gozi | 9adc313b64a286f9d056b7efabda5565e2f3d8010d5432975899af6bbe71a0ea

Analysis

max time kernel
140s
max time network
131s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
Size

234KB
MD5

c9d954b3f1c512e6804fd8f5637b58b6
SHA1

b452040d8072117ddbe1adf9e1eab5e4bdb150bd
SHA256

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
SHA512

a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b
SSDEEP

6144:SCY2oo127AHBPr4CggrMbPMdsf5LLNBU94nzKE:SSD6w4bKsf5PUomE

Score

10^/10

gozi 3050 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

3050

c.s-microsoft.com

ajax.googleapis.com

groovcerl.xyz

Attributes

build
250166
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000615ef64d4a01e64eb7b5b2f49cda59cc00000000020000000000106600000001000020000000efd80a9c19332466c5e5ba7c08ba7c5711608d2e69839474c0f16ff4625b0b9f000000000e80000000020000200000003d3b361fc43ad5d394e10dc414c0a858da6f18acd18779ac736b4e074b2ee811900000000eb38f0f68bb6e992072f756c2afa17e41c3deaa96c17dc04aea15adec5aabd6c465559d3544558294caad4fed161ae3ed08517e49df0f1e0c0de2bf83dbaeb460b1d3faa7fb0ef7828228f64fa03a45f5a333440c3399cb81635bb0752af49a59440f97307f8da310dc60153466d23f8d879b11946a3164718fb24cead116493e37d2c81e6a21f76989dcf949c8197140000000088430eb58872bcb06185e569267c3481ecd0c8e12cab7d98c2c39f58c2594e0e6e265c2ca8f1dd00631023ba9dd169c4c1230a3925db7d597e19a63e67c6284	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE9F70C1-0A85-11F0-8E54-C2CBA339777F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B18142E1-0A85-11F0-8E54-C2CBA339777F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d4b18c929edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2768	iexplore.exe
2076	iexplore.exe
2244	iexplore.exe
2108	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2768	iexplore.exe
2768	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2076	iexplore.exe
2076	iexplore.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2244	iexplore.exe
2244	iexplore.exe
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2108	iexplore.exe
2108	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2660 wrote to memory of 2656	2660	regsvr32.exe	30
PID 2768 wrote to memory of 2600	2768	iexplore.exe	33
PID 2768 wrote to memory of 2600	2768	iexplore.exe	33
PID 2768 wrote to memory of 2600	2768	iexplore.exe	33
PID 2768 wrote to memory of 2600	2768	iexplore.exe	33
PID 2768 wrote to memory of 3004	2768	iexplore.exe	35
PID 2768 wrote to memory of 3004	2768	iexplore.exe	35
PID 2768 wrote to memory of 3004	2768	iexplore.exe	35
PID 2768 wrote to memory of 3004	2768	iexplore.exe	35
PID 2076 wrote to memory of 2612	2076	iexplore.exe	37
PID 2076 wrote to memory of 2612	2076	iexplore.exe	37
PID 2076 wrote to memory of 2612	2076	iexplore.exe	37
PID 2076 wrote to memory of 2612	2076	iexplore.exe	37
PID 2244 wrote to memory of 2196	2244	iexplore.exe	40
PID 2244 wrote to memory of 2196	2244	iexplore.exe	40
PID 2244 wrote to memory of 2196	2244	iexplore.exe	40
PID 2244 wrote to memory of 2196	2244	iexplore.exe	40
PID 2108 wrote to memory of 3048	2108	iexplore.exe	43
PID 2108 wrote to memory of 3048	2108	iexplore.exe	43
PID 2108 wrote to memory of 3048	2108	iexplore.exe	43
PID 2108 wrote to memory of 3048	2108	iexplore.exe	43

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:472078 /prefetch:2
  2⤵
  PID:3004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3881d6998e07f38e5e875988f99cc092

SHA1
2f2eedb4554a76a2cf757aa29cbfacd4fc2bc12e

SHA256
1d8d37343421600e1b0a25378c81a27f6ecf3f31f189e48f86d2701c258a9c9c

SHA512
f53c94bed877a468e87f9d167beace80966e8f50e8e64f0989430a196e81c8cd2f1c61410cbae4c220028a180c4fd77c06a726d1d52e99fe889972973b2f8830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f621ebecd0bcad1fdfa5ff40f4c5025b

SHA1
d374f0cf32a913733c42a97faedd6eaac5ca3717

SHA256
5013aa6a8ad3bec1c459853f79b9683ba4bf3cd86bf224a2b12b96ab7ae669b3

SHA512
55bdc1914a4befcaaaf329383b31d72009a1973a7bf9cf2f2a8426dee3fed2e89f6820d9ab00aa188d5b0c55bbc0b243f0334bcf4ba486252ca49a1fef4f4f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bdf7864d2f6374537d52650d8fd3b87

SHA1
f26ff953dcf138cecc0b52fd5947fbd7705e8886

SHA256
239913277ee5bf64f5222a5e6864ef0fb7cc0a67a44cb01b13be528f12c364be

SHA512
0a43ac12d4d1966d4c12df76fd73dd25741621d1a7a30715959858fffd9ed55ac94acdee9336648154549c3e53cf66cb8317dfc2d3cb36639e8ccaa1784e07dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2d8006500ffd862620593de9a1b68a9

SHA1
3178c50fae11254dca25048f3bce11c00fe7d101

SHA256
1ad8522156020d2bff7a79ee87a51868dc30b7e4aba1699baec6736a9d03738c

SHA512
8482dc311618580ba5d76d9e90956e7ed038aa7398be29715eac2c3e5a780a37b6c576686c42ffc912bb69c0dea965a11a60afb8a8cfb91b1be7f554fe4c7a73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
760e579435db1b44efa1ab6316811c94

SHA1
8aa63cb64a5392a4bca16e2f0c04c584ffbcfc10

SHA256
3998e6182172f15238514f62d5f21d558092f3fa1e62d911fa91e24bf44f635d

SHA512
532c83ba9a4129f67ad36cbfdc783091d8ae726ced193ede417730603eb7782bdc72d7db9fe14217d35c7932650c7d8d0819776ebf539fbfe1b90220df13d756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a3710b6704a06a26fc5d6535a34e992

SHA1
9a5f2b13c378e52397a3e38fee787815eb9c6ae1

SHA256
757cb73065c1a15a3312cc321fcb92155ef98a930d33c5ef2eb5da3776552e44

SHA512
260cc0d72a2428c0400824e0c0d0af6b9b23d41b0df80abe6be181ffbf6888f7c00115cb2edec1683ada2a85b6d5779a3ba1f9dad28e3e864860f950236963e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a073b4e0ff0043f01b901d623a6cf803

SHA1
b58fbab3abd413c9e15f0fcaa31cfbf3947254f6

SHA256
cdc72665e7af2545e1fc2faa28cdb913bd3d71854604caee733c0938c8dd551e

SHA512
8f009934717002d8cf4c09db507a92011d1253f7b45c887d2fdeef18781e819370e3c418073dd81567c67503684c68a88a6db867307a0fc264694bb3aa29ffe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
416905d6c991417a77dfb256e41119db

SHA1
f7765074e281c715be72a5555c2e1b4119e94f0a

SHA256
66dc8924857b378469ba056f86efa8848535c21a580ff2a195fe3fa73601d817

SHA512
1c4f2a95bea413c661198784d9013306f47e95b8663e22355f4eb66641b5748fce0939bd228d8669446da75e2d6b8aa850057fe7bfbcbf662a6e63ce137642c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d142d9ae1e83c71eb2708c8e9bb9adb

SHA1
ecd7846c2f62d304fe0bca629a10b53f0b9e46ae

SHA256
8477a377189c763ca51874f0937a8e5b8051d88075ce1558f8b0b9d2bb5166c4

SHA512
e2f3eb318ac99ee01d8f6087d7cbeb7297b4719b2c35f25a4edbb1876557949640e7caca2d7000e944c823a24f9082e01f1f3808d517f6ee4e73db7ce3c17fda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91bf207918ef93c2ea73bb33822e4a32

SHA1
ae0df0037fa171a82f440bf0323256da9e90868b

SHA256
f70fef8656295e8f36482fa10180af1aa14e965facf4c46217892dde2ea7d697

SHA512
4915d829853d3d3df3d2a6721b6c482e3834e34e481181cd173903cc639ab8be49441ffe5377d36ed4fc45578a59b66475300e00fde1bc7a3e8047170c9ab1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2eb11fa73d962e0f4ff8819f61d55fe4

SHA1
a3a1710973becd564bef1dadd1907223052b6770

SHA256
2be7d46cbc4b2fe79a237963112816b8fb0acdb90aed0f3be91bd7d608ddd026

SHA512
3f20c6b9b72620fb47b80ee821a8fa5e77c727f28da106dc6519b834a7b4ff1b2f0f7c1a622611a339152f9f13bb3639fd6546954e19b8cf38d58e04edf4608f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26976ebec082e5a303b63c5a0425ffaf

SHA1
088cbcf37fde98a63981ab28d74830012de08509

SHA256
a26cdc3d021a57fff39c0be0ae2e37cd73fca3efc36076802534b90caccf2022

SHA512
7dc4da8453fc537e376fbb3bcc06bcf8096769736c0d60d5bfca6dd0989d05f761f966d7041273aef8c674794b524828ba2405e67db6b9f517a590ab8a051141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31c68b099b3b395041e2ffced5192232

SHA1
c7ec8224639ed57bb69fae787e30375a7ad005b6

SHA256
39d5233d8107c67f4ee7d2829f76fcb59e9925eebe2c66fd30523d31a5d4c0a9

SHA512
ee668d2b93a620d4402bae34f077861f0028eabb4d32948d4daf4c124d5984951e41dd60050a7d05a2200e4672c5f1843d1cd5b0bee525a5b95a97fa0a320a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
716526722f19d7fbfa885090a6f9c733

SHA1
b40e8ff1f8c20df1e76c1c7c2fbad93300210ab3

SHA256
c45e6105c18381da08106fb208f31b7b083a09f2c2d8d59ada42fb1c2c6060a2

SHA512
ba440a338a070de4ca9a626680f5268e9d06821ffabed28e45ae0f18a29834c091f2102178ccfcf1fc84c17038cc43beee520e9150ffd191047cd204ae6dd33d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72bbb6402b458e5426291d2beb764070

SHA1
48c5d655cf40f1de196a258a648257e80c46334e

SHA256
6ee6d5797c044c2aa35f59bd14a2f4ff61adc19f5f258279d590b13cbed1a9ff

SHA512
469cb58e97ae2329dfe2645ba9665f46aa0eb4d95c076df0f649aeba512f7ac822d39020b3cc6dc0cf2a6655482585480101adf6da5c5e8ed282269ebc6e804f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1ad3934360d56c17fa19f097754fc40

SHA1
e0b96694ce95ca8ac165bb407660cfb2a7e7b40b

SHA256
d91945e4e3a4fd1b04d85ab446ddad5156b8972a47e706c256c59fe99a5a4e97

SHA512
5b5c1c0fe537a496c74b4cb102cc56b48d125218e65abb8ed45f3ed59f864fa6d043d892311ca4f13dd1c9ae9ea4e657605dfe2a830015e9133326e68e3bfd94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fcaa545ba789a90bbb130d2b9fafee2

SHA1
e6447e765fd4fb61427b8b8ed97d0f68e2e0199f

SHA256
d5f6d5ac9d0090586ae3c64359fd1e1a874824d73eed11843e79315b80316d4d

SHA512
d9753863496c3a915a655ff178f2c748334c9ce80d0dda7440c1eab571bcad2f937144fd989a65b3a839ecf51cd4aec7ae72587bb21b37ba130961dfa35d9850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9896c4b4d9888a02d9d3bb2e3c7e68f8

SHA1
67dfe81b4e2cf3b450ae4b46f5e3256b54f6212a

SHA256
e189c0c8320ae431b73f7090f7bf9e470399aef4fd0dc67b9cca6422ed8e1bfb

SHA512
5362d7c7a02671ada27f51dc5f1ee637e8a9c7bfbe1e85eef540ae76a68be45f074ff75207d2a3fa065717c49484bdae6a54afae46881faccc4e60730c553563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e2e35b9f1ccfb236020d7caf60073e3

SHA1
c205db09c73a5573222fcfb26b95ca12d5580690

SHA256
e0fa7a13c69b11e94d4151df27daf2f6a030a19d0ed93815444ee41c38a755e5

SHA512
69aec8002b9cfc45dae1e66a865ab2a73238da84afb5d4b5879342b1b420627c11eb46be5fcfd90b451047ce7397c9bb61d650537e0d5021fa39d5201589ed66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58a8b1a16832345870668e4e4ccdb79c

SHA1
33f6758b1c046dd8b51110757268b812b287fc7c

SHA256
6933bd2b1ddd7a87272613be67c360ff3d85f559e6809ec8b500a533741d3367

SHA512
01042141f8f9ed73d9e3ba255422f81e9107bd82b808b7be1d95e07c955f0c8224f8dca00cc99b8adce7be23660d996a0ed6e3ab38f1075f7d47d59da771ae7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0df6023b59b232b8566c228da3c49805

SHA1
358df3b8c4738b0146bfe9c025152ac582096e90

SHA256
af8986b6535936470564ed18142fec467b7d9c7abebcf8454fc199b247a9a8d3

SHA512
5c6f85e4a8556c9505aceb5e5e04c0bdcf06dc6dc2cbc30efb2ee764400e43881b1c9c1174ebc661694f1dcf391fe27096580936d05473e8f17bb1b94fb8f8e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cd45285ae58aa3610a41231aa71da96

SHA1
70615e9d72fb76adcab6e196d9e02ddbdea3b72d

SHA256
dd483c292925aa308b86d346ae906bd65ad6d6918d6a327d5e769c8f40690aef

SHA512
0b2243f5755d43ca0e893993282b11924b45d3955c55f415e436b0b54401344bfea0f793727ee1ac88779467908c7f2b4eeeacc0bd51a0c48fb61245ce66e305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
144c9f233dab631ec931d04198825360

SHA1
ddb49d6a4801887d3b2a6d2f576c57d8dcd86c0d

SHA256
2c5401f846ea34eb18042d78fd972e00921491409d700110525d249e7daa516b

SHA512
41efdac28461b69fe304615986dc12e89969ec978ced514b4c6738cef94e037ecc299744f177e65bc134e832ed755312988fa39e8b5b0751cf0e821e35b03d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1f6c630940a6d3135b1c2bd869a0204

SHA1
f3b400fb3dc9e0dd4dd4b0b6f4e479355f444740

SHA256
b0e195727b0b68850201bbe8ec171a63db628153387a7d1e441a48b4de8b9d5a

SHA512
1dffcaba161f55530b4d3ef756cb162496e30f5c4f88571f3fabf0b797212c606f27f6682e7f8a8b3b4d716bc01150bc0f36274c1ff697454c35b0afd7586dcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31a6768bae8e62d88dccd08e2b98c449

SHA1
5ff59c69ac9aa3f2891bac62148934eb517bbc66

SHA256
03211fe7a3dc834eec63c988fe49e317c846b539e25b7c0210d022100dce9772

SHA512
649cf71399c535e4e834e57a4aa11b89636643e9c30317efc52f1fd3e81c6f99ebaf35173bc6c617b5d58d0cb58b2a93a7e253855080dc7afc5f833130cd2b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c5a348ecd22c0fc3a5d7105bd100ceb

SHA1
97928688ca2c34335dd6f544cdc1a128f093c6a9

SHA256
172c39d0baf824d197767bcf2766d8e6f6ab54254017bde2765cf2f8d615c50e

SHA512
2908ff724ce66830051dc21158f7eba0a82297489116258522618aadbe4738488dbcc7a99cdcce7f3d0b3cb2f40f49fc2dc66f220dbeeec4c35b96450b763c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8dca6a83e8ae7fdc48d553f41894ef06

SHA1
5d813efe4b14db81a72281b3444e501f4a74456a

SHA256
0334e39ea76d70554641f0008a2c7e239cd109b4e8ff7ebfb7d365dad1c5f26c

SHA512
fcd6ad2ab0adaf5b6b41bf812546cf541236013730d6d16ade3cd5ad017d6db8c554941837934fd193706432d6d03ade4c01db69470f02a0b5fdd026307baebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b5e5e3db26a0cd2f2fe8afac6150d42

SHA1
0cc66c020e2aae8b5045860ad0192a90930eb5c7

SHA256
851a3f286043ac8a791c8a403ac37c9f1a9a7118614683392e73329cd9efe73b

SHA512
f23f51e956696fdd7e1a5da0721fce2cf14716b21e951744541c8fbee3253cbd86b42e6851ef7baff9b41a0ea7a82da9947b923b2d2bb4404292759bcdfa726b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
001fcf62dd8787b3649464dd41bab6f5

SHA1
9776997ad02b1e3aefcb5dcec845aa04481d5601

SHA256
be227168e22fc95889753c13829096513e9ff4f2c8afa0afb84aac9c45e46226

SHA512
00fe647855ac2fc5fd26f03167afc551e3066efc4e68b97e8a1e6030b9ba46342ee5f5357cb1b576787c3443698dceac8b9834f841cef34bc2c30ea7ba77ffd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60fb05eb30969dd2b604420059dc895f

SHA1
6a67035b1d348faed55ff7164537f7bf6363429f

SHA256
e259ad48fd08126c1f6996f065ef56770bb44dd87a3a28ce3a8063f7c399d60d

SHA512
bf698ff1c128e86091f9e9d34e5239b211eb9c7f4166e85194674256f0fb54b9d643c0da91eeea9586411aa789bcc8af5e60568cff144acb49c9b27889843be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0335adbf72cc0e408169d4a6a57da29a

SHA1
e0b4d256cc8c6404930ffebc35bdfc963209df24

SHA256
c332267b3e8965a4fb093fe046e225221d7ab7e2dd983654af35fbbb19b9b083

SHA512
07dfe8392ac69b811850ca8c4dea5bf251e94c71d8184dc927eda85d1a97abfdf9cf1b117a45742075e36647ecc629fdd695fbf51929f67d78213b214d5651f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EF2.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF04DAAF3F0D7AD350.TMP

Filesize
16KB

MD5
ac5dbe5408670c5c02429245ad007a20

SHA1
13ccd68d33bd62d8f0f3afc12bb248075fb91b10

SHA256
2d13081dd11fcd12d09bf30e2569a40fa6783f3b55ced19ace850e40a90b6de4

SHA512
21097599bedab5bf5c24396123817f3d66a1338b9970a296a75ae5354469db809693fd76c35d8995a25a39ef8ec0ea85a3d101a55d852edb88567e76797e0617

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
d51ce4633980ba4666c09e8c873e346e

SHA1
6550640c62cae7fba96f4ca43ea33ea3d0ec9059

SHA256
c1278531de6e8ded48db0b7ac875c252c1a21c85f5447608bca1fa681a8a82d7

SHA512
9eefc2e76dda7de8b5e2e70e63ef4b6874bd9cdf46e7137126657ece42cae2aa56163c2fd3e1da5efb624fd8ad33c0530d9d67f6a59f2f6fb9b4ba2f54a47498

Download Submit
memory/2656-0-0x0000000000270000-0x00000000002B5000-memory.dmp

Filesize
276KB

Download
memory/2656-191-0x0000000000271000-0x0000000000288000-memory.dmp

Filesize
92KB

Download
memory/2656-190-0x0000000000270000-0x00000000002B5000-memory.dmp

Filesize
276KB

Download
memory/2656-12-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/2656-9-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/2656-8-0x0000000000271000-0x0000000000288000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads