gozi | 892356bd0a480bab24daaa62d66d31b957cbc2bc4414e07a70ec86fba39af0f1

General

Target

31b021a4ea9e67758113887dfdf4ee89_JaffaCakes118.exe
Size

1.8MB
MD5

31b021a4ea9e67758113887dfdf4ee89
SHA1

ccf28cd9451e330c498d4f9b23b19fe471e1427c
SHA256

892356bd0a480bab24daaa62d66d31b957cbc2bc4414e07a70ec86fba39af0f1
SHA512

7f41bc4c454def40edd3769286daa68aa5e3ebedc4358997556c9ebe9046ed613862e97be8e72c8975e700c3f27a8de8ffa8d89779438c2fef0a8c11119ffe9d
SSDEEP

49152:wK+Hl4vGdpSL5ktmiMb6eMxbqgu+uZtn7ONp7bd4r54pHduC:j+Hl4vEpbtmiMb6ehgu+uZtnCH7bd4r2

Score

10^/10

gozi 3493 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214098

Extracted

Family

gozi

Botnet

3493

C2

google.com

gmail.com

lsammietf53.com

p28u70webster.com

ploi7260m71.com

Attributes

build
214098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{635F2B2F-0F29-11EF-B865-76A3C14B7D9C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107fa60536a3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "84025332"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3093CDB8-0F29-11EF-B865-76A3C14B7D9C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31105846"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2035a40536a3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000c3ae41aec968c0002c19e43be3950c3fa44cc5000bf45f7105be0f695ac53d6b000000000e8000000002000020000000d764347c24ef0d19e3a0c09972a55f2d8c03c70bd3516d51c114941c11fa9f1b200000007cc7e3cc6eec84d7d8cf595607da6cbb195279099f56901f55de4eef27460c13400000007a73e5979947d10ea7b07a13c511fe9e79b3941b323cd29b1e6776673bd2da11e008344e9f0ebe02967b8dc8660e52963dce4daf2b39e97d07863fafeda66e69	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000a1be03b4d57501e969f929b98d795b429d8d036524da1aa277da4f1d98c07a3a000000000e80000000020000200000001a089e9bf17c25e700a4ee25c2988808d23de05e3a0e3a7df62d263bd0e7378e20000000e320d0f7718928f0436d1079522068794866b2d887948caf6121bcd35ea23e4840000000af495154a3bd8704615caf2c8ec2867c5967e881219873f42a5c15625dc7db6786d8b5cceb3135554f914c27509e0db958f247383be9b70213bb08617c914d5e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0011730c36a3da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f8440000000002000000000010660000000100002000000068bf53229e6a67651618d963cecf98067fb6fb9096030ffa4d73b36a76586d28000000000e80000000020000200000009cbfcc75427cdf81931943e4d593a82b03e59605252a5576e590e49133e2d1e22000000046b467c6af6c1e80bb691dddb62c6aa4de5f9f0acb96077bd7ea73c5f1ddc21f4000000091739a458bba27995249db54767c77bb1d8bfbc7fb06f29555135c78ca2b1c61047a1808f0c5b6731e21de3b2797a7530ff4457c7d254ac6cd22c2cbe752382a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f84400000000020000000000106600000001000020000000912eef774947e1e3fd834aecaed259ede0e933e24b8e5d29cf06dfd80f0186d4000000000e80000000020000200000002907a862c1e394f97b24a43f3dad08562c7a90aa78effed8064666c647a6ed63200000004a819b348358967d82d7373877cc801701eafeb5ca08c8eab1ed73fd6c0d9134400000007f52209972a9f125df07631dfd6cace4c8a1fa9d8cfa945aceee44628816a7ded6f4a3959c0ec1b715bfbdf29353bd7f7ed946899e306323ef1724e5a742f349	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31105846"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{49CC2FC7-0F29-11EF-B865-76A3C14B7D9C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "84025332"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150dfb3d7d297149b53fa5015b24f8440000000002000000000010660000000100002000000017eafa3381c4b5f9de262fe1002fc6639532aef372fb99fabd48c4d9126218b6000000000e8000000002000020000000bf7c37d548d65dd96c6b8af659770e4997500faded4b9cc55aa9dbc5a60aeaaa200000005c65ec17ec6d902feb7beb6b60ec3090c028b1b98a9bf920990e1a1b451b0a8e400000001289137f5255b5b9f8beecdedc3fd1722bddd8ab2c53ab683c2c045b205164b040c57545083bf98d3adc94a22301808ab447a898f9d726e3c0f104aa92ed2606	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c83c2636a3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{567DD5C8-0F29-11EF-B865-76A3C14B7D9C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50246c1936a3da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

3632 iexplore.exe
1372 iexplore.exe
520 iexplore.exe
2220 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
3632	iexplore.exe
3632	iexplore.exe
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
1372	iexplore.exe
1372	iexplore.exe
3340	IEXPLORE.EXE
3340	IEXPLORE.EXE
520	iexplore.exe
520	iexplore.exe
876	IEXPLORE.EXE
876	IEXPLORE.EXE
2220	iexplore.exe
2220	iexplore.exe
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3632 wrote to memory of 4008	3632	iexplore.exe	IEXPLORE.EXE
PID 3632 wrote to memory of 4008	3632	iexplore.exe	IEXPLORE.EXE
PID 3632 wrote to memory of 4008	3632	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3340	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3340	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 3340	1372	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 876	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 876	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 876	520	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3400	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3400	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3400	2220	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\31b021a4ea9e67758113887dfdf4ee89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31b021a4ea9e67758113887dfdf4ee89_JaffaCakes118.exe"
1⤵
PID:4800

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3632 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:876

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:17410 /prefetch:2
2⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\robot[1].png

Filesize
6KB

MD5
4c9acf280b47cef7def3fc91a34c7ffe

SHA1
c32bb847daf52117ab93b723d7c57d8b1e75d36b

SHA256
5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

SHA512
369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMMYN4JX\googlelogo_color_150x54dp[1].png

Filesize
3KB

MD5
9d73b3aa30bce9d8f166de5178ae4338

SHA1
d0cbc46850d8ed54625a3b2b01a2c31f37977e75

SHA256
dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

SHA512
8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE697A5B812B6E458.TMP

Filesize
16KB

MD5
5c1eb8243da51533ca9eb05ac14d0d83

SHA1
ec4bbfe8aa7f970265cf15f2a64163780a58fef3

SHA256
8646305dbb3650ce6c2daa6068bdf4ef4e8942641ae4bb9401fba85efac77789

SHA512
7e87db3d969caaa9c3def480d839e4eaadaf603e1dd5dc06142f7105734a873fa2e292b6eddff884c7029397928e1345353597e93b5b3b252a778d64957ce63a

Download Submit
memory/4800-0-0x0000000000840000-0x0000000000B9C000-memory.dmp

Filesize
3.4MB

Download
memory/4800-3-0x0000000000840000-0x0000000000B9C000-memory.dmp

Filesize
3.4MB

Download
memory/4800-2-0x00000000009EC000-0x00000000009F1000-memory.dmp

Filesize
20KB

Download
memory/4800-1-0x0000000000840000-0x0000000000B9C000-memory.dmp

Filesize
3.4MB

Download
memory/4800-4-0x00000000027C0000-0x00000000027CF000-memory.dmp

Filesize
60KB

Download
memory/4800-17-0x0000000000840000-0x0000000000B9C000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads