Malware Analysis Report

2024-10-19 03:00

Sample ID 220209-r6xh5aafb6
Target TeamViewer_Setup.exe
SHA256 f971c06c3cf16467d90652e57b72c53b273a1360f1af1fc377d6158e772b6a70
Tags gozi_rm3 banker trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f971c06c3cf16467d90652e57b72c53b273a1360f1af1fc377d6158e772b6a70

Threat Level: Known bad

The file TeamViewer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

gozi_rm3 banker trojan

Gozi RM3

Gozi_rm3 family

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-02-09 14:49

Signatures

Gozi_rm3 family

gozi_rm3

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-02-09 14:48

Reported 2022-02-09 14:55

Platform win7-en-20211208

Max time kernel 165s

Max time network 190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

Gozi RM3

banker trojan gozi_rm3

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70725df4c41dd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50613391-89B8-11EC-A6E6-6EBBDA1774B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{333ABCF1-89B8-11EC-A6E6-6EBBDA1774B5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 1776 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1876 wrote to memory of 1776 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1876 wrote to memory of 1776 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1876 wrote to memory of 1776 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1820 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1376 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1376 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1920 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1920 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1920 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1920 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2000 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2000 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2000 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2000 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 672 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 672 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 672 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 672 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 832 wrote to memory of 820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 yuordom.xyz udp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp
DE 185.252.215.7:443 yuordom.xyz tcp

Files

memory/1820-53-0x0000000075531000-0x0000000075533000-memory.dmp

memory/1820-54-0x0000000000320000-0x0000000000330000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso2E33.tmp\TvGetVersion.dll

MD5 465ad8b483c5e8bbfee17aa15ea3b488
SHA1 ad984431df286cd6c10796b49c248e6afb4d55bf
SHA256 943149b2cf028bbe593375e255ed834c129f97ed2dab9c3779d871446dc177df
SHA512 8c137cff4aeeee2556233a07d7df9c183c38a36c40d904a89f22d73cc13b3941d71708da89dfe908f335f6c39e4c70b376dd437924e15ac697876f612bdf01d6

\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 6beb92614435557ead728bfc739b1ada
SHA1 8b74f34b7cff0bd2bc4369adf7b594fe8869c3f9
SHA256 6b92739bf2bc25cd2a41d8cce0ae9815279d8c4b36ddad1617f5fe6b3d1b7ed6
SHA512 d804a8049434916f126a00385fe97208a00282bff574fd93eb35296d6a97e3c9751898b1261e93415049e5c2f1c17f3d0f0a550405c69412ef65643727be4ea2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 6beb92614435557ead728bfc739b1ada
SHA1 8b74f34b7cff0bd2bc4369adf7b594fe8869c3f9
SHA256 6b92739bf2bc25cd2a41d8cce0ae9815279d8c4b36ddad1617f5fe6b3d1b7ed6
SHA512 d804a8049434916f126a00385fe97208a00282bff574fd93eb35296d6a97e3c9751898b1261e93415049e5c2f1c17f3d0f0a550405c69412ef65643727be4ea2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 6beb92614435557ead728bfc739b1ada
SHA1 8b74f34b7cff0bd2bc4369adf7b594fe8869c3f9
SHA256 6b92739bf2bc25cd2a41d8cce0ae9815279d8c4b36ddad1617f5fe6b3d1b7ed6
SHA512 d804a8049434916f126a00385fe97208a00282bff574fd93eb35296d6a97e3c9751898b1261e93415049e5c2f1c17f3d0f0a550405c69412ef65643727be4ea2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

MD5 acd6cd3df0f488a6571d5a4723b32115
SHA1 552cd3eec0561fc5f58b974b3a381ef90b9a63f7
SHA256 cdbb63b7564a66278d31af41f9c22a9b7d2bb2a0f186d3f7ec01cf65ac5d4614
SHA512 549713a40e3d4aa4ab8a08fc005d5a6a9547e12b9291c548ee9f8b7bd4bfcb0ea92d4f0a646777ad37ac4137705540ba21b56d8ca32646f96c6e1a0ee4293ddf

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\UserInfo.dll

MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\UserInfo.dll

MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

\Users\Admin\AppData\Local\Temp\nsd8519.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 883128d8a5b06f547a8c3c5a643dbd37
SHA1 26ae182db9355a92aea4eda5b3fa8f0643dc1b2f
SHA256 69f21a443026ccfe791701a80fc2582e8d3f766b78441dcfc3c073f72e6bc1c2
SHA512 164c8a0e84f3e2d04679c7057bbd12bdd61d50dcc672ec069a7133ba9ebedd15195047c1e896c508120043499c63d16b9105c4869488c9e31902ce9a64ef450a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc0439cde58936e71a93770cb1572e28
SHA1 337d1150392faad123fae06acd81f7146de11d01
SHA256 95067fcb6e4e131034029f244b1f75ca367cd830c3a90ec10afe4fbee96cffcc
SHA512 71683f85a0511843e1838a12bb10a5d6835cf12d251381eb6af576362338e6f69e56efb31470f432b98642b4c1be155dbf8ccec3fb40c7300b9956624d5a24e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751


Analysis: behavioral2

Detonation Overview

Submitted

2022-02-09 14:48

Reported

2022-02-09 14:55

Platform

win10v2004-en-20220112

Max time kernel

160s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

Gozi RM3

banker trojan gozi_rm3

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9B96ABB7-89C0-11EC-82D0-E6101B3923D5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "892811787" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000f76976cb9b8c91b2bf3a28966f8db14fe2753a669138b81dac55eeadf5493fcc000000000e8000000002000020000000adc5b757d7700955cb94878b363a4958bd9e16e0d986d7ae6922fac2530b6ab520000000ae64179da705d0336510c14a29a6afa609f7b6ae7b4f276055f6b4410c14b5d940000000e7cb5559b93ba5b7ddc7f57901c2de9e70f105eee90ff4246cc623d524a249a5d7c9dce867711ba17bbc3d2c01041dfbf5be80894e676c067db1e83e9dcd76f7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30940621" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02ae95ecd1dd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C95BD55-89C0-11EC-82D0-E6101B3923D5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000029cd75ffa7dacf86bf64af924a1884d94e0f7aa26ca664159a562ed7affd1079000000000e800000000200002000000067cf945396911feb303ca110a65735b58e23346131f75c896917de14edacf0d7200000001b5ba2b82e8e5b58602b139d420eb066413deda5d2dfe51e6e74709518257ceb400000003e80b725e126d024f9d12ab253b0139e3dc0b1c76d297b87c2a8787d319e4c7783f82e40aca51bc9f2b450164c9c175499f8192e919d9d2bd83f1fdcac4a1a95 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{940B7AD2-89C0-11EC-82D0-E6101B3923D5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101d5257cd1dd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000032ca58e69046a47780e9d0fb9b2575b9fbc57cc28e5be0c7be161919b0a4598d000000000e8000000002000020000000020253bdd0b99e3ce071ae2d83d8186de468c79ac1ca38f7056c38f38ddbba7c20000000918b700600611384a6d6a305d7c4a07c6100e58b8ba11f50042a01242e04ec7840000000774cc94227ba0254b54204e255db679aa55d45785ff1549e4042f350f189c1f9cd6f9c7edbbd6ec30dd12c289425c81671bdc1c6fbe769495fd0e5fcc4c13e76 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5097aa6ccd1dd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30940621" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A92F9315-89C0-11EC-82D0-E6101B3923D5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5076ae4dcd1dd801 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
PID 1144 wrote to memory of 536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3628 wrote to memory of 3796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1884 wrote to memory of 1004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2592 wrote to memory of 1244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4008 wrote to memory of 532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2700 wrote to memory of 3896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:17410 /prefetch:2

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3628 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4008 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 tcp
NL 20.190.160.75:443 tcp
BE 8.238.110.126:80 tcp
BE 67.27.154.126:80 tcp
US 72.21.91.29:80 crl4.digicert.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 yuordom.xyz udp
DE 185.252.215.7:443 yuordom.xyz tcp

Files

memory/2668-130-0x0000000000630000-0x0000000000640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb4196.tmp\TvGetVersion.dll

MD5 465ad8b483c5e8bbfee17aa15ea3b488
SHA1 ad984431df286cd6c10796b49c248e6afb4d55bf
SHA256 943149b2cf028bbe593375e255ed834c129f97ed2dab9c3779d871446dc177df
SHA512 8c137cff4aeeee2556233a07d7df9c183c38a36c40d904a89f22d73cc13b3941d71708da89dfe908f335f6c39e4c70b376dd437924e15ac697876f612bdf01d6

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 6beb92614435557ead728bfc739b1ada
SHA1 8b74f34b7cff0bd2bc4369adf7b594fe8869c3f9
SHA256 6b92739bf2bc25cd2a41d8cce0ae9815279d8c4b36ddad1617f5fe6b3d1b7ed6
SHA512 d804a8049434916f126a00385fe97208a00282bff574fd93eb35296d6a97e3c9751898b1261e93415049e5c2f1c17f3d0f0a550405c69412ef65643727be4ea2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 6beb92614435557ead728bfc739b1ada
SHA1 8b74f34b7cff0bd2bc4369adf7b594fe8869c3f9
SHA256 6b92739bf2bc25cd2a41d8cce0ae9815279d8c4b36ddad1617f5fe6b3d1b7ed6
SHA512 d804a8049434916f126a00385fe97208a00282bff574fd93eb35296d6a97e3c9751898b1261e93415049e5c2f1c17f3d0f0a550405c69412ef65643727be4ea2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

MD5 acd6cd3df0f488a6571d5a4723b32115
SHA1 552cd3eec0561fc5f58b974b3a381ef90b9a63f7
SHA256 cdbb63b7564a66278d31af41f9c22a9b7d2bb2a0f186d3f7ec01cf65ac5d4614
SHA512 549713a40e3d4aa4ab8a08fc005d5a6a9547e12b9291c548ee9f8b7bd4bfcb0ea92d4f0a646777ad37ac4137705540ba21b56d8ca32646f96c6e1a0ee4293ddf

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\UserInfo.dll

MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\UserInfo.dll

MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

memory/1784-145-0x0000000006C21000-0x0000000006C23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\InstallOptions.dll

MD5 033ee34c40e8fa85bf2739bcb2f3e186
SHA1 2ca942f35f77f37df3fc6097acac34f2e77341b7
SHA256 c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
SHA512 2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\UserInfo.dll

MD5 9b0db6a6056e8e51ac35e602aeab769f
SHA1 b541c6d2635141cdc3a74f59d55db8df4a92e7ac
SHA256 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
SHA512 83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\TvGetVersion.dll

MD5 b9e0c430596b2435971079edd15d3f0c
SHA1 fc214c6757e3539729e42f754c6b9768fd44a942
SHA256 c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e
SHA512 93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

memory/1784-161-0x0000000006CB1000-0x0000000006CB3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss507C.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 e2f4d7934d053d8708d8c443a8604a4b
SHA1 473a5d2fe5aa15addeb8d0227f352078776db1f4
SHA256 77c9ad79c855b846a0c6bf4e2e3c2df639eac2df3ec0627804cc3081f0c02328
SHA512 8ad78377f07772775752685bfcb9a1e192a44e3e36589f73a47126f7502adf9f9b6f0b6697fc24a63a5ef7582936af245ac26e91ab156e17d3e9176fd753f76d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEE0CCFF84BA1E9121EE261796CAE1A7

MD5 2f653a788f187f0c57f53856f36e46f1
SHA1 1efb24ada3dd48c54681debf3220ba5dd2ebee7c
SHA256 30968cbb3604111b2818bb21fc0005dc49e09abde58421bd25a8fc1776fefb41
SHA512 76ef41f84faaaf95a60d902107dbee1b4fd47777f3a577e201ab6bfde4f917e59aa2ff536598e91eac42c75d9d4d69854c6813c58b5d3a1b18172be22763c2df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEE0CCFF84BA1E9121EE261796CAE1A7

MD5 b8f5e4bcd8542693cf07fa696cd55af7
SHA1 0c7d23b7dddaca7362641e4f34821c841d9d4142
SHA256 45560634f239576d29f9530c74c2672a2baa8ac3db0848c23b5af773d7f8d83d
SHA512 bcdadebb23dc974b38463ddc4c98d4c95f46157ec2af42357765d0fb0a33d19a4cc658758817d773fe8a270eb0ee5072037aa7923022cd71a374fd297fa6345a