gozi | a4bbf7654331415c4f7d0306066ececa014a27d706deca83bd7113ad4cd28d2e

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deacce266c9fe2354585347ae32922cc_JaffaCakes118.exe
Size

291KB
MD5

deacce266c9fe2354585347ae32922cc
SHA1

86d4cc7b5b821806c4ef8c9bec71da293fdfd323
SHA256

a4bbf7654331415c4f7d0306066ececa014a27d706deca83bd7113ad4cd28d2e
SHA512

3ef1793f98cce22d7e3d6743d718a19341b31a0a6d5ee18ebce4efa71f5d5c8c1a036a7e4706a5e9a4688d9abc553262003a1bf385d551ba596d6db917680d31
SSDEEP

1536:FoeqI98pX2SADuJJD9CHTK5UYQRmS6t0F:meqC8JhJBCzKVQR

Score

10^/10

gozi 202003111 banker discovery rm3 trojan

Malware Config

Extracted

Family

gozi

Attributes

exe_type
loader

Extracted

Family

gozi

Botnet

202003111

https://kolamana.com

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deacce266c9fe2354585347ae32922cc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70E5D3A1-71FF-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000d87c12200262303e4fd5e59c26112dc645754c9186bf970ef0f332676424ef5a000000000e80000000020000200000007b8cbf317c96a6c6f5ad664f0bf23cd72ea3021728135849c532bbe1e1e623dd200000003e4d485d999d37603574fb7110873aab63468e8b5accb71445816a7c2ffcf4f2400000000c40391c3fbf681103236ba13a3821dc325df084206da8b07cef0dff567745ae9aad6d911c2350043a0afa209f9254ac9158bc050af0b6c1c47cb4360e06940c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000ea4f24493be2a788430e667af4c7e88892c5fa179b3f608eecd30bab8ef6936c000000000e800000000200002000000049f753d46edaeca2563dac0a62b281dac64484da1a84da3536566ee8728565f6900000007358546887c3c993177d6e2a32179a5b1f4c63ea788045cb34a31ba93ccf109f7f9aaba8fac4fd12e815a4fc9d6f68a93bee0305804193611a6ae610d6c6b41d319781e6354e94070d9cab24eba0850a112b5d93a7e75dcddbd9fde8ed2bf33dd12e050ebcc2afbc6d885dc107a28f38a5b4b1717e7dc6af4ababa9c82244a035ec5e647f8a90a3b81db4614289a685d400000000b9dc2c4072f192158376655835d4e166fef2221cceb745ca28eb48f8e3c7e06d20d0006b031f1ebe6fc36a887a430522b0dd370013face4942d48ef77f4a592	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e4413b0c06db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432414607"	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3060	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe
3060	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3060	iexplore.exe
3060	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
3060	iexplore.exe
3060	iexplore.exe
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
3060	iexplore.exe
3060	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
3060	iexplore.exe
3060	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
3060	iexplore.exe
3060	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
3060	iexplore.exe
3060	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2716	3060	iexplore.exe	33
PID 3060 wrote to memory of 2716	3060	iexplore.exe	33
PID 3060 wrote to memory of 2716	3060	iexplore.exe	33
PID 3060 wrote to memory of 2716	3060	iexplore.exe	33
PID 3060 wrote to memory of 2568	3060	iexplore.exe	35
PID 3060 wrote to memory of 2568	3060	iexplore.exe	35
PID 3060 wrote to memory of 2568	3060	iexplore.exe	35
PID 3060 wrote to memory of 2568	3060	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\deacce266c9fe2354585347ae32922cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\deacce266c9fe2354585347ae32922cc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:4011021 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01a9b7e3e8d948548b5930133c18cd59

SHA1
4aa61396a67629489621543da5de194ddb667463

SHA256
301d792d8e904c271e7dab8bab87168209fe78fffbc4e2715899db8d055ef97a

SHA512
3bed48c48f08c293dd1be4e1191c4176a6ef837dfebfb13f15da48c9bb4541b3b13d792785d61908dd674afc222bd18c748d13dc57091098ea52d47749fd5682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd2790be26a150ddf151d9a11c401916

SHA1
aff3537fad4ea34bf00de65c065755997e4487b1

SHA256
4dca5361fc009a7f0c054c8ed09846425a5e706c04f5cc536a77b5f670179e80

SHA512
52ed807e6e117cf7826cba747e81aa0706fe9affd33910c4c4b9405d090ec9a6df32028cd23a4370430f990105d1b5a046d5a0608d7ec2c7939700e66decfef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
869270a220ecf52367f5c9811ec61920

SHA1
2ba2d24e0e9ef6dfa8e9381fc73c9af309f6d6fa

SHA256
e4c08714a9ac6e90dc60dbb110d93655b7ff83a4f635af34f85880762ac4b55c

SHA512
b4e2e909fd89af9ef9ac770f4c38aceee74d9a082ae9539cf1ed7d4e969c52b6f18d6882b0857069a2bda212c4e4cc46fd12afdebcfe86be6487c33c9c654fc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
814a9648ddef780c4bb4e54a0a81af44

SHA1
a41f35db9c6e8818f30eb8018a83d8bf57e42136

SHA256
315ad97adaa49a7182d0c0c03a929d90746ddd48710829fccdaa94beeb174640

SHA512
768a0d127b8092aebf757f3ca1be30fd15e9cb7faf1b586b44c0b92967049c88a3a843f576b077417ebce0cfb9489b862c7f8a52e8f2b9c44a38219e6965dc12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ea7738060f12c9e37a3f39197858191

SHA1
897f3a891302c9791f75ce246989cf7f9542dad9

SHA256
21a82c3e3936cba577f41ea78bb6a037993a789226b7bec1122d870686bd87aa

SHA512
671f5a6b701d6386757da9e9c2a1347b060ef26db370c0be21535bc3eaa7db1d39fb463533bef5a4cde557a1bede3dfa7571e009cde1ee6951f3ec7d3abba538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d964a779ba1f96509130a3b917a7f7e

SHA1
219e3f1044f0add90d1bd719f870799131a336eb

SHA256
c50a4efaaa49d6de5eac6fc13a0406628b86a24d193f4242fed0bc5ad2365d5c

SHA512
da224b554c9e5dc5e3c5005155f0a60cfc8baf484b018a08a26e3c321ee93e9cb510bc9143e0ea3f1e688ac55715c45a2898fc532aa2c15a7f39d300d62488c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4747476238ddf6903c5f7a8ddfebcd08

SHA1
052b561d7ec6e48dc80f61d4ba031dbae04c5df3

SHA256
778ad9f735b88676834de03ebb0b4af453f880515056aba944a6eac8c5a45643

SHA512
d9e12fa52669e236c26cf156bb55981eecffba0ae211b32f7f40bc599214c1dacb1f691992ee48783fbd20c7fbc62cdd93ca5e70183d7bbea1b8adfa5ff280f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
279bbdcaddeb5acd7b5115d7d812dd28

SHA1
80ad013b0379a37821958d87e3cf4a40b2b2e0e2

SHA256
ddd83d3a41cecc9a203e9d275582e5e9d6f1dbc76390f620dc466caf92293f61

SHA512
5bac77c686405e2af85f69445d6cb838cac75ad2120fe4808bcee7cc166f9868992619b04aa1e2931cadb17ac8a9dc8286073f61d4a30a4ea71d5d31cd0fa77d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c30a4bb7c3409d5a4c9b31023b4dfc7

SHA1
ecc0ad43a58f37749e4c0897414decc5799c584e

SHA256
172c448e5fe81fd6aefe6bb1e281f1624f4ca7dd38c865c7565958fd0b298796

SHA512
338835c31684e50e798e647ab1faa139307a405f663fde336dd10bf36f0fbb5f262da6382b452b65aa97b2ecbbe1f107bab07eb8e2f3e2e1071ba1539a137522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be004f98e86f4d4a5a94ebef13a5fad5

SHA1
fc9c30df2254cbad69780694434e62ea86ca9eef

SHA256
3285a828cc1b7fc20e372daf1b30764d13ade35dcedf3f586cf175368797ea0b

SHA512
a66b21114c5aa9f6ece8e49c2a1a2c74ab866e1262a563dc088ff5682c9ae28e9ce755028198ff3259d59ea1a48ff2429078db7eb242f0f3f9421fe70a6d08c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90d30e337798a07678ef14902621344

SHA1
c5261d21319b1024f045ed387410caa096246dbc

SHA256
3c98ba2facb24579474ff2d1abff1fb1de41f8191ef67f626e67266256429154

SHA512
e92d10bc2a96e6e7196cb71f81ed970c1accf990ea79a4e02eb3473b41e77452bfdfa6306bc6a56b578aa9ce62f639da7d4c94990c6072e402033a03a8643e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5da1e0dc0c1b384679dcaf65c159090f

SHA1
06c236641eadbbe115fcd41b9f5cfa76503a3753

SHA256
33d0e1c963596dab4ca477d494a9a69d824cf6144cdea17f0013a73d359f4012

SHA512
8d8269fb06327d96a476a670d5cebff81776c8d399582d15f9263da0d24624fcd425d18a4b09c3e997dd005a54bd9868ba9b04929624b2b782b0af3b49197095

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7ba0939212d21ac665a52a031065433

SHA1
05b600bbfd7bbfcc38ddea6d9e7390c9693d0c7e

SHA256
f2571d75fd50986843b0ba5c50b69812227ad7cf3d4fbfbb4f0c6fed309ac4f4

SHA512
eb232bd0359959c06ded715b3190d2f8c24f8b3905b9fe6303800f30606e4f6fa756600cb0102aead3f56d1ac906471a1ee34e2d983dcd614059335c69d0b3b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ad539ef8299707e59275af352b4ae81

SHA1
8f224cc55dd159bfc7673e187d4d300c20895875

SHA256
7e98f36eba8092efe3c42f488c64bf0afb7d1f7e55c951b5f1030f9af8401abd

SHA512
772fe7f9ee69ee013648d02ce98f2ad2f09108dbc95eb734d99d86a5a877fe5e26003a35ea795512bfd1229a3cf3b9cebba25ca873e9c200f30ae7bfcebd5857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ccaba2339c30428f064b473aee7569b

SHA1
03523cc5d04b9aa8cc083783e91215a833955af4

SHA256
66b8cb504c6b8fe03fc43acdb9f8ec58a2d4321d135ce7c28ddab7cafc7b389b

SHA512
2a9ca0a7a141f7f1633c5103ab6df723c9ef87622662c218f16ff4a7fc33aa416bcb86c6f3b1167b2e7709857b0c672ab20c43cb8ac2eb21967caad0220f8313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
562c2348b512d5c14350744eb875a541

SHA1
40314c17bc702afead03afcf4b66f45ad0596a83

SHA256
84274e76354f5c8f787d377e9d60cae0c3eef0a2c824afa667e24c16e006e292

SHA512
0b61df653fb334b3b31b6683a402e6aadb971e9a730a9538edb59e01f485f365163af0b2288c4ece9365fbd9de25516a0d2257517d5afcc4ac36fe5978431966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae4eaf7c1eecf9e3cc22a08cef7c4969

SHA1
7afe139067d8af750967645c2333710e9c426fab

SHA256
a0b48e5cf66512101dfbcc3c7f8fa9a33332d60bd9c0a1170f4335fdf297fb27

SHA512
486fd93cc72ed43bff2cfb1c9088c8fea1963151caa1b775a16609972ae72fba8df5e9326832822f948c65493b6818b1b54ba73a93af101208085d88fb594de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab235.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFBFF152F33C183DEF.TMP

Filesize
16KB

MD5
c8415f9e97e0e8f6886da50001832c80

SHA1
e367ee1dbc30655d0dbe0e7437775b88b2f8eb74

SHA256
659b40665eece0017d0549bddee4fea83683c9ee45460529c6df8cbc1150fed8

SHA512
99aa0c650d9b8bd300aaa75980d86a16453122680b26ce46c12a0b895dc36f94b078a696790c71143705edb418d5e868d22bdcbaafddc85bf209a419eca420d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
6e7c9987ede39251305a3c62d2af83d8

SHA1
5c21d064c20075e0eff4a5e267bb1457cf5ebad8

SHA256
105cf073d7fb99af40824a95feabe26b2bfea704ccc76b9cfcffddefa5406f45

SHA512
2dca69a702defb54dadba93414ee83440791427fe12fcb441d0d026aaa5e6c22be4bb199ab76e72d763e6b841a81b994ea259e3c98d9873bfdae3cebe3b67cd9

Download Submit
memory/1976-0-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1976-6-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads