Malware Analysis Report

2025-08-10 18:19

Sample ID 220208-v3fyracagp
Target b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5
SHA256 b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5
Tags
upx gozi_ifsb
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5

Threat Level: Known bad

The file b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5 was found to be: Known bad.

Malicious Activity Summary

upx gozi_ifsb

Gozi_ifsb family

Executes dropped EXE

UPX packed file

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-08 17:30

Signatures

Gozi_ifsb family

gozi_ifsb

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-08 17:30

Reported

2022-02-08 20:22

Platform

win7-en-20211208

Max time kernel

121s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\TeamViewer C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A
File created C:\Program Files\TeamViewer\__tmp_rar_sfx_access_check_259407479 C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A
File created C:\Program Files\TeamViewer\TeamViewer_Service.exe C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A
File opened for modification C:\Program Files\TeamViewer\TeamViewer_Service.exe C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe

"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\2F3C.bat C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe

3.exe

Network

N/A

Files

memory/1620-53-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\2F3C.bat

MD5 7688e4b2098cc4bfb5295d55d3659381
SHA1 5f4b29aa961de5446d76b445e64d943267c8f08f
SHA256 614cb24d7c29f1bea256029241387424d6678baa8b84cdb3e88267627d186232
SHA512 2a75038fa98c8e7b787e51ca5756757e3a7ff736844852fce7c9915774eaaba31b5ca173165072345a90bfdd71b386550d3e97edbacd927779ec01af90f0820a

C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe

MD5 e0164ff6ee36e49def5b6b851d38d22b
SHA1 1f0970e333c8a9e1be5af51576e27409ef978c1e
SHA256 c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e
SHA512 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1

C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe

MD5 e0164ff6ee36e49def5b6b851d38d22b
SHA1 1f0970e333c8a9e1be5af51576e27409ef978c1e
SHA256 c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e
SHA512 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-08 17:30

Reported

2022-02-08 20:23

Platform

win10v2004-en-20220113

Max time kernel

151s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\TeamViewer C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe N/A
File created C:\Program Files\TeamViewer\__tmp_rar_sfx_access_check_30264765 C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe N/A
File created C:\Program Files\TeamViewer\TeamViewer_Service.exe C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe N/A
File opened for modification C:\Program Files\TeamViewer\TeamViewer_Service.exe C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe

"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\975B.tmp\975C.bat C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"

C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe

3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
AU 104.46.162.226:443 tcp
US 20.190.151.69:443 tcp
US 20.190.151.69:443 tcp
US 8.8.8.8:53 crl3.digicert.com udp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.168.112.67:443 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.238.20.126:80 tcp
US 93.184.220.29:80 crl4.digicert.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\975B.tmp\975C.bat

MD5 7688e4b2098cc4bfb5295d55d3659381
SHA1 5f4b29aa961de5446d76b445e64d943267c8f08f
SHA256 614cb24d7c29f1bea256029241387424d6678baa8b84cdb3e88267627d186232
SHA512 2a75038fa98c8e7b787e51ca5756757e3a7ff736844852fce7c9915774eaaba31b5ca173165072345a90bfdd71b386550d3e97edbacd927779ec01af90f0820a

C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe

MD5 e0164ff6ee36e49def5b6b851d38d22b
SHA1 1f0970e333c8a9e1be5af51576e27409ef978c1e
SHA256 c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e
SHA512 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1

C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe

MD5 e0164ff6ee36e49def5b6b851d38d22b
SHA1 1f0970e333c8a9e1be5af51576e27409ef978c1e
SHA256 c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e
SHA512 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1

memory/2984-133-0x000002341F620000-0x000002341F630000-memory.dmp

memory/2984-134-0x000002341F680000-0x000002341F690000-memory.dmp

memory/2984-135-0x0000023421D40000-0x0000023421D44000-memory.dmp