8db66f6bcd911ce2f96d524636fc6b023a54e26ad6c24711fde9aa4a07f5f633

Analysis

max time kernel
153s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1658856f99650fc701a84cd6f0c6cfc7.exe
Size

916KB
MD5

1658856f99650fc701a84cd6f0c6cfc7
SHA1

5a2c44c3a1b17ecfe19ef1b215d2e5606f7fafa0
SHA256

8db66f6bcd911ce2f96d524636fc6b023a54e26ad6c24711fde9aa4a07f5f633
SHA512

ce172672480340107727be3f173f44906b9162f29704d02950d7107ebe99b58507b7d6180443c9125a025d2a1ca3b1abcdb21b4e5ac6a6505677d41c771f4473
SSDEEP

24576:rwYFr0ySkThNKdao7LbKaCLyeJVDGJ2RtjAfL1HQgw049C8W:rwYV0ypNGa0uaMyeJV5jAD/kCt

Score

10^/10

persistence upx vmprotect

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Kban1.exe,"	Kban1.exe

Sets service image path in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\fzxspkecxu.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\ywqoigaytq.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\igaysidavt.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\kicausnkfd.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\bwuomgeywr.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\aysqkidavs.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\czusmkecxu.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\mhezurmkec.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\omgezwrpjh.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\gbztrljdbw.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\tnlgdywqoi.sys"	Kban0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\p2phook\ImagePath = "\\??\\C:\\temp\\snlfdxvqni.sys"	Kban0.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	1658856f99650fc701a84cd6f0c6cfc7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Kban2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Kban3.exe

Executes dropped EXE 7 IoCs

pid	Process
2940	Kban0.exe
4768	Kban1.exe
4628	Kban2.exe
4900	Kban3.exe
2188	Kban4.exe
3724	Kban5.exe
1084	Kban6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-33-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/files/0x000600000002322d-42.dat	upx
behavioral2/memory/4900-78-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4628-77-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/files/0x000600000002322d-46.dat	upx
behavioral2/memory/4900-45-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x000600000002322d-39.dat	upx
behavioral2/files/0x000600000002322c-34.dat	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00080000000224fc-4.dat	vmprotect
behavioral2/memory/2940-11-0x00000000001A0000-0x0000000000223000-memory.dmp	vmprotect
behavioral2/memory/2940-13-0x00000000001A0000-0x0000000000223000-memory.dmp	vmprotect
behavioral2/files/0x00080000000224fc-10.dat	vmprotect
behavioral2/files/0x00080000000224fc-9.dat	vmprotect
behavioral2/memory/2940-90-0x00000000001A0000-0x0000000000223000-memory.dmp	vmprotect

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DOWIRE.sys	Kban4.exe
File opened for modification	C:\Windows\SysWOW64\system.ini	Kban1.exe
File created	C:\Windows\SysWOW64\Dowire\r.dat	Kban4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2552	2188	WerFault.exe	88

Gathers network information 2 TTPs 24 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3756	ipconfig.exe
3088	ipconfig.exe
5868	ipconfig.exe
5532	ipconfig.exe
5948	ipconfig.exe
5472	ipconfig.exe
4900	ipconfig.exe
6060	ipconfig.exe
904	ipconfig.exe
3100	ipconfig.exe
4272	ipconfig.exe
5912	ipconfig.exe
220	ipconfig.exe
4236	ipconfig.exe
1164	ipconfig.exe
4292	ipconfig.exe
5552	ipconfig.exe
5220	ipconfig.exe
1692	ipconfig.exe
1544	ipconfig.exe
2880	ipconfig.exe
2376	ipconfig.exe
444	ipconfig.exe
4316	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{26FEE4A6-A509-11EE-8024-72AE6231743A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3A92738D-A509-11EE-8024-72AE6231743A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808e46391639da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078677"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078677"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f00000000020000000000106600000001000020000000eb59bcf10af8f13f9d116abdb3fd78cb3509714a27215c163bc721a718054ef6000000000e800000000200002000000031ac02a6ef99642413719b7c5766ec37fd218df5ed90ef95cbaa1c4d7c65a65520000000ed8e254517a96ee4faddc7b47dec504c8061cb496b2a08578a8937ab4029deb640000000990d241edc99bf052d2c7213ed466ea4968aa2f52f5b3a97d356d83c241dd53abcc637d953fe5933be9b7724db6b370a01694c77d2845ce460be2063351a6841	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f00000000020000000000106600000001000020000000e6887a5aef4cc92056e868999b7d59f2f5ad0188916eae6eeec00f9804c8308b000000000e8000000002000020000000eef309ab32c30d8995b0deda0620fe920d3ab361d8424b36837eb23ec44632c02000000071694f31b4eecb1d0155572e6a2ca4fa6b31cfc331d019bd44fed481e7287b9040000000efc6015d47e9f5591fca212bb961d780b370e82df9d5633cbac325474dfe865c06d9083be51c466cf0a4b57e2abbce1ca3e8e6b2339c06e1291e64744d9f095e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078678"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f00000000020000000000106600000001000020000000e081edbbd0602b740fb17b3e0dad7f46794db69828f37616add0b05640126db5000000000e8000000002000020000000e686b3f41c2c74c224d2ad649e27ad2d7508a0c65c5d5eb132dd7eab4c8559c52000000048f7299105e3e83e671bc0edb1cfd3599e3480204b73ac592a1fd1b0f738cc8240000000a5fc14fb039ec2a809f5dc9763534884d05320343176af9a01c43fdf8eef598f74e61d45d5b9b4022f0239adedb085797314f9e3a3a17943b454f2b025b3ddf2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078677"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f0000000002000000000010660000000100002000000084914d9ef805a3a3f91aaab828d27ed4470c74d76865600a06fa2644ffe46bf5000000000e80000000020000200000008350ece9bcd3f4764ba3b8b9d03bb09860e68a915f5985accd28ea598b875d46200000009db9ef428109ede82ed520386561967e1032919f055f9346a4eeb2732417c39740000000cbf516de64af1c7b59b63d56e317ea8a0f7dd1954d390af9ca57ce6b4be932898f3c1bd0511029a3844289820794fe512bd78568b15f2676ba12b242f7150269	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{55C90AE0-A509-11EE-8024-72AE6231743A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4230581551"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f00000000020000000000106600000001000020000000f3778ba7cefbfd104d512acf57a82bbb4930d0428288551563c06501860f32ef000000000e8000000002000020000000321e1f66a4788f72ccbddd08e21b5b4aafd9753e197b6eb18b762d487de2fe522000000010b81a4976cb061ed4f03f3069492c1e4663a8251ad637760139d550d11f93c640000000be652cb5a27791809020b6ebc5213057f90a0ea681279c84f45c63a32ba711c209bea47f9c9349259805ecffcf0ed1995554d9f8f15f1793feb0010c944c0b9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ed60d6ae529e0e4187beee4fa1d8750f000000000200000000001066000000010000200000002884ffef391ddfbdfff880f3baecb3e979892bf1734282cdb75a35004c22bf58000000000e8000000002000020000000653e76665b47dae486693020d9f190195a84d34dd200215ec4c3624c80f1ce72200000003481feb2c7a346c7c041f4e47f819d115f4b4963730940463d7125f432bc11df40000000d88474d8c845a9db6362920a56346aa0611984ba9ddbf8ca978de25b3f464e23752eda57e34b9dac557e0eb7e5bd8e3bb72ceb4bd32279e52a8f8b8bb3bf2a55	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5B28B999-A509-11EE-8024-72AE6231743A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{71F9F995-A509-11EE-8024-72AE6231743A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4628	Kban2.exe
4628	Kban2.exe
4900	Kban3.exe
4900	Kban3.exe
4768	Kban1.exe
4768	Kban1.exe
3724	Kban5.exe
3724	Kban5.exe

Suspicious behavior: LoadsDriver 25 IoCs

pid	Process
644	Process not Found
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe
644	Process not Found
2940	Kban0.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	Kban4.exe
Token: SeDebugPrivilege	2188	Kban4.exe
Token: SeDebugPrivilege	2188	Kban4.exe
Token: SeDebugPrivilege	2188	Kban4.exe
Token: SeIncBasePriorityPrivilege	4628	Kban2.exe
Token: SeIncBasePriorityPrivilege	4900	Kban3.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe
Token: SeLoadDriverPrivilege	2940	Kban0.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
916	iexplore.exe
1848	iexplore.exe
1904	iexplore.exe
1996	iexplore.exe
5960	iexplore.exe
5240	iexplore.exe
1448	iexplore.exe
1524	iexplore.exe
1128	iexplore.exe
1528	iexplore.exe
5400	iexplore.exe
2000	iexplore.exe
1368	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4768	Kban1.exe
4768	Kban1.exe
916	iexplore.exe
916	iexplore.exe
4768	Kban1.exe
4768	Kban1.exe
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
1848	iexplore.exe
1848	iexplore.exe
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE
1904	iexplore.exe
1904	iexplore.exe
2516	IEXPLORE.EXE
2516	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
3104	IEXPLORE.EXE
3104	IEXPLORE.EXE
5960	iexplore.exe
5960	iexplore.exe
6016	IEXPLORE.EXE
6016	IEXPLORE.EXE
6016	IEXPLORE.EXE
6016	IEXPLORE.EXE
5240	iexplore.exe
5240	iexplore.exe
5568	IEXPLORE.EXE
5568	IEXPLORE.EXE
1448	iexplore.exe
1448	iexplore.exe
5188	IEXPLORE.EXE
5188	IEXPLORE.EXE
1524	iexplore.exe
1524	iexplore.exe
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1128	iexplore.exe
1128	iexplore.exe
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
1528	iexplore.exe
1528	iexplore.exe
5128	IEXPLORE.EXE
5128	IEXPLORE.EXE
5400	iexplore.exe
5400	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
2000	iexplore.exe
2000	iexplore.exe
5268	IEXPLORE.EXE
5268	IEXPLORE.EXE
1368	iexplore.exe
1368	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2940	376	1658856f99650fc701a84cd6f0c6cfc7.exe	75
PID 376 wrote to memory of 2940	376	1658856f99650fc701a84cd6f0c6cfc7.exe	75
PID 376 wrote to memory of 2940	376	1658856f99650fc701a84cd6f0c6cfc7.exe	75
PID 376 wrote to memory of 4768	376	1658856f99650fc701a84cd6f0c6cfc7.exe	91
PID 376 wrote to memory of 4768	376	1658856f99650fc701a84cd6f0c6cfc7.exe	91
PID 376 wrote to memory of 4768	376	1658856f99650fc701a84cd6f0c6cfc7.exe	91
PID 376 wrote to memory of 4628	376	1658856f99650fc701a84cd6f0c6cfc7.exe	90
PID 376 wrote to memory of 4628	376	1658856f99650fc701a84cd6f0c6cfc7.exe	90
PID 376 wrote to memory of 4628	376	1658856f99650fc701a84cd6f0c6cfc7.exe	90
PID 2940 wrote to memory of 916	2940	Kban0.exe	76
PID 2940 wrote to memory of 916	2940	Kban0.exe	76
PID 376 wrote to memory of 4900	376	1658856f99650fc701a84cd6f0c6cfc7.exe	89
PID 376 wrote to memory of 4900	376	1658856f99650fc701a84cd6f0c6cfc7.exe	89
PID 376 wrote to memory of 4900	376	1658856f99650fc701a84cd6f0c6cfc7.exe	89
PID 376 wrote to memory of 2188	376	1658856f99650fc701a84cd6f0c6cfc7.exe	88
PID 376 wrote to memory of 2188	376	1658856f99650fc701a84cd6f0c6cfc7.exe	88
PID 376 wrote to memory of 2188	376	1658856f99650fc701a84cd6f0c6cfc7.exe	88
PID 376 wrote to memory of 3724	376	1658856f99650fc701a84cd6f0c6cfc7.exe	87
PID 376 wrote to memory of 3724	376	1658856f99650fc701a84cd6f0c6cfc7.exe	87
PID 376 wrote to memory of 3724	376	1658856f99650fc701a84cd6f0c6cfc7.exe	87
PID 376 wrote to memory of 1084	376	1658856f99650fc701a84cd6f0c6cfc7.exe	83
PID 376 wrote to memory of 1084	376	1658856f99650fc701a84cd6f0c6cfc7.exe	83
PID 376 wrote to memory of 1084	376	1658856f99650fc701a84cd6f0c6cfc7.exe	83
PID 4628 wrote to memory of 2924	4628	Kban2.exe	82
PID 4628 wrote to memory of 2924	4628	Kban2.exe	82
PID 4628 wrote to memory of 2924	4628	Kban2.exe	82
PID 4900 wrote to memory of 2084	4900	Kban3.exe	77
PID 4900 wrote to memory of 2084	4900	Kban3.exe	77
PID 4900 wrote to memory of 2084	4900	Kban3.exe	77
PID 916 wrote to memory of 1064	916	iexplore.exe	78
PID 916 wrote to memory of 1064	916	iexplore.exe	78
PID 916 wrote to memory of 1064	916	iexplore.exe	78
PID 2940 wrote to memory of 1904	2940	Kban0.exe	79
PID 2940 wrote to memory of 1904	2940	Kban0.exe	79
PID 2940 wrote to memory of 1848	2940	Kban0.exe	118
PID 2940 wrote to memory of 1848	2940	Kban0.exe	118
PID 1848 wrote to memory of 4876	1848	iexplore.exe	121
PID 1848 wrote to memory of 4876	1848	iexplore.exe	121
PID 1848 wrote to memory of 4876	1848	iexplore.exe	121
PID 2940 wrote to memory of 4196	2940	Kban0.exe	120
PID 2940 wrote to memory of 4196	2940	Kban0.exe	120
PID 2940 wrote to memory of 1904	2940	Kban0.exe	128
PID 2940 wrote to memory of 1904	2940	Kban0.exe	128
PID 1904 wrote to memory of 2516	1904	iexplore.exe	129
PID 1904 wrote to memory of 2516	1904	iexplore.exe	129
PID 1904 wrote to memory of 2516	1904	iexplore.exe	129
PID 2940 wrote to memory of 2552	2940	Kban0.exe	130
PID 2940 wrote to memory of 2552	2940	Kban0.exe	130
PID 2940 wrote to memory of 1996	2940	Kban0.exe	135
PID 2940 wrote to memory of 1996	2940	Kban0.exe	135
PID 1996 wrote to memory of 3104	1996	iexplore.exe	136
PID 1996 wrote to memory of 3104	1996	iexplore.exe	136
PID 1996 wrote to memory of 3104	1996	iexplore.exe	136
PID 2940 wrote to memory of 2632	2940	Kban0.exe	137
PID 2940 wrote to memory of 2632	2940	Kban0.exe	137
PID 2940 wrote to memory of 5960	2940	Kban0.exe	148
PID 2940 wrote to memory of 5960	2940	Kban0.exe	148
PID 5960 wrote to memory of 6016	5960	iexplore.exe	149
PID 5960 wrote to memory of 6016	5960	iexplore.exe	149
PID 5960 wrote to memory of 6016	5960	iexplore.exe	149
PID 2940 wrote to memory of 6032	2940	Kban0.exe	150
PID 2940 wrote to memory of 6032	2940	Kban0.exe	150
PID 2940 wrote to memory of 5240	2940	Kban0.exe	157
PID 2940 wrote to memory of 5240	2940	Kban0.exe	157

C:\Users\Admin\AppData\Local\Temp\1658856f99650fc701a84cd6f0c6cfc7.exe
"C:\Users\Admin\AppData\Local\Temp\1658856f99650fc701a84cd6f0c6cfc7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\Kban0.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban0.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?RUN
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1064
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    PID:1904
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:904
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:1164
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4876
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:4196
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:3756
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:3100
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2516
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    - Modifies Internet Explorer settings
    PID:2552
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:4292
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:2376
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3104
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:2632
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:3088
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:5868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5960
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5960 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6016
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    - Modifies Internet Explorer settings
    PID:6032
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:5552
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:5220
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5240
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5240 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5568
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:5644
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:5532
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:5948
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5188
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    - Modifies Internet Explorer settings
    PID:5316
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:5472
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:4272
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1524
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:2492
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:5912
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:1692
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1128
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1128 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5356
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:5940
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:4900
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:444
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1528
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:5484
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:6060
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:220
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5400
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5400 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1692
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    - Modifies Internet Explorer settings
    PID:1756
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:4236
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:1544
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2000
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:5712
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:2880
- - C:\Windows\SYSTEM32\ipconfig.exe
    ipconfig.exe /renew
    3⤵
    - Gathers network information
    PID:4316
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://dh5566.3322.org/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1368
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:17410 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2512
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t2.asp?err
    3⤵
    PID:5388
- C:\Users\Admin\AppData\Local\Temp\Kban6.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban6.exe"
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\Kban5.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Users\Admin\AppData\Local\Temp\Kban4.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 684
    3⤵
    - Program crash
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\Kban3.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\Kban2.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\Kban1.exe
  "C:\Users\Admin\AppData\Local\Temp\Kban1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Kban3.exe > nul
1⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Kban2.exe > nul
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2188 -ip 2188
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26FEE4A6-A509-11EE-8024-72AE6231743A}.dat

Filesize
4KB

MD5
6e23b436227d2c791101375fcc7589c0

SHA1
eae1fd59f85bbb7697344594f4d5f569fd046d72

SHA256
33006fd92a08be68c997a6f7977bf85b173dba52db38cc5f7873923519926292

SHA512
4b2daf612d4d7814847c57793927c19a0e924023ebcd1522406c100837171b05ec5c140af3f172e9874c3d7a2b5b831c5b07087fca3d4d992e69c4be2491c944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26FEE4A6-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
ba757c9be1bcc41626129ce88a0d64ca

SHA1
3fb557a160967463e36bdc84e23ea5b37c8e8b04

SHA256
5cbf74b6b95274c90a8a52f0220a0da0ff1a4820720798e19da0ee1a025c1c3a

SHA512
b47de3d84dc91bdd425a46f8eb6bb7de929391e839e3f333f6d34818d597e13600ce53c31229bceeb7e3a997cc45e2887c6d638cf36485b43980f3363a78aa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3066EC51-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
873637344ca48e87935e96800a7b888e

SHA1
2ddbe1dc09e02c8c39fda301553604c24c4acee8

SHA256
1d616f24c1e77c91a74854c0f6c64a9e564078d9a917882f45df6c5eb3af8dd7

SHA512
5b1a11112e99e7fd454897dff07b9d1753b627c6c0f4eeefd7956ee85e26f02a14bdf2f9b2d7bb75bd1071f7b5dac677b515957b269933b80faeeae42a42b6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3066EC51-A509-11EE-8024-72AE6231743A}.dat

Filesize
4KB

MD5
6afb3689243188269c7c9b58673cae65

SHA1
f40b32a9b71ca6445b3b7fa9abe1cf75ef7cd703

SHA256
83af36be7eac7d3216ed9dbdd678ce5f3cb284e137780e3c218551433f4d596f

SHA512
501be3609b942f3ce6511b00a7002c9ca2c0c30a3a96ae02d78b45226c355d9deeba286a543c05a23a5cb8880c71c4cd2fedc8f22574c76e0a10f14181bd2e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3A92738D-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
492c0aeafc13ef4a32adc93b331947da

SHA1
4a3c9654ba05391bfddcbda56ec402bf0763f7c1

SHA256
2f8de5c097abf61082b617d5e6ef93a22f5b377883178e596a28832c02c91254

SHA512
a034ba78a61f9b90ea44375b7518c389609d01ecace6b40494af6287a26478738f1ac43586eef0b79aea5be57b559fc8e73079ae5913656fd2627aa70286ca33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3FDCAC9C-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
a0e0aa7788f5ddfefa8c256c0f516b30

SHA1
26cfd8d4eb5c6596228b7cf86775a63df9426c1f

SHA256
78d58d318288d2ffd21faae9cc4849b6b0c82e7e1fb795b5bceaca2e14d41628

SHA512
7bf2a3afed96bf689b4d2f87bc641915f8c8cc9f0d003705d3467a982c10906fc56e1e1c458931c4376511ab83f701add037c7a0c3e864d6292d4fe3e7b2139f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{453C5871-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
fa71d7d3935c592f59cc4e51df4a6c8b

SHA1
779f3d7ab33efe123d004bdc7068789b546a641a

SHA256
52d64c19749d8e621034b707d61c126b6679f6df9653a6f606af555224521e07

SHA512
37dc0c65b2ffbf3d51f79bdd3485e146d959c8329fa6f7a9dfaf8734a8f0cfdbf268948ecf1191915a1d25770e9aa1edab66c1ca47f5a6199663fd44b53c4fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{453C5871-A509-11EE-8024-72AE6231743A}.dat

Filesize
4KB

MD5
b8835db7a4166209f1686747faf01857

SHA1
6a142d6f3ff4a249cc12ed40f831b97c4bfefb33

SHA256
fb826bbb1a25992fb0a19844f34938e40b02b96a59708ced032acbd4cafa26cb

SHA512
3bf37dbbec4f1f50543bb52fb95e2dc3d881233163f2fb76cff8bd2be13986d237ccd377d6cfdf9311bd0ac7fa09ebf7e57e85d5ca1ff65acf53343a8841076e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{55C90AE0-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
edf3f745f2168b7c230ae7703b09b5b9

SHA1
4ffce12d0c0286188cfdd20d8269f57e4604e8de

SHA256
eca02ad15d730164587bad749ffda0669d79c272b8750795460e0d859f31e53e

SHA512
fc6ec3e2c847562a25686d911f949fa80fb4a82b11e0dc9783f85adf618bf450c1a0d65b57855f83be2e02a0a43ad7347d190da2c80f7455687cf8f911f1bc5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6096B334-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
531ae352f8cc712bf91b42248ad77174

SHA1
fd78d07fd1d020b9eab1850f4152e6634932b355

SHA256
edec9a24a002e06b88e36dd588a44aad25b271e192275ffdb8cf4dea2bc824b9

SHA512
a157ed4ac28736b766dad9187003694a61d2d96648939b7fe2958d406004d40f978339eca1bf067a07b0e0c2152cf4d66a7b58d244483b95b0fc53a7f0b5f230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C6114EA-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
605d5662682a8a7ee5a26d7e85a57f01

SHA1
80778884b73ff39797acffdaae0a8c46700877a6

SHA256
e4d7757ea9bfcecaeae2e8b1babac97946ccb2ae45d04d5f485b14562130bc48

SHA512
15eea42bba92c100e90ddf19c8f65e83726bc68b8b772a761308c0c6482fafb8643883ed7a4596bfceb7697f0572af06b3936150bb385679e5cc5bf3bd5a0e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{778232E9-A509-11EE-8024-72AE6231743A}.dat

Filesize
5KB

MD5
561104d9591f678cfd888c6c7f489b09

SHA1
7d5128f635df4120d2bcf47fff15420cf4dbb79f

SHA256
b6cc62c6102c0e1c0de1bb3a56a83d9d42f99d6220de1d8b605136a3e7561251

SHA512
a8e0b3ec625fe8730b632077b243497bc75b7616d0a84a05fe8e834d468430b5c8cab2d9cbb501de6e0bbb9248039e0224cef91d9d68ed12d2e280b3a4bbeead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BPK32G26\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BPK32G26\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DV2I56HE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4T5ISGA\dnserror[1]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4T5ISGA\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban0.exe

Filesize
166KB

MD5
b7bf2bace19dc2c1134be23b2e717dcb

SHA1
6e6ed614b3571544fc8b571eda7efa8c6ef2b7f2

SHA256
72c0a129e62e937eaece53909c69f46f2ea81f27c4ddf15b07c089e7de5cd6f6

SHA512
aebcf3ee89afb4b9c33d08ef036b25868e7eda183bcd4fea675d26d405376172cc31daed370a4be2bed7007d9bdeb891aef8be4de141b847cb27e00c73f82674

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban0.exe

Filesize
12KB

MD5
6ba1dfd7688e9686b986da758c54b870

SHA1
69e1336cca457921d5710f34cf999aead9e950c7

SHA256
8b9a98dfd2988faecb0b6941dd3aff471dfcad689b5a7aab885bf4591083e901

SHA512
455a5f752256e24314c880bd1ab1ad00ce3a8bebf71c0c384bca7525a9bd0390b7646510f2bb7ad64c98821c35af105411a704caa761c8928e7fb1b71a182fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban0.exe

Filesize
121KB

MD5
812e0fc6ba2d83bd9f5c0d00a123915f

SHA1
4f4c9d0b4fb26269ce3d4e22dba1f2ee04d8fccb

SHA256
e0a7a786e2bf3d339ec3fe527bbc4af646c5824f5650ee6a7581f49da1d49ce7

SHA512
6781aa496f2915a38ef3ac4e3515b11a005ad9dd17b4f7cc8f289413fae06cd7902d7427f7761b2f7e5e2e147e66c26603fa73bbed22f044d83594b942ec0fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban1.exe

Filesize
60KB

MD5
2db6caa6660f9274a936d0e76c2e1467

SHA1
ebef53a232b8a7df07a1852dc2df00fd5e0170f8

SHA256
5a42c182084ec1529b0fa12a32838e8dba89965fd3c8ecbdb78ba64a086defb0

SHA512
5a6e8b44e9b96b69488d1c0caa052733339105b6fccca9969e69fbf285693b15226e8bea377f9740816bc9f153c36747b7fa8d86c3c4f1c400d55ff4838dd336

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban2.exe

Filesize
94KB

MD5
71cd1598c825c565f59c1d77a244e3c1

SHA1
3d07afc765b47d2eaaa092bf053fd81735a24854

SHA256
fcfb120376912e78da174fd05e765f4b7aad60dbcde9f822e225c6a0e3fef288

SHA512
5eea477fdefecb24005250837bf2742839c659221b6fb82fea661d82e759f93b1591861fd8dc684f8e2dd81e481a373ab9331cae35e43c05ad85a4bcddf38d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban3.exe

Filesize
168KB

MD5
aab9eaff83a05f040e21fe323614b034

SHA1
daf154c6e283024cefd29766e5ab9df40b7a94c1

SHA256
68365f26639cf5fd8995387a6fead8d8b41e37bfbda1e4624dc2648d50f4d149

SHA512
9992b541b8d9951da7b4182d94c005f3aa197e675515209157b954848ed6d658b4f8fcb4bf98584053e3e70c168305e507fa9774fffc0ad308b0d8300756a88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban3.exe

Filesize
46KB

MD5
969c6a3806a9b7f39ea25d6ed087d10f

SHA1
a6952b5901236f5ab8d4d005db6110562151f27b

SHA256
6dfd866521444e8d9365737d69635ef339d955e98ef8512aaed5c5ef68a17e13

SHA512
e0578aea530f46d62a57b1cc404e29becb3eec5c2ef4f5635aad4db777d72a9420ec6c5333f5db6b8a68612e1fba3505f425f87bf351987ea4d320edb6a21a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban3.exe

Filesize
162KB

MD5
8e54d783ab7eccf8700552c04a10e59d

SHA1
399fdd1d28b67a1c987209628173ca998bbd1c4e

SHA256
39eadfd0ffc0a77229e117d417d4611d5aa55b930df87e27af637005319b9760

SHA512
b50de80f09b69ec8484d2de314e357a3ba097a52278b4a76c092995e3b451c3f7f6341d2231e8b2a137d52901d6ac8e234acf76cdddb194c83687f7ca7846cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban4.exe

Filesize
107KB

MD5
2a1d53324fe86f9f0060b335bb66af1a

SHA1
59936a50a8df83bd07f229cbd12cc1007c3bfe7b

SHA256
0093ccf68a431e633e3806c8d3b74babb30f6e94983af8093cf68493d4eb7746

SHA512
bec1c98e995bb8327fa321bc71ccf7d0050e206cf9521903cccc87fd0c2a5e0ef36149d21bbaf7cdf4a48d4958a05e1b991305742dcbc20bbf51092d3792af48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban4.exe

Filesize
145KB

MD5
a289cc6d8197ad25bb1577bf248c82ab

SHA1
86eb04f557526f6a81be328cfef3250490d185f4

SHA256
956b755affed4a34b50c3aa0ffbb2142e51b93f0adf2ed65377cb37baa017614

SHA512
98703c2cbc34e428386fedde9472cb14e2df3145e235f768d9b6ab6e7090929ec31f95c5be0cbb9220b7f3c41bdfebdf7f7c670cb44725ee6130e164fedaac77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban4.exe

Filesize
59KB

MD5
ebca6a436e8b460e68ebfd572eb8d908

SHA1
ae75903539a91fd292f4d75f88ec96c44b26f7d8

SHA256
a4d77d0d03b28e4cdfe03b6e3731bc700e03932797abfaf4f8a08a60a46b7628

SHA512
80c5552a9d0339210a1518b0c007b38c34ffb5be5bf2ca3b8ae538d8854705d0f714120e38a2587a2156764f9ab67e66ad923047e9c6b4e340f7672a0dd30a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban5.exe

Filesize
84KB

MD5
bd3c171444f9b9bd4f5537290ab19bfe

SHA1
a70e91f505b39f62c2b79dad25c8529491836c20

SHA256
c2161a0b26e079aeec83f13b12c80020dcc521a3d2e3719507a3590a02b4e542

SHA512
d4c62d1cb258ce719e2d1525493212b6d4f84dbd4b20c1ffbea708717978388f0a2ed49e2ad8169e0cf68d19979a6a666dfb49328ec2c465833b6f1d674f26da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban5.exe

Filesize
61KB

MD5
257be00bb738bb2cfffe250ba868fae5

SHA1
2d2d3869431963cfbd3116d7fb1aa604122f0eb2

SHA256
b095f35a7c5aed1d908a3f91125f52cd134b9c66650d883423f1f53980ab728f

SHA512
db15b52e56c6c42ff2be89f6cbb51e978295ee2d23e1c21e4ff70883c381fc624f1ed9eae19557cdb87bf742318615c794f61be3d1b57ee20ad2d26ce56d489d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban6.exe

Filesize
26KB

MD5
4f3bd11d0fad6ed3c6178fcb2345e106

SHA1
38dff4ee69e9699050b75ea6c66cb35526c9ef16

SHA256
cd6e664fdd8e652b72eb142a053e2111089f5e9ef291735695dbfffbf780c2d8

SHA512
52ecb7b37f69d0f077607cd2801d201e5d3619034098cb1acab300ab0ad8e700405591acb2a4c593db0574c60ebd48c0e390bd118a24ab88eed20b8dd2956bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban6.exe

Filesize
58KB

MD5
52632f57a7280ce374a1f47d494b6aed

SHA1
0b9f6f0f1b1b00999142c5682a13bc3ec6139517

SHA256
fdeb43a1fa28e3aeec26275995d072455b96d4668660204e56e25eb79324cbc4

SHA512
6dd8880aaa3a8691591de3cdaa0c8685b06b0de8a64c4d930737b1e2d70171b18507848089a7c93416524b64d1d89fdac69ae1a9be7ce5ae9d30bbc2578a1048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kban6.exe

Filesize
1KB

MD5
6fb1675b357abb9392742cf215056175

SHA1
7523e5366a69b589e95885b0f7ebad479359e6c1

SHA256
bbfa8c726e3f6f706f006a3a1ae51ff5414d3ac333352b84d6b5f7561db61c5f

SHA512
d7dda0669ab7e8d4c79cf52aede1cbfa1538064ec35139f81cecb1719d6a2a19686af01374525735c2521b836e0be1dce29d114d4b2bcf092c8e85c6bef48a95

Download Submit
memory/376-76-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2188-85-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2188-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2940-13-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2940-90-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/2940-11-0x00000000001A0000-0x0000000000223000-memory.dmp

Filesize
524KB

Download
memory/3724-72-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3724-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4628-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-78-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4900-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download