File: c9e532095baf0a21ecda14f79e8024cf

Metadata
File name:oft.gfd
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File size:419624 bytes
Analysis date:2017-04-21 03:36:39
MD5:c9e532095baf0a21ecda14f79e8024cf
SHA1:047af368dafe45b2b76aa96527d7c84d496ce7f2
SHA256:7f321e5e23be76cb9e84831de6aaedf46710a48c94b4929c8277af7c5d45a038
SHA512:38fc2fe5a403cd8efac9a36ad4f465385a0460169898795441201aa5058d2e4951eb8287b158c645200087f9f941b90c31a1e28a0d5ff79af8bd5532c7f6f48b
SSDEEP:12288:+nzGvEGkX7n/fsNDuV80y5DX2CgTBqjN6:MGslXTsNuVApgoj4
IMPHASH:e160ef8e55bb9d162da4e266afd9eef3
Authentihash:N/A
Related resources
APTNotes
Cyber threat intelligence reports associated with c9e532095baf0a21ecda14f79e8024cf.
Loading...
Domains
Domains the malware sample communicates with.
DomainIP
elycgm.oftrim.org185.75.46.192
Hosts
Hosts the malware sample communicates with.
62.113.216.177
185.75.46.192
HTTP Requests
HTTP requests the malware sample makes.
AV Detections
AV detection names associated with the malware sample.
Endgamemalicious (high confidence)
Invinceatrojan.win32.dacic.a!rfn
KasperskyUDS:DangerousObject.Multi.Generic
Paloaltogeneric.ml
SymantecML.Attribute.HighConfidence
ZoneAlarmUDS:DangerousObject.Multi.Generic
Mutants
Mutants created by the malware sample.
Registry keys
Registry keys created by the malware sample.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\oft.gfd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_CURRENT_USER\SOFTWARE\$(^Name)
HKEY_CURRENT_USER\SOFTWARE\heterophylly\Components
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\SOFTWARE\Microsoft\Cryptography\Providers\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\SOFTWARE\Microsoft\Cryptography\Providers\Type 001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
ActiveComputerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_LOCAL_MACHINE\SOFTWARE\Doctor Web
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAzfMZ.dll
Comments
User comments about c9e532095baf0a21ecda14f79e8024cf.
NOTICE: We have updated our privacy terms and conditions in accordance to GDPR. By using our site, you acknowledge that you have read and understand our Privacy Policy. Your use of ThreatMiner’s Products and Services is subject to these policies and terms.