gozi | 9adc313b64a286f9d056b7efabda5565e2f3d8010d5432975899af6bbe71a0ea

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
Size

234KB
MD5

c9d954b3f1c512e6804fd8f5637b58b6
SHA1

b452040d8072117ddbe1adf9e1eab5e4bdb150bd
SHA256

d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
SHA512

a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b
SSDEEP

6144:SCY2oo127AHBPr4CggrMbPMdsf5LLNBU94nzKE:SSD6w4bKsf5PUomE

Score

10^/10

gozi 3050 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3050

c.s-microsoft.com

ajax.googleapis.com

groovcerl.xyz

Attributes

build
250166
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D6F9D2EE-0A85-11F0-9C64-7EA8B19A0055} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CA186C91-0A85-11F0-9C64-7EA8B19A0055} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007559c5b53c14c340835068035e51906a0000000002000000000010660000000100002000000007a6a4f2029aab4881228a94518f3f266a85631bdbd4de788db329201f9d08b5000000000e8000000002000020000000e34eb2a0c4b32a2da8194d55a71b9605392bca0b07832077e38aea9d49d353c720000000d27f8a3f2811cb962f59c5a26d2b38a6ab6defb08b0d25241b08ec79ad0c9fde40000000cd927e52d4cee8d3dbe1cde4fe14d5610676e99275f9c16767406753415cfbde68881366ec199fd375c14c608380ece38beec299ebc67b28f431e3933e4f5f9c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AFAC7C80-0A85-11F0-9C64-7EA8B19A0055} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ea0586929edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007559c5b53c14c340835068035e51906a0000000002000000000010660000000100002000000056ba1dde1047e0a3930cdcb1be8ade5887584e5d9e96b1866fe0939761414091000000000e8000000002000020000000c36754565f256d48c1a08fdf9c3dc31462f1c25af4cecb981e8da5b1564e7a77200000005b8a69f8f6e7cba04f323a6bbd8e19be7732fdae0d0c3a49d1f453e0b220de34400000008b41760e666bf4d4eebc69be9b23b187d1cb0dff33e5a5ff177cfac50fbfe53dd8c7af01748b71d94eacca494883feb8132dee8dfe07deaa067dcfb35d3dc28c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007559c5b53c14c340835068035e51906a0000000002000000000010660000000100002000000042adac6c658a87d6326ef3aa8d5704155be76d3a4544cffac7580f01cb414b8d000000000e8000000002000020000000b5bdf0c442b2a40c116f324d2faf31484439bbebfb0ae9fcba826b7c470a666220000000409159b75effa4619f0e95ddac5ba0f5e0b2ab15db94d6ea0f07e05a0ba4662140000000581d4f3aff578637eecc1540cae6367d61cb19722ec2e8f100ef29c1c2c46c066bafad5c6b9a5db75b1eaf36779c92822a2664ef60575c3d671654c1f067519f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d022ea8c929edb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20160d86929edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007559c5b53c14c340835068035e51906a00000000020000000000106600000001000020000000153d43161b33494c702dc6f2830d597fed07df4a931311acf881bd402d6883db000000000e80000000020000200000006191c44fd1bca173fb8ce97490d97e8b0103d010e7192d34ea7a66ef3fcb3d6c20000000941087b4a0f57157a67f4a4235caa6dd8197f82daddd70cac95a41393d9fcc20400000009ea10910807379b4b9cc80a1aeadb2d93fdaaaafc07e6624b2d9fcc1d0d22d70eea311e5eb317367f720afb2991df98f17fd438c31b9cc9075b4503edd2031c9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E454AC83-0A85-11F0-9C64-7EA8B19A0055} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40aa5fa7929edb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007559c5b53c14c340835068035e51906a00000000020000000000106600000001000020000000fe357bef51518976e8e9796ff81384e7512707f863fd6ff7b5f6c20982502b00000000000e8000000002000020000000b8cdff096b3b021fc0ee72ac7e5a8cd81ffab2ea267ba737eee901d92b6665e720000000cf146f7965bf2f7a9ce98af5b69accbc7f94d15d3f1482a22260a069bcdd990140000000106f82026956246adf4d04e6bdfbff56627fddd755818f32cd19f05caffcd3f58289502fb06cc14248ad33c6e4aa4828c5c816cc03da13d9261ee54a51e39a18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1908	iexplore.exe
4572	iexplore.exe
4092	iexplore.exe
4172	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
4572	iexplore.exe
4572	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
4092	iexplore.exe
4092	iexplore.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
4172	iexplore.exe
4172	iexplore.exe
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4264	4872	regsvr32.exe	86
PID 4872 wrote to memory of 4264	4872	regsvr32.exe	86
PID 4872 wrote to memory of 4264	4872	regsvr32.exe	86
PID 1908 wrote to memory of 1444	1908	iexplore.exe	93
PID 1908 wrote to memory of 1444	1908	iexplore.exe	93
PID 1908 wrote to memory of 1444	1908	iexplore.exe	93
PID 4572 wrote to memory of 2236	4572	iexplore.exe	110
PID 4572 wrote to memory of 2236	4572	iexplore.exe	110
PID 4572 wrote to memory of 2236	4572	iexplore.exe	110
PID 4092 wrote to memory of 2676	4092	iexplore.exe	113
PID 4092 wrote to memory of 2676	4092	iexplore.exe	113
PID 4092 wrote to memory of 2676	4092	iexplore.exe	113
PID 4172 wrote to memory of 2316	4172	iexplore.exe	116
PID 4172 wrote to memory of 2316	4172	iexplore.exe	116
PID 4172 wrote to memory of 2316	4172	iexplore.exe	116

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4172 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
a7bdbc839b37be41f3f97eace5a7a837

SHA1
d29d93311999f94110ad379847c146e4999c2bc7

SHA256
ae7d1a6f478f0451b1a0323ce4e49c2fa6f2024fde64c2faac9d177f33a1472f

SHA512
e17333c9b10e6542bf05e6769996ee83a39c5773ce6896aa4b2be4b09c552f760f4a78e86edbc4e93c4ce66c8790338e6ae009f7bebfb13453afa17164806ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a29ddbf1bfaebd20b3918895e62dd58d

SHA1
34f60b76770d5bf4b96611ef96c2db737f4ba42a

SHA256
95dc7505c07c5c9be122101a781839acfb1fadf06ff92346ff3c3381357d4b43

SHA512
7be3411661ba0b5c22620d47d0aad069d6392b2fcf02f45568fa8bca23d8d005ee8f8a9cc2f03c5fe2c95ca1d47203009e177e9f6ce6652738cb952eade07de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EAO45EME\mwfmdl2-v3.54[1].woff

Filesize
25KB

MD5
d0263dc03be4c393a90bda733c57d6db

SHA1
8a032b6deab53a33234c735133b48518f8643b92

SHA256
22b4df5c33045b645cafa45b04685f4752e471a2e933bff5bf14324d87deee12

SHA512
9511bef269ae0797addf4cd6f2fec4ad0c4a4e06b3e5bf6138c7678a203022ac4818c7d446d154594504c947da3061030e82472d2708149c0709b1a070fdd0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF1FBF2006C6D75F05.TMP

Filesize
16KB

MD5
5be0505cd8d8dde0fbfad91292e9f72d

SHA1
94971261f53572d70e30c5308cef7b05a5e8cfe6

SHA256
47bce5219157a220d070b30c926bb7e33c28fdf7935141efdc9a9c6fdcbb409f

SHA512
5da9a21a03113797ea90d95f58868486a43dcb383dcbf76c16f0c9ca6f3e92a0f23665187f07bbbc9dc05d4072d94ac42d4f4e578a1ff19755ba26f65fc748fe

Download Submit
memory/4264-0-0x0000000000880000-0x00000000008C5000-memory.dmp

Filesize
276KB

Download
memory/4264-1-0x0000000000880000-0x00000000008C5000-memory.dmp

Filesize
276KB

Download
memory/4264-2-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/4264-13-0x0000000000880000-0x00000000008C5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads