gozi_rm3 | 6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
07-04-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

request.docm
Size

526KB
MD5

9b96a79a5e52ce888306ae92bf6668dc
SHA1

5e50023b851d24e7b16afa48eaa0904b5368259d
SHA256

6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f
SHA512

117f93c86cda5fd51e7b5c869dd3067b391ad1bdebf4dbb358243d42e6ae6eea612b12d568a18a5ea47050977da4c9312aa93c5c9de9b3373b25e5e7d0edad31

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.base64

rsa_pubkey.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3048	3304	rundll32.exe	58

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4548	rundll32.exe

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3024	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000000ff8d0ca99819c0477b85bfaf51ed9e5ce747684b6e90a48f848dccf8d61c1d0000000000e8000000002000020000000956cd8b4289a4efcbd8eb465498c7cb9bc505355ab064ae8f4d59820d8c31064d000000028a366d2dd06e9262fe684ca39f58cc8f89f1968c65c8a652179a4539d7da01193cf094256d6893162ae37c9bf7e8c7e78d3329817de7596155072545a917232561c6e2ec812e1edf37a05998cf64bed5843df48ed899d1b700a5d70bbfb8eb2fe4d8b9982005a7221fc29cf73165b9f8e1310ebdd715baf245a39d97c302601298ffbbd32bd6cffd496a284b2a78dddf301bc88541eabdb4687e779e12ddc462d66ad14750f27e8613eac15dafadea492dd6b960cc20f1961d41d685e1167b832f37fce645858b7b62b24c6bffb7c0e40000000efe29e8242835b9f2e4cd1f5a6fd6a7024ef497c2a8f261bad31fd95925d448ecc24bae4ead53a84dfc6753b5645f031119b7d774455c43c3e852b7f7b03e1cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000780b1ca61f6ffdd3e52758d2d2b12d367f15c9a0d3ba6288f6dbcf018912db2a000000000e80000000020000200000008c2e0b1ad06b6b4378e2d8d70df033d102c7443982cfa2080b4c592e8edf926dd0000000f0ade466689f06a6c4000208d67d20c74b52d35fd52b6676710715dfde94a2b48cb806f56e11a7edf2277c56b51782299de0841688ec3b13835cbb86ff901766d26cba9d985892680ca8c5ec3bc50280fe64e87cfc5e40d68c9eb0544e0c6462d828f79d46045b83c607d2f1b28162d1c658b6ffc2e99b3e7f1c8746a40a16c8930bac5df3065a91ed1857008c0dc43922cd61e3d9715685611f24e1a066259c9ec5f13e3df956d8843e9f0b55a3a25cd29ddc927f185b5a04be30b18ca403179843caf6c607066ff59e100592ca6b7940000000a614a81898b243881ca1bd0d546007756f902270b64ee64bf0d55a63cb2c6884ef8c6298c60f6a021fb17ea39e9f95abe93e22a053d95e253a700ac787ab00bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000006a266702b548f7a51f77c29b8f3a932b7aefa802bd6a11ff91e0f7fd44bc1a7b000000000e800000000200002000000021c63148a29142946496a7915b834745c0086be2284471bdb5fd23ed66773375d0000000930b17381be955d7076004e9c6bc116469608af9741098fe77e19223c9b01a9255b35b02ae7a48c2a97c265f35c81bb7359e44f978a7947c121515ba827660e16b4c9dcff6e7f834bcce1270446c84e83e38b6bb92fcb3a0fa8ade3110be97a6651da0e6a1b171c54995a20e77c17b09b99b95d909512242201a3b30a9030f3b591d28a56aef1349d285e9af8e700066cde44b69cf8630efd3a6e46947166abe3196aa1fa5ac8bcde9770b3cee500dd453116b4b15a17f44492b9df33f876620be3c47703c6d696020037da259c7e18d400000004a90a6d915e94be47339b17f9f4fe7992cd7907971c9b1f6f6dee4f3b4f92fb8e48c0666799cc05e7a998c4c277d26a25cd2d71381d646b1a98800358646a067	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000a33ebbcc7f74dcc2135c1eef87c4d99dacf9972fc9f531d067d95e69e01a8dcb000000000e80000000020000200000005f937f26c806257009a81b7ccaae4912fa9a1cdcdf5c7e726ae6ac2cccf5cf5dd0000000710dd32d9aaf78eee5c2094056f3bb9fc2eb60d18367facbed6466f144c8bc4f718a400e53a47425189137298912971f1fd124b53dc63d39373e1b9b055db543fcbf0e07f63fa79c16f9cafe941851d51f5e7e5ffdb0fc8cef55b9abd5d788eecbc533184fd534c0df1b839e195930d2f78a489a9224f16fb2792d88f592d7529857c2a16e4f66060e657293f74a9aa9f6276eb3a0a70a952c539b45402bbffbb6eca1501fa58754dee1d48db0b239b476bedbf197e1b57645b9e3210039f6c26a760178f30f5029777a42acd265f9b9400000009485977e92fc77e0c36f966882f892dbce51a3be1bf519defeb0416179ff8e3488378e893eb422c62d09e1710c5d06d8c3a5726f2a79d17f0a6189bd8ab4d309	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000ad60ba9c7b58a7303157320d745b2d6292127479f8835eddd42c154f970410c3000000000e800000000200002000000085ef141372dc2a2fee45fc6b9d995f7c9ff4f9ff566d052cd943cd2d891d19e5d000000044f2ab9235ac0c0592351eebd716c66c3ca982297b56fa0b10fe7b49d72c2791a9ba16c6a1f434fda1f26bcbd132a69e7b24a266a39ed3da97cece1bc3368a578863fb06342cb5f759672fbfb7bf5dfd515e7b6de20bf58f4b1383628594b2ff137b6ba336c85c7823e139b568dcaa9a31801815404d0f418b54de5a21508d32cc240a94051fea5cd3046507eb8f9d868bc4dd45c7e981b9499f4dafb8ff3ede404f7873a6811db47ca4b85499f29881f27af459d2dd516a753198cee1f54e4a1d77ef87812d4a5e37769685b34da5b640000000357685e3d4eafc08a7defeddbb0c48b4bb1a0b69e897a8c9a975a78acd1d631dc9547975e1ac8fce92832cc45c655ecfbc2b9068e4e368ab06c07caebf38e704	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CA82DA32-B67A-11EC-B9A4-4E256AF39849} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000a46809623a1f4b8ed25a9925f6dbfc712567322b63b743d03cc9a2047e85689d000000000e800000000200002000000065d7f91019d626a9609edb4c8fe0df3e6752af1f87a3cd95ca3093d6fd0a6e2fd0000000254c3705c71b65fcfc74a1ae01176eb3f9e50484ec116bc5503117e362fa31145ffdde20a5721e50d73c1219b79d4e65f25338c42b631aa9e73208a91fd488ad893e397e8dfcc18eefa2ba1da04800bcaa2fa62e2cc884f2bedab44256f23ebbdf2251fcf0d7c57f41c48d0792a952f47ec27911393a9de287639a785d511c37af225d78bc6be1f89aae21b9c1b0b1305856fe75c799a1838fb84eedc7e295afd6e8c2f2550758d9a9db30abc4be746c91cecbfc9ac110c18abed8d884cbfc02710a003c3e06ce2bc756f6d3f1c1cc4b40000000d232aac6f8883873aef1f60b409b5f5cfc48bf0a34469ae018c709af5ff52a9ae821e4a8abe4482e8b1ad8af142b26eefe53e3d9698677cecd68c1b411e149a8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000c6c7ffac5e4d9fa4eb82a35a45b4dda9116906376c571de927d5c188225aa925000000000e8000000002000020000000993a2c7c25b135e6930ef78f19b855378ed52ccf078236cab69c7f6a616c7ac4d0000000d191cbe9a1844b1b1fc50b06fbc2183dfde9771e13f84db0ae76f018265bad6b5efcb6e1c731b53886d76a9b0fdf3b8a719033dfc12523918adfe56b0535a63428e7df8f4bbf2138c6f99079c558a021ad59a57972be52d99131d894375802eea48fb8c649872f02c2e2161af55df812894382a4d028ae9bcd44dce871a0d8e9d6acf1647fd49bd0bdc21e3523b08e90ca51e9989e91deb6a5e0e9e75153316e969af124d065b62e69226672e6cd5e6c1d87002bf82a083334d06c781cd47cdcebde4b6464ce068aeb8c5d96e1b2af93400000005793d20e3a14cf600c52f02f65757bc500468c95c8ba06e8232bbd38d1949ef3bfadabf4b71052d1bba69de3d6ac7128f0f4e0db6d871db39f03dbc69e60a7fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000004bec7fb39d2f55787a71f369a4fd7c679a39a963a2c59cc8ff7c22bc44d28bf7000000000e8000000002000020000000c3a5e2227addd5ff5ab69a6aa3d72ebc29945e5cb3b65511107a0aef2e377e4f200000002591bf12f42e0c3d7c4f20448ff07bc0044f933494ff3f157ec0335cd9c9ab7d400000009ba6040f60e3db290edd5b86e07352a9febdde3445be1ff139495da44b924626f9ed70c8d168f753dca8c42734113134216b8f7760425180a82df46181ca91dc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000b1cda533b92e9cbd7d8472357cf1b20184969165c9f5b5be9f49871c4540a74e000000000e8000000002000020000000628cd260aaa15ce8fa1737badbd55361eddb565825a8b2fde7db979c5e2ffa68d00000008b25c2623129eba89eda96a14568050380caca5a5e6a6d9397744237faa8ebb0494ed82fdddef995a362454ff5169340dc551c67e50221470c4cb6fdb4d7f02248d4fa0d8d798ee0b3c54e5c70254ea69c00837a7f53f5f1fd66e6ed7b5aaa0aee5c07340b318f2e10a6c59917a5634220034db498f0da39d3ac8d490d9f89c03b0e435b275bba404a547d4dfcc1ba82b547065852438b268b6687f78a7db03b8685338b8a06f6e5385b99e02a9fff5761fb9662ce8cd40b141755caa15dd2c74c2e8fba2d1564d9112aad5636574e96400000008dd286092ff728c6225ed63dccaec40ed5b5bd0d8309ca248f8246bb889f0620eb84e43a87b8ca83c486f7caf0ce02ecc7b1262b9e55abdf5d04fe3aff0d2b46	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2664417667"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a00000000020000000000106600000001000020000000c864722aa73cf0c17730e2e4d9a882759bc2bad9289b44136d5ead7546067e9c000000000e8000000002000020000000622efbae070ab24d69d9469c4b35ad71cc1f139cdcc62c3ed5c2dafc090b3d232000000000ae50a7b606700a7ae542f70ea6b82e2f932b0fb8d4faee5f9777d10c08472840000000164d19565ca4effe5e83f94b1890aea71faba19224e75142f8350f1d35dcd8281190644b21d2ebaf25682a584e531cf96a429395ae55071a3f869f2c935b3714	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000062f768c99b00d1984670fb22d2ea31d20ebd73321caa60ac3144182f6c7bdfce000000000e8000000002000020000000a09c35c3e9fc51215cde310b55b618a0e46202008419442fe1c7a6f7683d3ba8d0000000eca21f855e93c8498e4e0fd263d01a73192b17d2a50e2ee2d934e218191f18fee99631628e94f860142b7c9c156815bde6d1594756d475f0ae3f195ae1e6e5804c04042910609e2e61f3ade372bf5ded75d12025e3b21c7dd41e7fc132af53d3f40b99d3086c08c28e0d3e9763f42a3a177f1a579202347bf7feb35aec3855294480c413bcc14d3f59d5dec0396a3546284beb17e56e158d832988c1566adcdd1afeef5e70e4fe28f272c2e5cd35879add66cc5a87dbd82142507c3acc84ef477d01ad1aee1dfeba02796c22800a5a9e400000001c7be460ff867d4d0ae42614b13571be212c3c3e9cd47478703478abc6cda1a4c644ff605212ee182e019cbff91f40943fc79674e9d82a38c5d014eb36ac9075	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30952071"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3304	WINWORD.EXE
3304	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2696	powershell.exe
2696	powershell.exe
3532	powershell.exe
3532	powershell.exe
3532	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2696	powershell.exe
4548	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe
1140	iexplore.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
3304	WINWORD.EXE
3304	WINWORD.EXE
3304	WINWORD.EXE
3304	WINWORD.EXE
1140	iexplore.exe
1140	iexplore.exe
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
4252	IEXPLORE.EXE
4252	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE
3304	WINWORD.EXE
3304	WINWORD.EXE
3304	WINWORD.EXE
1140	iexplore.exe
1140	iexplore.exe
3304	WINWORD.EXE
3420	IEXPLORE.EXE
3420	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
4572	IEXPLORE.EXE
4572	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
3104	IEXPLORE.EXE
3104	IEXPLORE.EXE
1140	iexplore.exe
1140	iexplore.exe
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3048	3304	WINWORD.EXE	80
PID 3304 wrote to memory of 3048	3304	WINWORD.EXE	80
PID 3048 wrote to memory of 4548	3048	rundll32.exe	81
PID 3048 wrote to memory of 4548	3048	rundll32.exe	81
PID 3048 wrote to memory of 4548	3048	rundll32.exe	81
PID 1140 wrote to memory of 4856	1140	iexplore.exe	86
PID 1140 wrote to memory of 4856	1140	iexplore.exe	86
PID 1140 wrote to memory of 4856	1140	iexplore.exe	86
PID 1140 wrote to memory of 4252	1140	iexplore.exe	87
PID 1140 wrote to memory of 4252	1140	iexplore.exe	87
PID 1140 wrote to memory of 4252	1140	iexplore.exe	87
PID 1140 wrote to memory of 204	1140	iexplore.exe	91
PID 1140 wrote to memory of 204	1140	iexplore.exe	91
PID 1140 wrote to memory of 204	1140	iexplore.exe	91
PID 1140 wrote to memory of 2792	1140	iexplore.exe	95
PID 1140 wrote to memory of 2792	1140	iexplore.exe	95
PID 1140 wrote to memory of 2792	1140	iexplore.exe	95
PID 1140 wrote to memory of 3672	1140	iexplore.exe	96
PID 1140 wrote to memory of 3672	1140	iexplore.exe	96
PID 1140 wrote to memory of 3672	1140	iexplore.exe	96
PID 1140 wrote to memory of 1132	1140	iexplore.exe	98
PID 1140 wrote to memory of 1132	1140	iexplore.exe	98
PID 1140 wrote to memory of 1132	1140	iexplore.exe	98
PID 1140 wrote to memory of 3420	1140	iexplore.exe	100
PID 1140 wrote to memory of 3420	1140	iexplore.exe	100
PID 1140 wrote to memory of 3420	1140	iexplore.exe	100
PID 1140 wrote to memory of 2836	1140	iexplore.exe	101
PID 1140 wrote to memory of 2836	1140	iexplore.exe	101
PID 1140 wrote to memory of 2836	1140	iexplore.exe	101
PID 1140 wrote to memory of 4572	1140	iexplore.exe	104
PID 1140 wrote to memory of 4572	1140	iexplore.exe	104
PID 1140 wrote to memory of 4572	1140	iexplore.exe	104
PID 1140 wrote to memory of 3104	1140	iexplore.exe	105
PID 1140 wrote to memory of 3104	1140	iexplore.exe	105
PID 1140 wrote to memory of 3104	1140	iexplore.exe	105
PID 1140 wrote to memory of 4444	1140	iexplore.exe	106
PID 1140 wrote to memory of 4444	1140	iexplore.exe	106
PID 1140 wrote to memory of 4444	1140	iexplore.exe	106
PID 1304 wrote to memory of 3604	1304	cmd.exe	109
PID 1304 wrote to memory of 3604	1304	cmd.exe	109
PID 3604 wrote to memory of 4132	3604	forfiles.exe	111
PID 3604 wrote to memory of 4132	3604	forfiles.exe	111
PID 4132 wrote to memory of 2696	4132	cmd.exe	112
PID 4132 wrote to memory of 2696	4132	cmd.exe	112
PID 2696 wrote to memory of 3532	2696	powershell.exe	113
PID 2696 wrote to memory of 3532	2696	powershell.exe	113
PID 2696 wrote to memory of 3788	2696	powershell.exe	114
PID 2696 wrote to memory of 3788	2696	powershell.exe	114
PID 2696 wrote to memory of 4224	2696	powershell.exe	115
PID 2696 wrote to memory of 4224	2696	powershell.exe	115
PID 4224 wrote to memory of 4668	4224	csc.exe	116
PID 4224 wrote to memory of 4668	4224	csc.exe	116
PID 2696 wrote to memory of 3260	2696	powershell.exe	117
PID 2696 wrote to memory of 3260	2696	powershell.exe	117
PID 3260 wrote to memory of 3436	3260	csc.exe	118
PID 3260 wrote to memory of 3436	3260	csc.exe	118
PID 2696 wrote to memory of 2712	2696	powershell.exe	23
PID 4548 wrote to memory of 2712	4548	rundll32.exe	23
PID 1844 wrote to memory of 3024	1844	cmd.exe	121
PID 1844 wrote to memory of 3024	1844	cmd.exe	121

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2712
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\request.docm" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\y3C4B.tmp.dll",DllRegisterServer
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\Temp\y3C4B.tmp.dll",DllRegisterServer
      4⤵
      Loads dropped DLL
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA== & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVgBlAHIAcwBpAG8AbgBkAGEAeQAnACkALgBCAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQA7AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQAnAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGQAZgBvAG0AaABlAGwAcwBvAGgAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGYAbwBtAGgAZQBsAHMAbwBoACkAJwA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\egkdud3f\egkdud3f.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES334D.tmp" "c:\Users\Admin\AppData\Local\Temp\egkdud3f\CSCCFB4F460216A4B1E94B7C02DC93EA71D.TMP"
        7⤵
        
        PID:4668
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xq11admz\xq11admz.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34A5.tmp" "c:\Users\Admin\AppData\Local\Temp\xq11admz\CSC641A5E0419CD4897B376AE9FF58C438.TMP"
        7⤵
        
        PID:3436
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\7CFE.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:3024

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2132

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4252
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17422 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17428 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17434 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17440 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:82946 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17450 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2836
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17456 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17462 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17468 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d54855bf8c978d6881061a312a75333c

SHA1
9f9aa8fa71f3303ed698314afb8fba1619c219cf

SHA256
f67682e075a617f3e515ee10afc379de518474ba79a2c05f23beece24f5f6885

SHA512
00e7c63a7221e8c9f1f6e0d4c4cbe0512d7066c8bc8577b3b60704dc98e9e0f3f113dea521b984105f1bbdc8a0fba26ba3255983fb784ad2b83dd7ddfa312525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ves0881\imagestore.dat

Filesize
430B

MD5
78b511d855aeaeaecb11a56e5688b33b

SHA1
587dc3bf982a864ecc1f05e25c7a2b47669041c5

SHA256
23b6b63e9c1b265a58dab316ebc104bed61c4da22ca414aeecc3f1576a106877

SHA512
35e67e2e15419541d44f0147a20cbe446c2e8ee78fabd609bb3328e0cc6051987859492179124f92fc6b37cb9f250c7c5d881c39e31b3279faf55fc4d810f173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\favicon[1].ico

Filesize
318B

MD5
a976d227e5d1dcf62f5f7e623211dd1b

SHA1
a2a9dc1abdd3d888484678663928cb024c359ee6

SHA256
66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

SHA512
6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
56eed407989b43f7fc53e2e7a47ab967

SHA1
a5c6b2f493199a08fabee50e6d588773952148f0

SHA256
efee8d1f6796868b832708e0b20a86e65736958419f2f7bbc97eb5d93346c6d3

SHA512
c15dfa9eb19eb2f7859043956f68f231c173c752409150f76fc0555cec11faf77aca175207ece0cad37767d72bd92af1969aba39f7be7c8df2fe0521bb426e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES334D.tmp

Filesize
1KB

MD5
5741de2bc9b0d5ecef48b3028df0dd9b

SHA1
29f3fbae54db2849ef2615f0d17f06f7f12bff8e

SHA256
cfc3d7579b799c2f16631273e91f55474cc719b0409b3fe87c4a14911c85056f

SHA512
84b9a04799667fe83f061903ba8b7494d2aea5eed83daf96b007ffe74e0ca78d4e05e48ff96524359d7e8634be8bc15d5f0a7c81e9b6e94a1b1cc61506f76868

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES34A5.tmp

Filesize
1KB

MD5
d0a800edf452d688094a90420d5b456c

SHA1
28b7c784e2b4a628110486670092516958016bc0

SHA256
aa1541327ae78726444da0c45b242430d3eb06fd33272ae1d08d3278cf708f2e

SHA512
bfef179f5b72366d22d11e06084bbaa6b832b36c4ff2cf77167b261858ad7997057d119da11ba667a4474f2363bb19e42fad8ba8a9189c7d65ff4350d1ec8665

Download Submit
C:\Users\Admin\AppData\Local\Temp\egkdud3f\egkdud3f.dll

Filesize
3KB

MD5
80e18b55cee5e8af4d3ff4ee134b34fa

SHA1
4155ac37939d6eeb45452690ab64738c1e3ab615

SHA256
4ad2c5581b3f9d9082d4e25a6d5180242e7fdfa7541cb6a007801961285494b0

SHA512
363d2263863a3ede29693945c1a0de9ba1ba2ceb6d8c241edbae674b85d495666b0d1045b5272d3010324f70bab1891b6eca44d5990889e173c7682c3df8890d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xq11admz\xq11admz.dll

Filesize
3KB

MD5
64cb19d64dec3b03e1e1dca2211c4b75

SHA1
e5885ef88b716de48cb3c69f84abfd1456815c44

SHA256
1e3876a0b563af7ad9561cf1117da1a838c87edf2e8928b6d20a2cee85a23ed8

SHA512
33009acf143f4870dba14de82a95bda53e6c3c1e948dfc10259c6926151174250c66ebcc45b20a89bf08ad737998f289de973bebc8c208f6fcec39cb103310a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3C4B.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\y3C4B.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\egkdud3f\CSCCFB4F460216A4B1E94B7C02DC93EA71D.TMP

Filesize
652B

MD5
361fa3afdf10716d56e8be0162c0551a

SHA1
b29f0930a116169ac0dc2f412f20da5f7c7a965d

SHA256
447858db58f02ec13d1b4b18f1cf704910bf405c3eebd82b1575c301efd71a05

SHA512
37d03c9b2dc2d98fea28898af3f37a201b882266fa4e2dfdd66b9b6125774d4e62364000353d6b184116fbd14921f79e11c0732d640b07a092d5d1e7243bd13b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\egkdud3f\egkdud3f.0.cs

Filesize
417B

MD5
cdc42ce046de74fa8cb97234640cfcc5

SHA1
8a6aa5bda682fbb11bc974d752408593aec799cc

SHA256
7fca4a3b3889149b375ce11cd1614298a244c05e3dd5fa343be56986aaa675c5

SHA512
c2663ca8817dc7a375c06cfc4adb529ab61b098663a550feba5dabe8b9c6269a5e878419d5198cb463b9c6b4d5acb504587ffd5721eab568068a7e9d45d55d13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\egkdud3f\egkdud3f.cmdline

Filesize
369B

MD5
06e9e918041f721534398e79ddb9a8c5

SHA1
d77e5e8cc9a9b737b0ded3654cbd906803ff230e

SHA256
066a48b39e430bdd3bb5bdc9cf69d3837d2077aa487f228e245417081db08e36

SHA512
c320500c1cd58cabf2a445ba159216cd000e1f4533e3636efb9da9d0998926857014d22632fad0c69537b92826486b760675bb4c933a354efabbd706ecf6ed89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xq11admz\CSC641A5E0419CD4897B376AE9FF58C438.TMP

Filesize
652B

MD5
cd8a3b1e1b08b13d7171528dfb1857ce

SHA1
a69cf691c6f4416e61a5b53f64466c168ac22f50

SHA256
ea4275ea72627c2a727005c014b99bdb28bef84917a68d0fa341de1cb1037480

SHA512
22bcb7c489dbf1eeaf2393d05e028f87a709b5fafd6f6ed60b9155ce27d88ecb020109ead10e8ba2753a480757a104a23068860c70ff7f99303f8cea3d8cf52e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xq11admz\xq11admz.0.cs

Filesize
416B

MD5
e991aa9d35bfffc8f1e0d5dcf4c95ed1

SHA1
02d81b5b8cfd7b25d4fa0dab40d6ce6db3129501

SHA256
2598df56dcfc916eb9ae7b571c67d2feb92740843e36caccf9df705c03145265

SHA512
e0205253f43832674a3ea5dbe376e82fe0a59722ca10bed0184ff8fa298111957437db32aefb725b8c525f62aa8c7bc14922fa665ec9ced0d465d91837da126b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xq11admz\xq11admz.cmdline

Filesize
369B

MD5
463dc4318014012ea9a23c72cf95026d

SHA1
88bed4062987c7933796449bee0af1f9636677f2

SHA256
7dc11a816badbbc03863a3f971f22a47caad2abed15ceb47c66c2c919dc26eb4

SHA512
fb9b7e99143bbf863abc29d26dd2b94fc18efd7ea844964a827163bc0c8e6830801049a3ad7c3054fed6e69d82ebb7ef146a4f082001dfb3a4a1757f38de027a

Download Submit
memory/2696-166-0x00000277EBF53000-0x00000277EBF55000-memory.dmp

Filesize
8KB

Download
memory/2696-161-0x00000277EBF60000-0x00000277EBF82000-memory.dmp

Filesize
136KB

Download
memory/2696-189-0x00000277EC2E0000-0x00000277EC2F3000-memory.dmp

Filesize
76KB

Download
memory/2696-163-0x00007FF9993B0000-0x00007FF999E71000-memory.dmp

Filesize
10.8MB

Download
memory/2696-165-0x00000277EBF50000-0x00000277EBF52000-memory.dmp

Filesize
8KB

Download
memory/2696-167-0x00000277EBF56000-0x00000277EBF58000-memory.dmp

Filesize
8KB

Download
memory/3304-136-0x0000024DD2937000-0x0000024DD29B0000-memory.dmp

Filesize
484KB

Download
memory/3304-133-0x00007FF986FD0000-0x00007FF986FE0000-memory.dmp

Filesize
64KB

Download
memory/3304-157-0x0000024DD280F000-0x0000024DD2811000-memory.dmp

Filesize
8KB

Download
memory/3304-131-0x00007FF986FD0000-0x00007FF986FE0000-memory.dmp

Filesize
64KB

Download
memory/3304-132-0x00007FF986FD0000-0x00007FF986FE0000-memory.dmp

Filesize
64KB

Download
memory/3304-134-0x00007FF986FD0000-0x00007FF986FE0000-memory.dmp

Filesize
64KB

Download
memory/3304-135-0x0000024DD280F000-0x0000024DD2811000-memory.dmp

Filesize
8KB

Download
memory/3304-130-0x00007FF986FD0000-0x00007FF986FE0000-memory.dmp

Filesize
64KB

Download
memory/3304-137-0x0000024DD69D0000-0x0000024DD6A0F000-memory.dmp

Filesize
252KB

Download
memory/3532-164-0x00007FF9993B0000-0x00007FF999E71000-memory.dmp

Filesize
10.8MB

Download
memory/3788-172-0x000001C99ABB6000-0x000001C99ABB8000-memory.dmp

Filesize
8KB

Download
memory/3788-173-0x000001C99ABB0000-0x000001C99ABB2000-memory.dmp

Filesize
8KB

Download
memory/3788-174-0x000001C99ABB3000-0x000001C99ABB5000-memory.dmp

Filesize
8KB

Download
memory/3788-171-0x00007FF9993B0000-0x00007FF999E71000-memory.dmp

Filesize
10.8MB

Download
memory/4548-147-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/4548-142-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4548-191-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download