Malware Analysis Report

2025-08-06 04:27

Sample ID: 220320-dypawsgab3
Target: ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba
SHA256: ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba
Tags: gozi_ifsb, 1051, banker, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba

Threat Level: Known bad

The file ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 1051 banker trojan

Gozi, Gozi IFSB

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-20 03:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-20 03:25

Reported: 2022-03-20 18:17

Platform: win7-20220310-en

Max time kernel: 4294213s

Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A7CDE20-A882-11EC-9663-D62D82028222} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe

"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.s-microsoft.com udp
NL 104.80.225.163:80 c.s-microsoft.com tcp
NL 104.80.225.163:80 c.s-microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.123.41.162:80 www.microsoft.com tcp
NL 104.123.41.162:80 www.microsoft.com tcp
US 8.8.8.8:53 assets.onestore.ms udp
NL 23.2.172.62:443 assets.onestore.ms tcp
NL 23.2.172.62:443 assets.onestore.ms tcp
NL 104.123.41.162:443 www.microsoft.com tcp
US 8.8.8.8:53 statics-marketingsites-wcus-ms-com.akamaized.net udp
US 8.8.8.8:53 ajax.aspnetcdn.com udp
NL 104.123.41.162:443 www.microsoft.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
FR 2.22.22.97:443 statics-marketingsites-wcus-ms-com.akamaized.net tcp
US 152.199.19.160:443 ajax.aspnetcdn.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 152.199.19.160:443 ajax.aspnetcdn.com tcp
FR 2.22.22.97:443 statics-marketingsites-wcus-ms-com.akamaized.net tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp

Files

memory/1752-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

memory/1752-55-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1752-56-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1752-57-0x00000000002E0000-0x00000000002EF000-memory.dmp

memory/1752-58-0x0000000001DB0000-0x0000000001DB2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-20 03:25

Reported: 2022-03-20 18:16

Platform: win10v2004-en-20220113

Max time kernel: 149s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C09374E0-809F-11EC-B9A5-76D18A13ADEA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000007605e53b51774b39497d8bab8de7a1f09ee07db94ab913e6b1ecd6184e5c1e89000000000e8000000002000020000000188de85469274ff8ab617493987f1b6515710fa44bb09cca9f8a4ff14e7f3f092000000059d59c3daa0b64abe46311a1ebfaabe6bd43a40b63ce1e3ddbfbdcd596eaba2f40000000c0d8568cb3150994a8abbd34db4d140e256b08508aaf128d7f9469afbb60ffcbdde4d299cc04821ad244081383bf3d60881ff33551cd16fc3b2283fe31f286c7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10596b7cac14d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2668447343" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30948486" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000066a33e1b1bee11caa657267238c866e786ca22d02acd75aad3bede657d7a0dac000000000e800000000200002000000068e53de72bbad038ee94c868f1de911a82d9f67a7b9d1194e9af3696994fa4bb200000006554c0184858e204b6170f206bcc489760eb7edaa9e290322f953959bbd61c48400000007c000e8f1e03b35b913b5c0d16274c25e4116b3289b1ce7ab2b4d64aabb62bec049a2a107d09e9cf2bde742fa34231b35bb507f23c04a524cd697ba14b7a8df3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a0a583ac14d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d42d91ac14d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d25ea1863cd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2668447343" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000b1c11da8a9ed14fd054b7ac5f6d9c61576e5d75818ba066deae343f6a3ff691c000000000e8000000002000020000000642159a9631bf933038775af794f39bd819f8dbc6a4bb749c2fa274ff0f3e05330000000c5cc476dfe0585f183b441158f23e27d145dee3329a9fb3529bfeac76d7d5d5ad883239e03e225757189f12e9849d41a40000000f6f4ab165016f0aefb92c6de3b3110a764e0b4d958b26b68d6bc97bcdc96f22db4ab77be77e42c1af600a68709e7e46af9467d223e324a232f43bd76ab3ab12d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f4a7a2863cd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30948486" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CABB95F1-A879-11EC-B9A5-76D18A13ADEA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CDB2C305-809F-11EC-B9A5-76D18A13ADEA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 4840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4812 wrote to memory of 4840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4812 wrote to memory of 4840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3720 wrote to memory of 844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3720 wrote to memory of 844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3720 wrote to memory of 844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3128 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3128 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3128 wrote to memory of 632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2012 wrote to memory of 612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe

"C:\Users\Admin\AppData\Local\Temp\ef78d1bc0863a7e939b37e2daefe96450cd44e207d52e8663030fb1780eea7ba.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4812 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3720 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 67.24.25.254:80 tcp
US 8.8.8.8:53 c.s-microsoft.com udp
US 67.24.25.254:80 tcp
NL 104.80.225.163:80 c.s-microsoft.com tcp
NL 104.80.225.163:80 c.s-microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.123.41.162:80 www.microsoft.com tcp
NL 104.123.41.162:80 www.microsoft.com tcp
US 8.8.8.8:53 assets.onestore.ms udp
NL 23.2.172.62:443 assets.onestore.ms tcp
NL 23.2.172.62:443 assets.onestore.ms tcp
NL 104.123.41.162:443 www.microsoft.com tcp
US 8.8.8.8:53 statics-marketingsites-wcus-ms-com.akamaized.net udp
FR 2.22.22.112:443 statics-marketingsites-wcus-ms-com.akamaized.net tcp
FR 2.22.22.112:443 statics-marketingsites-wcus-ms-com.akamaized.net tcp
US 8.8.8.8:53 ajax.aspnetcdn.com udp
US 152.199.19.160:443 ajax.aspnetcdn.com tcp
US 152.199.19.160:443 ajax.aspnetcdn.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
NL 104.123.41.162:443 www.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
US 13.107.246.52:443 wcpstatic.microsoft.com tcp
NL 88.221.144.170:80 tcp
NL 88.221.144.170:80 tcp
US 20.42.73.25:443 tcp
US 8.8.8.8:53 vlasdmkdmewnfjfnd.xyz udp
US 8.8.8.8:53 vlasdmkdmewnfjfnd.xyz udp
US 8.8.8.8:53 c.s-microsoft.com udp
NL 104.80.225.163:80 c.s-microsoft.com tcp
NL 104.80.225.163:80 c.s-microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.123.41.162:443 www.microsoft.com tcp
NL 104.123.41.162:443 www.microsoft.com tcp
US 8.8.8.8:53 statics-marketingsites-eus-ms-com.akamaized.net udp
FR 2.22.22.139:443 statics-marketingsites-eus-ms-com.akamaized.net tcp
FR 2.22.22.139:443 statics-marketingsites-eus-ms-com.akamaized.net tcp
US 8.8.8.8:53 ajax.googleapis.com udp
NL 142.251.36.42:80 ajax.googleapis.com tcp
NL 142.251.36.42:80 ajax.googleapis.com tcp
NL 142.250.179.132:80 www.google.com tcp
NL 142.250.179.132:80 www.google.com tcp
US 8.8.8.8:53 vlasdmkdmewnfjfnd.xyz udp

Files

memory/2564-130-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2564-131-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/2564-132-0x00000000021E0000-0x00000000021EF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5 3e8bf3e678b229ffd960820dcddd209f
SHA1 df93373e96533d0afac7d3749d838c80c70c7c89
SHA256 959e61d046198d29665a00fd0699adce385ed3e2a08d5ee3db4893b2337e787e
SHA512 b6684986056d220c00667b4f5f7cbfb09e8caf45d2f480278968ec7381bc453c0fefa8f4c0747f0bb0294bd9fa776975f9db76382d0cac3cb11728070f980364

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5 04596d39d4a61098d996ad20ad539d8b
SHA1 c03b038b4ada55ccffc490a1c4d5fabe5285bd8a
SHA256 5235a2002f650c076090918f3d037d21d2d621112dfad3d8f960a936ea7065c1
SHA512 d624eef633b55f6d63e4a6e3ba1016deaa3dd9a6a26f2da4e3e4fec0b2660c6dc8f5c1627d9f589dd135d19ad1f7977949e8f9d85aabf54a275fdf337451c06f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\mwf-west-european-default.min[1].css

MD5 12dd1e4d0485a80184b36d158018de81
SHA1 eb2594062e90e3dcd5127679f9c369d3bf39d61c
SHA256 a04b5b8b345e79987621008e6cc9bef2b684663f9a820a0c7460e727a2a4ddc3
SHA512 f3a92bf0c681e6d2198970f43b966abdf8ccbff3f9bd5136a1ca911747369c49f8c36c69a7e98e0f2aed3163d9d1c5d44efce67a178de479196845721219e12c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\jquery-1.9.1.min[1].js

MD5 397754ba49e9e0cf4e7c190da78dda05
SHA1 ae49e56999d82802727455f0ba83b63acd90a22b
SHA256 c12f6098e641aaca96c60215800f18f5671039aecf812217fab3c0d152f6adb4
SHA512 8c64754f77507ab2c24a6fc818419b9dd3f0ceccc9065290e41afdbee0743f0da2cb13b2fbb00afa525c082f1e697cb3ffd76ef9b902cb81d7c41ca1c641dffb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

MD5 72cfb77407b615e84d1cf09cf793f2a2
SHA1 f7db51d9a38465768b75db834fa6af7010da1df4
SHA256 10f44d67774092f89cbbb029236ac03d36a5be94bee6b224db25986261aa7403
SHA512 d7121a1f97bc2857031d4cf293daea3fd9e78a0e0c379e53b2083dd46f0e34ed9d1331cf743a6847031717391c47614cdeaceb097f40abc61ad702e4d08e2c23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6

MD5 7a148a6565822eba0272816e45b9536a
SHA1 4d8596e44f27bc89afd0d321e38c24be889834af
SHA256 c6540ca31096d0a1e56506fe541ef7f2ac0fbd0b8fe2a16541ac80e0681f462b
SHA512 a12282fcf7624f750c1700244c7e3566f5cdd14587e6241556a84791cb5b57ca4b0e6be6a9c2f6f17d2e373681d4c3673537fa96b4f1cd35edcf58e8d4fc07c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\wcp-consent[1].js

MD5 6dac845917017b70135ccf8af68d6b2e
SHA1 418dea43a8eefe05ac7138445cf7d1e093aaf17f
SHA256 768304ececf64109acb1144a4a5fb1ea56ccadf675c60b65956dfad07a8d5ceb
SHA512 205e15cc7be1b631c6ca47254207060f9eb72190f1f161ef1b1d5b3ae5d77b7382c7bdb08a38aaadae75b48d68b920d0ced3c692c1000556bc568bbea29d4e55

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G62MFOMV\RE1Mu3b[1].png

MD5 9f14c20150a003d7ce4de57c298f0fba
SHA1 daa53cf17cc45878a1b153f3c3bf47dc9669d78f
SHA256 112fec798b78aa02e102a724b5cb1990c0f909bc1d8b7b1fa256eab41bbc0960
SHA512 d4f6e49c854e15fe48d6a1f1a03fda93218ab8fcdb2c443668e7df478830831acc2b41daefc25ed38fcc8d96c4401377374fed35c36a5017a11e63c8dae5c487

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\MWFMDL2[1].ttf

MD5 5410c5517f1bbeb51e2d0f43bc6b4309
SHA1 4adf2d3a889a8f9d71fac262297302086a4a03f4
SHA256 2f4e38662c0ff2fab3eb09dcb457cd0778501bffee4026f6b0d9364abb05db46
SHA512 e0ef3bca5cef4b6b69ce09fc5295e21a5d151912585ae80703139550bd222ef463cba856ea7f37e9d8bef21eebd7790e3a7d81d580469997a8708b11b00e61bd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YZU4W80K\MWFMDL2[1].woff

MD5 5ed659cf5fc777935283bbc8ae7cc19a
SHA1 a0490a2c4addd69a146a3b86c56722f89904b2f6
SHA256 31b8037945123706cb78d80d4d762695df8c0755e9f7412e9961953b375708ae
SHA512 fccbe358427808d44f5cdfcf1b0c5521c793716051a3777aafde84288ff531f3e68fbc2c2341bbfa7b495a31628eab221a1f2bd3b0d2cc9dd7c1d3508fde4a2f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G62MFOMV\mwfmdl2-v3.54[1].woff

MD5 d0263dc03be4c393a90bda733c57d6db
SHA1 8a032b6deab53a33234c735133b48518f8643b92
SHA256 22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12
SHA512 9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2a8015e5dac8de39f4df8811aa27dcfb
SHA1 c342ec81aaf4ab5ce033c986b9b5034334096512
SHA256 37e469f9b4430560926a4e8536c5d86d8293bd833514b3b15a1b86d2745ba3c0
SHA512 5a1f0264eafff592e2ea980d609457bfd2cab1032cdbf94c8be6bb17abf6067cd53f85e4df33c9d95b33c842542ecc1f15cafab06813c70ca52206b7e58058b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 74114eea1a53c02b6108e0e0cb25bea6
SHA1 65ab1f85ab8303766c667f802d8a5eecabfa8ff2
SHA256 dd59fe5c7e85bb227a797d4a2af7749010dd1fd7dc663d01dc569ea9cc9f2f2b
SHA512 c61db57329fa7b57a32b09dfe188ccc5b2a363626819b6ea3ce3013b670f483dd6f49665946f3e969859a5b359cf527b2d372a27845a11b8f259d7bffd6668bc

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml

MD5 39a0a06674b3989e837d9bc61964a1e7
SHA1 b1ed0766eea5a02570891c155ee941ddf67eb404
SHA256 515fbf7867c4bd5b4a19ae622dc484f54ede432c1a9ef3237568b3b2710aef0a
SHA512 50ba831436e0427274f8eec04216268a0b34ea2568dff275004723c86dc105d083b0259581f24b14987cd2806d87b575a83e93d9a627dcafcfe370521956e356