IOCReport


Files

File Path | Type | Category | Malicious
https://securemailcenter.citigroup.com/branding/citi/emx/images/emailBanner.gif | URL | initial url | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{72BD4AA8-CA70-11EB-90EB-ECF4BBEA1588}.dat | Microsoft Word Document | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{72BD4AAA-CA70-11EB-90EB-ECF4BBEA1588}.dat | Microsoft Word Document | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{72BD4AAB-CA70-11EB-90EB-ECF4BBEA1588}.dat | Microsoft Word Document | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\emailBanner[1].gif | GIF image data, version 89a, 150 x 68 | downloaded | clean
C:\Users\user\AppData\Local\Temp\~DF280D04EE554E50CF.TMP | data | dropped | clean
C:\Users\user\AppData\Local\Temp\~DF2B830054C2999F0C.TMP | data | dropped | clean
C:\Users\user\AppData\Local\Temp\~DF4E2977DE7B6AC2F0.TMP | data | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\internet explorer\iexplore.exe | 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | clean
C:\Program Files (x86)\Internet Explorer\iexplore.exe | 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6492 CREDAT:17410 /prefetch:2 | clean

URLs

Name | IP | Malicious
https://securemailcenter.citigroup.com/branding/citi/emx/images/emailBanner.gif | | clean
http://www.wikipedia.com/ | unknown | clean
http://www.amazon.com/ | unknown | clean
http://www.nytimes.com/ | unknown | clean
http://www.live.com/ | unknown | clean
https://securemailcenter.citigroup.com/branding/citi/emx/images/emailBanner.gif | unknown | clean
http://www.reddit.com/ | unknown | clean
http://www.twitter.com/ | unknown | clean
http://www.youtube.com/ | unknown | clean
https://securemailcenter.citigroup.com/branding/citi/emx/images/emailBanner.gifRoot | unknown | clean

Domains

Name | IP | Malicious
securemailcenter.citigroup.com | 192.193.154.4 | clean

IPs

IP | Domain | Country | Malicious
192.193.154.4 | securemailcenter.citigroup.com | United States | clean

Registry

Path | Value | Malicious
C:\Program Files\internet explorer\iexplore.exe | {72BD4AA8-CA70-11EB-90EB-ECF4BBEA1588} | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | Blocked | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | LoadTimeArray | clean
C:\Program Files\internet explorer\iexplore.exe | LoadTimeArray | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | Blocked | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | LoadTimeArray | clean
C:\Program Files\internet explorer\iexplore.exe | Count | clean
C:\Program Files\internet explorer\iexplore.exe | Time | clean
C:\Program Files\internet explorer\iexplore.exe | LoadTimeArray | clean
C:\Program Files\internet explorer\iexplore.exe | CVListPingLastYMD | clean
C:\Program Files\internet explorer\iexplore.exe | DecayDateQueue | clean
C:\Program Files\internet explorer\iexplore.exe | LastProcessed | clean
C:\Program Files\internet explorer\iexplore.exe | DecayDateQueue | clean
C:\Program Files\internet explorer\iexplore.exe | LastProcessed | clean
C:\Program Files (x86)\Internet Explorer\iexplore.exe | @C:\Windows\System32\ieframe.dll,-912 | clean
C:\Program Files (x86)\Internet Explorer\iexplore.exe | @C:\Windows\System32\ieframe.dll,-904 | clean

Memdumps

Base Address | Region Type | Protect | Malicious
7FF54DB31000 | unknown | page readonly | clean
7FF5CC248000 | unknown | page readonly | clean
1BF01950000 | unknown | page readonly | clean
7FF55C3FA000 | unknown | page readonly | clean
7FF5CCB0F000 | unknown | page readonly | clean
29402813000 | unknown | page read and write | clean
2940283C000 | unknown | page read and write | clean
7FF5CCA11000 | unknown | page readonly | clean
7FF54DA2A000 | unknown | page readonly | clean
1C47F980000 | unknown | page readonly | clean
2D76E049000 | unknown | page read and write | clean
7FF556A47000 | unknown | page readonly | clean
1B436F40000 | unknown | page readonly | clean
2D76E04E000 | unknown | page read and write | clean
2D76E055000 | unknown | page read and write | clean
7FF5569FC000 | unknown | page readonly | clean
7FF5CC6A2000 | unknown | page readonly | clean
1B43623C000 | unknown | page read and write | clean
7FF55C291000 | unknown | page readonly | clean
2940288E000 | unknown | page read and write | clean
D3A277E000 | unknown | page read and write | clean