Analysis Overview
SHA256
ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba
Threat Level: Known bad
The file ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-20 03:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-20 03:25
Reported
2022-03-20 18:17
Platform
win7-20220310-en
Max time kernel
4294213s
Max time network
160s
Command Line
Signatures
Gozi, Gozi IFSB
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A7CDE20-A882-11EC-9663-D62D82028222} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1204 wrote to memory of 1800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1204 wrote to memory of 1800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1204 wrote to memory of 1800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1204 wrote to memory of 1800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe
"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-20 03:25
Reported
2022-03-20 18:16
Platform
win10v2004-en-20220113
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Gozi, Gozi IFSB
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C09374E0-809F-11EC-B9A5-76D18A13ADEA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000007605e53b51774b39497d8bab8de7a1f09ee07db94ab913e6b1ecd6184e5c1e89000000000e8000000002000020000000188de85469274ff8ab617493987f1b6515710fa44bb09cca9f8a4ff14e7f3f092000000059d59c3daa0b64abe46311a1ebfaabe6bd43a40b63ce1e3ddbfbdcd596eaba2f40000000c0d8568cb3150994a8abbd34db4d140e256b08508aaf128d7f9469afbb60ffcbdde4d299cc04821ad244081383bf3d60881ff33551cd16fc3b2283fe31f286c7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10596b7cac14d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2668447343" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30948486" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000066a33e1b1bee11caa657267238c866e786ca22d02acd75aad3bede657d7a0dac000000000e800000000200002000000068e53de72bbad038ee94c868f1de911a82d9f67a7b9d1194e9af3696994fa4bb200000006554c0184858e204b6170f206bcc489760eb7edaa9e290322f953959bbd61c48400000007c000e8f1e03b35b913b5c0d16274c25e4116b3289b1ce7ab2b4d64aabb62bec049a2a107d09e9cf2bde742fa34231b35bb507f23c04a524cd697ba14b7a8df3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a0a583ac14d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d42d91ac14d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d25ea1863cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2668447343" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f4a7a2863cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30948486" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CABB95F1-A879-11EC-B9A5-76D18A13ADEA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CDB2C305-809F-11EC-B9A5-76D18A13ADEA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe
"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4812 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3720 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:17410 /prefetch:2
Network
Files