34

SHA512
87185238d8838a2127dc5f56d105ae4d3d4d108feaf16d4fea16169cb86f422a22db1815e61d022a34beb36183875670c056e33f32551ca2b0c2f4b023a1018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1F4.bin
MD5
08fe1e6778cb2b1626f3bb02de3f2c5f

SHA1
aeefa6077fc52c3893429ee675f2b69e033f25c6

SHA256
86f24603dba0c0c084f135169f081067ba77cb096663a161311757de7bea716e

SHA512
422ec4c6cd35095ed702b796c836e9952e5a352ec500654e291879a141f1fa0d9d4ba525d37bd75d2b570c93382793e91edda7155156da82adef4cbaee5f4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0C1.bin\AuthRoot.pfx
MD5
550d1b1e8ccedb21cee0155b472e7313

SHA1
e5c587ed79f7bbf0bd1380ea27d85c34a8cb7118

SHA256
dd538bf61cd26ce6352009bc6f8647f48d6b67f48754422a6b57ba4f4cda59d7

SHA512
c00b452151368416ef58de008fed55365cd8d425fe385bf9894291e92edfa7e671bf2025d1381be961d817b98f1ca81514582f658f35cd47622cc52b1b13b5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0C1.bin\Root.pfx
MD5
2f90eac78fe1f96152987113c29b4650

SHA1
8c12a3a7e7646be0d6e48c84e84cf9cfab14f14b

SHA256
1b457c9e71157891a3e667fb67b07756f27b4da81b5f564463e913ff5d5a0a83

SHA512
a5a134998e49c17a5bedd79f92ad07ff2b26cc3577db8413bd2c91ea7ee6cb54233eee7ca277d6fa317882a4acc1e7caac6d5bc1c725fa9504e4b1fcf9497597

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0C1.bin\setup.inf
MD5
335dd572666838a48539cc49d62cffeb

SHA1
4a83114c51a3848813d025fce01a929e5e9a0e9d

SHA256
75e0808e5454b06ded2d398bccc74c90b03b5ee88a9d39570f421697252727e7

SHA512
83a1dc7a536707eb446f688f108ce367ad5c1f675e8fba47ba6206cbf8fbcd0eeb681e6131f684ba5715c987e6bb328568f98fa546bac2d8bb75bad38996fc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0C1.bin\setup.rpt
MD5
1304761419c75be506d4429f2f44ad52

SHA1
aed7d4a7c3408a352f9a48b7c80efb1b8290e740

SHA256
62dd63a9bf88e4492a7dbe90fab613c738989a91ee89b1447370e6fc91c19e04

SHA512
1028ba8bcb006664486049d5b2772a9ec1f921c0ab3f28c5477d4a9e3dfd564b5edac246e7310a916f1671a703f85e2e270f33f225e577bf5941c677063d821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES60F8.tmp
MD5
3f7803b484a07aaef04b48f0c25f46d2

SHA1
a18dc991c53cf1b4b3ff663e2e4ee89fc36d0054

SHA256
0ddc4de91efd9f9e3ba631c22bef0f09f6a2f1c0b9f2c9e3bd77d52ea58a5e7f

SHA512
c0d23d41fb991e84b489bbd995b8bfe2935acf8d5e299702b0085051097066c450e534ce0b0f0b8d9dd535d347fa11878a7a5be4ab0b96cd4ba53d251a028d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES628E.tmp
MD5
d3847ded4f471461b06b43e182275859

SHA1
a93ab04191ec798c51bbda383177e9ad4b298076

SHA256
7fec90b168cb4c7c963643bfe351885dc3bab56bdaedad30fff62cb29aad4a56

SHA512
517b81e342dc1030e5205027d0aaae5e00c282bf5844ebfb1c7cf2effb6d48e0c4bd013fd285b7d8bb5800da979111402530adca2a2cc0d7a379a2700e4045aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iat2as2i\iat2as2i.dll
MD5
021074c8d2bd2695c0fbdc9e33cc1a3c

SHA1
b35c4b2afd76d75f6d56d49ceb8d32cf434d4255

SHA256
624f0bae4f865382fab57467196e186a2594677c76c60f22879c5cb69d5cc6fc

SHA512
a3b70ee4aad77d9db276466167f3a76e41db55d0deae9cb69b7d8f5d6e0f3acd38324b033d58284572fce6ccd52d9149aac9b02a4802902fb417a1dd5273d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgg1yadf\jgg1yadf.dll
MD5
7fa83b71d10e658886fbafa23841e6ae

SHA1
3196b9f69a3cf784945d6d360833dfe59715031f

SHA256
9118fe63d293a34ef4004e106c10e09993592ea220d3b94245ce8718bb4ad5ce

SHA512
a22d182b044583f27ff1517474eabe5bfd43452925f6eaba869d22c71704f5ef698396728ac1c9ba6ec634a47e0dd5f4c964f8521e2e5b51b85c31634ae4415b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\{D6649~1\cookie.ff\2kcxi5oi.default-release\cookies.sqlite.ff
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.inf
MD5
b00168b34ebfbdab01b08c9b5d0c29eb

SHA1
397f6d08c2e56a462b05a29754f9042ebcce8034

SHA256
85dae8c46bc015e94edd67957fee31f825d4ce78e51e3f7e2b11534095a16097

SHA512
fcd4123cac8f5e4ac991152a9f3dda86c6355cbc44de96000e9a9bd0e03351ed6ed24d9220a5d1b1ebe59ac082eefe44f1d0490f40dec61588f8dca0b204b9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\{D664934C-3D56-78A2-776A-C12C9B3E8520}\setup.rpt
MD5
5111bcc535ab5baed3538bc8cfdd9472

SHA1
c007d7ecdae0d7689dcb1b7d283952f890e4b3bc

SHA256
761d044bc5b9bbe7a705870666974a3551508a5a884744cd4bc1c3308cffc654

SHA512
4c4cd252bed7f0ee567f7f94f4943bd259ae1100a39d534a0f7d3e7180ed8e50d410c15c42fd667cc08adcdd7ed7b28adde81669b8c7ebf2f6d6322546e3edbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iat2as2i\CSC20B554B581884ED492F22E9D16CA47A.TMP
MD5
89139528daa2bd7e362d55306427d245

SHA1
2d34555315d3d2c4bf7a0db2191ebaeab6362e84

SHA256
e22185ddf5bdf87216821bc721ac2b371a5a15004d9ca64a6ce70eec0886a55b

SHA512
54bc7ccb19ee6b931bf80db7f0704bdc0248cafbd5bbebd554228c657e7a96de4a6eb10ae19f56efeefe1beffc6456fd5e3034535697013a1f6cae050993bb22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iat2as2i\iat2as2i.0.cs
MD5
39e11f07a1f54792a10d3eb5204c7692

SHA1
31ef54b2b7f74d6b0768dda602c428adfed96cd4

SHA256
4c4bcd84956847402f4c833b4abc060c08bbf021fad35e7065feaf23241b9d73

SHA512
51f845e87f935591400c2b9ad921a6807148adfc4fc8092252156a42d927da1cd92127516943866b29be9361d503f74c5f055eda280c38e4d07a6d2b941b44a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iat2as2i\iat2as2i.cmdline
MD5
2f6f3ef5009a4cb979c47c17b021fa7a

SHA1
c64ec7f62c2a5e6b5beeeaf22b67d0f03ad49327

SHA256
f20b7bf7f284840d3287b26144530a4c924bb0b42e78403faedea34513e1bff5

SHA512
b859c64f22d895eab50b74089615faecc3b47a9a794674ad19c32a782d259bd07451ab7f46df6eaecf0ee1178574459d24350240a13b765a05ef3a461a1e96c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jgg1yadf\CSC7B329F541465482E93DC64384221D94D.TMP
MD5
a3e7305a7e2c6d31b57bfca416ebee57

SHA1
18f0908199da80cbe46997ae4a3e9b521120781f

SHA256
3ee55405bfa61b47f3e00a33aac93125953e55c832f2881dc75ab304f0596534

SHA512
4f547e030a8df6970d6a35e5eb2fd09169dc7d9fff2123185856c35fe891b13a2e783a174fbab7577f39e257eaef5a3cd42ec70ce451f7f27e36d0c7c536d19a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jgg1yadf\jgg1yadf.0.cs
MD5
d926107fd8ab7346c82353f3fedd1db3

SHA1
c0cd1ec04f1d5f06e1ff931f4e6fed1db849e408

SHA256
2df76e5f440e16b4ca6c646072b32698fd39e630e205244c00e7764485ad1305

SHA512
35185ff5d6d4a4cf1a54a9efd712966860f634957f7073bdd26904f2fd40e58d3420261de6c62045bcb4239dba1ca3846c78f8a203f9ce280e4138dd5d02d0f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jgg1yadf\jgg1yadf.cmdline
MD5
f65d986c6875b635a00a50a68ac5da45

SHA1
3a18270d2f3077027efec5427fa1d326bc31cfb0

SHA256
8b634ff72c711d3349f82a7bcb0fe01a199517ac4495d6762c2134665fbbfde2

SHA512
a4130ccd3ef8cfeb7aaa2545b340213c0751945dcee2513f41a349bb130571290190ed69216f375551b5175fe775b0e62ab7c03c33a8c90e025c8f3f9401b6bb

Download Submit
memory/296-44-0x0000000000000000-mapping.dmp

Download
memory/296-80-0x0000000000000000-mapping.dmp

Download
memory/420-82-0x0000000000000000-mapping.dmp

Download
memory/508-77-0x0000000000000000-mapping.dmp

Download
memory/688-79-0x0000000000000000-mapping.dmp

Download
memory/744-48-0x0000000000000000-mapping.dmp

Download
memory/812-51-0x0000000000000000-mapping.dmp

Download
memory/860-43-0x0000000000000000-mapping.dmp

Download
memory/936-75-0x0000000000000000-mapping.dmp

Download
memory/1420-85-0x0000000000000000-mapping.dmp

Download
memory/1424-33-0x000001A7F6BF6000-0x000001A7F6BF8000-memory.dmp

Filesize
8KB

Download
memory/1424-13-0x000001A7F6BF3000-0x000001A7F6BF5000-memory.dmp

Filesize
8KB

Download
memory/1424-34-0x000001A7F6B50000-0x000001A7F6B8A000-memory.dmp

Filesize
232KB

Download
memory/1424-11-0x000001A7DE7A0000-0x000001A7DE7A1000-memory.dmp

Filesize
4KB

Download
memory/1424-9-0x0000000000000000-mapping.dmp

Download
memory/1424-14-0x000001A7F9820000-0x000001A7F9821000-memory.dmp

Filesize
4KB

Download
memory/1424-10-0x00007FFC32200000-0x00007FFC32BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1424-22-0x000001A7DE790000-0x000001A7DE791000-memory.dmp

Filesize
4KB

Download
memory/1424-12-0x000001A7F6BF0000-0x000001A7F6BF2000-memory.dmp

Filesize
8KB

Download
memory/1424-30-0x000001A7DE7E0000-0x000001A7DE7E1000-memory.dmp

Filesize
4KB

Download
memory/1444-26-0x0000000000000000-mapping.dmp

Download
memory/1500-68-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1500-69-0x0000000002CA0000-0x0000000002D31000-memory.dmp

Filesize
580KB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-64-0x0000000000A86CD0-0x0000000000A86CD4-memory.dmp

Filesize
4B

Download
memory/1528-5-0x0000000000000000-mapping.dmp

Download
memory/1748-49-0x0000000000000000-mapping.dmp

Download
memory/1808-3-0x0000000073510000-0x000000007351F000-memory.dmp

Filesize
60KB

Download
memory/1808-2-0x0000000000000000-mapping.dmp

Download
memory/1808-4-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1812-45-0x0000000000000000-mapping.dmp

Download
memory/1992-8-0x0000000000000000-mapping.dmp

Download
memory/2136-15-0x0000000000000000-mapping.dmp

Download
memory/2296-70-0x0000000000000000-mapping.dmp

Download
memory/2316-52-0x0000000000000000-mapping.dmp

Download
memory/2620-6-0x0000000000000000-mapping.dmp

Download
memory/2624-23-0x0000000000000000-mapping.dmp

Download
memory/2960-36-0x0000020A2E150000-0x0000020A2E1EC000-memory.dmp

Filesize
624KB

Download
memory/2960-32-0x0000000000000000-mapping.dmp

Download
memory/2960-35-0x0000020A2DF10000-0x0000020A2DF11000-memory.dmp

Filesize
4KB

Download
memory/3028-72-0x0000000000000000-mapping.dmp

Download
memory/3040-37-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3040-38-0x0000000001470000-0x000000000150C000-memory.dmp

Filesize
624KB

Download
memory/3096-31-0x0000000000000000-mapping.dmp

Download
memory/3096-41-0x000001E2F3230000-0x000001E2F3231000-memory.dmp

Filesize
4KB

Download
memory/3096-42-0x000001E2F33C0000-0x000001E2F345C000-memory.dmp

Filesize
624KB

Download
memory/3380-89-0x0000000000000000-mapping.dmp

Download
memory/3488-39-0x000001D0A8EF0000-0x000001D0A8EF1000-memory.dmp

Filesize
4KB

Download
memory/3488-40-0x000001D0A8F60000-0x000001D0A8FFC000-memory.dmp

Filesize
624KB

Download
memory/3568-18-0x0000000000000000-mapping.dmp

Download
memory/3680-50-0x0000000000000000-mapping.dmp

Download
memory/3680-56-0x0000027EEFE40000-0x0000027EEFEDC000-memory.dmp

Filesize
624KB

Download
memory/3680-55-0x0000027EEE510000-0x0000027EEE511000-memory.dmp

Filesize
4KB

Download
memory/3764-84-0x0000000000000000-mapping.dmp

Download
memory/3812-74-0x0000000000000000-mapping.dmp

Download
memory/3864-87-0x0000000000000000-mapping.dmp

Download