Analysis Overview
SHA256
9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0
Threat Level: Known bad
The file 9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Drops file in Windows directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-21 08:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-21 08:14
Reported
2022-03-21 08:17
Platform
win7-20220311-en
Max time kernel
4294180s
Max time network
127s
Command Line
Signatures
Gozi, Gozi IFSB
Processes
C:\Users\Admin\AppData\Local\Temp\9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0.exe
"C:\Users\Admin\AppData\Local\Temp\9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-21 08:14
Reported
2022-03-21 08:17
Platform
win10v2004-20220310-en
Max time kernel
154s
Max time network
170s
Command Line
Signatures
Gozi, Gozi IFSB
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk= | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT582A.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314 | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT4DC9.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4 | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT585A.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITB580.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT48B7.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A= | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITB3D9.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8= | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT4868.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BITC0EA.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BITC1F5.tmp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT478C.tmp | C:\Windows\System32\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000ed87689215e364eeea990b4744e05720c20e91288ab79e07b4fca98a12201ed0000000000e800000000200002000000070555f4dd7d222a3d5c6fbac8c6347e86c4dfcd85f4416af2e4634713ff5be3c2000000022063318f7dd25a4c7828e39dd943a7b309f0486ad7195f4115ecbc67c2ed0ea40000000520e7d1e6f2cafa8b8542ce573fc196b7b2c2937d4b47a9255296a58b2e2ada6f34683d088c9fe7f7d0293aa59e813f4bdec9fec5da44fb4fc2e1c8dd1a4ac88 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0dd73f1fb3cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000dc481d66af9bc08940342585490ea96cbdd5e4843969a1dc99d1c7dbb96b5a35000000000e8000000002000020000000cad7943cdabae78edfb5ee86227eb3bce6290793b8731328f65aeace40ae1c1a2000000081cb97772e443a31b13c096e2d344968e7d7b45881220dfa297a1ab4aa050970400000001a4717f18f32dadc04a9e7b4be11abfd9efd2d2a8c7b28cabc27d69cecd0a7c81a5892f490f669d8c703f63b413eeaee71ccaa34715613352ed63da225e8831f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b6000000000200000000001066000000010000200000001f0eb6cb507b27b9a14de6f874245fffa23bde068c41d8042a508783f7e96911000000000e800000000200002000000043ebba8321bf9c4756eed2e4fbce32075e8b76b78d585dcf8480ff3220c3f970200000005f2cfee7baf542c26259478734bf0e471418ff65748536b387c1294179223f9e40000000ea43ac44cf3da75afd797a1c1d5d0cc8068d00011bc5f968dc0dd02af3ed451887221e7de2a3290ff591fd000de66eb7f0c779a4aa1c8e671397f33bd2461c67 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000163f0804dfaab65748a401029f4fb9248c040df86acac2299858dc39432c1ce9000000000e80000000020000200000006794cbe5f1eccaac5dc5f15e23216178bb7d3be29c83ee085a612d5ae9586f432000000034c1ec4484364dfb93ea5760418358a6b3ab7c4a0dad9911fee4fdde900d07da400000001ba9f2f525749723909e6ac2a520998b2a271fe537d7a46c08d2caf417f8e8c4eff8683e74dbe6d417c6193ecae7ab6ab928d0a0762c1fc7d803bdbe449e36c6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d027890cfc3cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354615483" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{453566BB-A8EF-11EC-B9E3-5667AE4B1421} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00236ff1fb3cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36BA0020-A8EF-11EC-B9E3-5667AE4B1421} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d4fafafb3cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5F1E5F6D-A8F7-11EC-B9E2-5667AE4B1421} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0.exe
"C:\Users\Admin\AppData\Local\Temp\9d9be6c628204970cf06fb9faeaf69fa9100721db000ee9caba78330a0349cd0.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:2
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:17410 /prefetch:2
Network
Files