gozi | c2246bff0c1ae5b9e3dcfa9f288520624fd6a7f0c3fbc11c2bbf7afd8915d61c

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3de929f98b66f1dd0e8c986c975506_JaffaCakes118.exe
Size

1.6MB
MD5

6a3de929f98b66f1dd0e8c986c975506
SHA1

f36591e736c97980790a605d134ed4b9f7f0fd12
SHA256

c2246bff0c1ae5b9e3dcfa9f288520624fd6a7f0c3fbc11c2bbf7afd8915d61c
SHA512

edc63fd8e3c1f5281909ad824d7b7734700ee05f31a533fb9ce6bf8c49c389c6bd4e69129412fab75ca97e2e5c97a74bf591b9f0922b929c5e2a97c9f9c13638
SSDEEP

49152:kB9NjHLDKvHd5GY++tqg2FsYmWVvP+FeBG+VBSaL12xN//Gag8:kBzHLDKV5GCtqgGsYmWVvP+FeA+H0xNn

Score

10^/10

gozi 3531 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214107

Extracted

Family

gozi

Botnet

3531

gmail.com

google.com

k55gaisi.com

leinwqoa.com

bon11ljgarry.com

Attributes

build
214107
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb200000000020000000000106600000001000020000000ba8d0c2045b197f1acf34198636e087752b47afca7c6ebbf745d12cd37021258000000000e8000000002000020000000ea0d8cb582943cbd641b5cb125cf342164d58cdcee6b36602613032bc3ea51cf20000000e1983e3ca7ad3c6f799e4b7f796fc94adc4f9bc761ba150c0768d6c52b766f3840000000f7d88f7ac2e5405d41aa7cdcd64b405e7042ccd443e89b2fe40a2a09f45553aa4e88ed0e9d6b9eb44a255427ed73254ca74aa653c459d22d0600c992953e4909	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ED78800B-18D8-11EF-B8C0-5AA21198C1D4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{072CDA60-18D9-11EF-B8C0-5AA21198C1D4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2825160312"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108325"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102729bde5acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D3FFC083-18D8-11EF-B8C0-5AA21198C1D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709c4cb0e5acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb20000000002000000000010660000000100002000000066b6bbf54c591453e89ebb7270bae6d9dd6492c23efe74ffe3e962082cfc5dcf000000000e8000000002000020000000be4a5a2ab9720ca44fced48667a425f0057264d2b8e448d064bcd60836ef1214200000001836757788636d769f4557aedec9c82964f3988c89c86379b24d4ea2a05e5a0740000000a667a5e31ea9bb5bba90a845c9661f0aa705057ceb42d6c0a7e33dd4d4b3a2fa0485c788d43cef3da27e8da05d3d28df364ee423e9353fe0ec9a0951542927e3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FA504B0B-18D8-11EF-B8C0-5AA21198C1D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb200000000020000000000106600000001000020000000d69c4f328f4147167c65920d65bf604d0bd6528151e0a2dc804791bed7f18ca7000000000e80000000020000200000009f5444170e2af6eeebe022e024aa898b8232f4b1bf0ffe9010b3b7d4d1da680020000000cc4000947ccb16fd25c99bc63d9d6f2e00d01a0f4f88aaa4513fef0bb69f5e4e40000000e963a6f1a975035e982d1a5ae0113f7102a8f6b708077d1af412aa0638ea0afd2b226502291d79cdfbc90fb41c30e5cbc01b01fc8294956aba11ac3397379c9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108325"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb2000000000200000000001066000000010000200000005f132d8fc72e96e2675d99973d384374399d7724658254c737a1a1c7259b0b1c000000000e80000000020000200000007448c80d8e35ee6c0a3a4fe86ab7f520f094b14a3dc0d8f00ea3562e4dd1efae200000008bc55ebf90b87a8179c0ed6395f010b922d37ff610f683951e374e3a607fb6d64000000012ecbfb029792f8072ad6fb9cad7cf282e28184d0921af5ea4535e87490cdb09fa5b24bf9ff8fa857984616111a00e3e47456af28e18c217d838af6d827a679c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2825160312"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb200000000020000000000106600000001000020000000ba1bbda23df10674499b39c60eb27c8fc6406309df69a80058916df824425b31000000000e80000000020000200000000745aa941b22a6a670cf66001a19ec9cbc7aec36b54e03d68c2ceca07ce638d6200000006bcc24e0652f567709d5c0624f1c4b793e15c2ab5916f06e7e78d53753c3733b4000000033e05d965a831969dab5a9515bbb943deb7712013828d44a336a1919f108e70fb8f23428bea870db93693c7a747529a1bdb55522a4a7edb33d77564f8aab7c56	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{14214207-18D9-11EF-B8C0-5AA21198C1D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06f14d7e5acda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

3176 iexplore.exe
3360 iexplore.exe
2940 iexplore.exe
4648 iexplore.exe
3448 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
3176	iexplore.exe
3176	iexplore.exe
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
3360	iexplore.exe
3360	iexplore.exe
4288	IEXPLORE.EXE
4288	IEXPLORE.EXE
2940	iexplore.exe
2940	iexplore.exe
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE
4648	iexplore.exe
4648	iexplore.exe
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
3448	iexplore.exe
3448	iexplore.exe
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3176 wrote to memory of 4044	3176	iexplore.exe	IEXPLORE.EXE
PID 3176 wrote to memory of 4044	3176	iexplore.exe	IEXPLORE.EXE
PID 3176 wrote to memory of 4044	3176	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 4288	3360	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 4288	3360	iexplore.exe	IEXPLORE.EXE
PID 3360 wrote to memory of 4288	3360	iexplore.exe	IEXPLORE.EXE
PID 2940 wrote to memory of 4412	2940	iexplore.exe	IEXPLORE.EXE
PID 2940 wrote to memory of 4412	2940	iexplore.exe	IEXPLORE.EXE
PID 2940 wrote to memory of 4412	2940	iexplore.exe	IEXPLORE.EXE
PID 4648 wrote to memory of 5100	4648	iexplore.exe	IEXPLORE.EXE
PID 4648 wrote to memory of 5100	4648	iexplore.exe	IEXPLORE.EXE
PID 4648 wrote to memory of 5100	4648	iexplore.exe	IEXPLORE.EXE
PID 3448 wrote to memory of 2944	3448	iexplore.exe	IEXPLORE.EXE
PID 3448 wrote to memory of 2944	3448	iexplore.exe	IEXPLORE.EXE
PID 3448 wrote to memory of 2944	3448	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\6a3de929f98b66f1dd0e8c986c975506_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a3de929f98b66f1dd0e8c986c975506_JaffaCakes118.exe"
1⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:2248

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4648 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3448 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7575c39a544943a68ce6e709c586005a

SHA1
4874b30bd1d455b28a95c4e21c5aecd1ea043d7a

SHA256
4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8

SHA512
abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B381A9DE1A99F00B76BC46CB1F8CCB60
Filesize
472B

MD5
96bbdd53b91d569dff0a2886caa7f636

SHA1
79155f70f5bc6c1c6b336a1e9d936970b6d804a3

SHA256
c6ee3ee7acbe215bff82b5539cfb7652b61196e5d00e48b5d91597b371c6143d

SHA512
8a8355663483668bd1248bd6fa9a828879425d8937764af87e307deebab8e450e707478cedf6d2d73ae2e899cfa73e412e998439d34a5a345d1b30083997c4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
d35e8ef2ea845b517093168398a9ea08

SHA1
bc3ba62ab08a8238312c641b6d4fd0c1b8a1d1e8

SHA256
90bcaf54d0c07333fe50f9a59b793f88ca9a6b0ff9f02661d792267c7ef0eb5f

SHA512
9246ad211bf085bf81aaa3cf2a215a149c13bb3af899134d06a5f352a5f7a09c2f701c36c6568b2fcd075db51fbecb5e0874883b4e8804fd1973bd5e6d0b811d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
d8f35edda5d70c9e7e0814c3f3bb3a01

SHA1
f4196c4a71801a8897c528e171253ab96c51da8d

SHA256
b7b6f488aeec261074cc11a721f9770e1e55abf30a1295ab593496b048726885

SHA512
12673b41f080d86399afd0f6457da5be595b761a9e8723b0352ad37278b504145f770d2209dc00c9b6965009cff9018acc2b74832c553448bd65ca3edfd8da92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B381A9DE1A99F00B76BC46CB1F8CCB60
Filesize
402B

MD5
88a6d07a8c1a6285e740120b058f450c

SHA1
af46a63672b3fce3fbeb3a16e014b0335b7e43e3

SHA256
70c5e86f709eb19a86a830a26337a6329bf9b538edaff425b2e8516fb66ae4cd

SHA512
639b3878421124e87b99491453f181b6ecf4560019e3b5591d771e4d66166283777858f51afb4dd49ee3315f767693e32b1ea547d9877ee9f2939938d8533dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\robot[1].png
Filesize
6KB

MD5
4c9acf280b47cef7def3fc91a34c7ffe

SHA1
c32bb847daf52117ab93b723d7c57d8b1e75d36b

SHA256
5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

SHA512
369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\googlelogo_color_150x54dp[1].png
Filesize
3KB

MD5
9d73b3aa30bce9d8f166de5178ae4338

SHA1
d0cbc46850d8ed54625a3b2b01a2c31f37977e75

SHA256
dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

SHA512
8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF82F16755ECCBDCDD.TMP
Filesize
16KB

MD5
3c8f45ab354f7773fc7c955e8a6fc085

SHA1
253fa93ab5581581532ff3f32f1325e8629fcf62

SHA256
593579ad06b12b817368e95c93577964d0b32c2bfc80d9aca37b63d78c7b1285

SHA512
de673579ab6e973ec9d74c9e27bc2f9c3325a0edfb2e9e1276a8c2d0d6746926f9bb2561b85f410893ab63e4c18d50d7b720b35bac6e0ed8463fd4af7140287c

Download Submit
memory/464-27-0x0000000000800000-0x00000000009A8000-memory.dmp

Filesize
1.7MB

Download
memory/464-3-0x0000000002690000-0x000000000269F000-memory.dmp

Filesize
60KB

Download
memory/464-0-0x0000000000800000-0x00000000009A8000-memory.dmp

Filesize
1.7MB

Download
memory/464-1-0x0000000000972000-0x0000000000975000-memory.dmp

Filesize
12KB

Download
memory/464-2-0x0000000000800000-0x00000000009A8000-memory.dmp

Filesize
1.7MB

Download