gozi_ifsb | f3bd51c1bd71274daa1112b90a478ab08ee9644c117cc5405b53d37b839e8fdc

Analysis

max time kernel
130s
max time network
136s
platform
windows7_x64
resource
win7
submitted
06-07-2020 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Emmett.mpa.dll
Size

264KB
MD5

f2468454850c605558c6e959e07483b8
SHA1

78a426659ffff4152573b41a55270a868f8220f0
SHA256

f3bd51c1bd71274daa1112b90a478ab08ee9644c117cc5405b53d37b839e8fdc
SHA512

5628bd8f9dcea25426b6242296cb9c34f86cfa75a36b14829d001594f040a83043f538da796fcf14d9eedc8aaac24af8a53c780ac57d524d9b90f994ec4e1180

Score

10^/10

banker trojan gozi_ifsb spyware ursnif discovery

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1160	iexplore.exe
1160	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1060	iexplore.exe
1060	iexplore.exe
520	IEXPLORE.EXE
520	IEXPLORE.EXE
1060	iexplore.exe
1060	iexplore.exe
916	IEXPLORE.EXE
916	IEXPLORE.EXE
1060	iexplore.exe
1060	iexplore.exe
520	IEXPLORE.EXE
520	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeDebugPrivilege	1472	tasklist.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1888	net.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Checks whether UAC is enabled 5 IoCs

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1352	systeminfo.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1160	iexplore.exe
1060	iexplore.exe
1060	iexplore.exe
1060	iexplore.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	powershell.exe
2044	powershell.exe
1208	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f7076eaa53d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab80000000002000000000010660000000100002000000044e1215d02abdff82bdc57e63c0a6aa6c90383635421d93981328fb51ab01389000000000e800000000200002000000001f5795f0424596c4609095b56bff0077914c2748c283e550ad39337339c57c620000000081af893bfa2a2204d54e42498884038b42fd609ca31ebd26dbea4eabf5b99fa400000002b2d152eb66b5bc29e9611a3a13a17a36b85b1b80c084b87eae78b583ff9a0d51ff87e19cc4057c434969448e346dd76ad5bd122344ff76fb83056885289e14c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2477E71-BF9D-11EA-9D3F-7AC743829A74} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96BCD5B1-BF9D-11EA-9D3F-7AC743829A74} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab80000000002000000000010660000000100002000000067724aeb1ccdefdbf295db05f6d1be03b23a1ea98f128382f88c685894421ed4000000000e80000000020000200000009927b657a9b298a2c72fa1d839ba6b44d214346f440372d846fe03ffa24d21ee900000003ae192ec59a57d17566297463e86532c6fb36f54cd715928b5ef0759c716e3d4152ae051b836f403415ad63a5c4fb12e7b508572763cd46927eeb103304ab37c6090ff622f534aec8e337ae28f6d864b618ce1f0a6c25a5f142c540ea06a3e3eab221461672afb26608792e0f4aaa2d751caf690c1b86e23649c9765c114a8f3f5fcaf179f4c006a101403dba0ffa54040000000ab2813d74bc55b109192a4b54dad77af425357f3078316a533ee3465e1de938a5d6bd2ec5e05fce92fd6f65e2f060973ed4100c9419da1a231d6d17da7946089	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1472	tasklist.exe

Checks for installed software on the system 1 TTPs 39 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe

Suspicious use of WriteProcessMemory 127 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 608 wrote to memory of 1184	608	rundll32.exe	24
PID 1160 wrote to memory of 1816	1160	iexplore.exe	28
PID 1160 wrote to memory of 1816	1160	iexplore.exe	28
PID 1160 wrote to memory of 1816	1160	iexplore.exe	28
PID 1160 wrote to memory of 1816	1160	iexplore.exe	28
PID 1060 wrote to memory of 520	1060	iexplore.exe	33
PID 1060 wrote to memory of 520	1060	iexplore.exe	33
PID 1060 wrote to memory of 520	1060	iexplore.exe	33
PID 1060 wrote to memory of 520	1060	iexplore.exe	33
PID 1060 wrote to memory of 916	1060	iexplore.exe	34
PID 1060 wrote to memory of 916	1060	iexplore.exe	34
PID 1060 wrote to memory of 916	1060	iexplore.exe	34
PID 1060 wrote to memory of 916	1060	iexplore.exe	34
PID 1592 wrote to memory of 2044	1592	mshta.exe	38
PID 1592 wrote to memory of 2044	1592	mshta.exe	38
PID 1592 wrote to memory of 2044	1592	mshta.exe	38
PID 2044 wrote to memory of 108	2044	powershell.exe	40
PID 2044 wrote to memory of 108	2044	powershell.exe	40
PID 2044 wrote to memory of 108	2044	powershell.exe	40
PID 108 wrote to memory of 1700	108	csc.exe	41
PID 108 wrote to memory of 1700	108	csc.exe	41
PID 108 wrote to memory of 1700	108	csc.exe	41
PID 2044 wrote to memory of 1520	2044	powershell.exe	42
PID 2044 wrote to memory of 1520	2044	powershell.exe	42
PID 2044 wrote to memory of 1520	2044	powershell.exe	42
PID 1520 wrote to memory of 1864	1520	csc.exe	43
PID 1520 wrote to memory of 1864	1520	csc.exe	43
PID 1520 wrote to memory of 1864	1520	csc.exe	43
PID 2044 wrote to memory of 1208	2044	powershell.exe	20
PID 2044 wrote to memory of 1208	2044	powershell.exe	20
PID 2044 wrote to memory of 1208	2044	powershell.exe	20
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	44
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1632 wrote to memory of 1776	1632	cmd.exe	46
PID 1208 wrote to memory of 304	1208	Explorer.EXE	47
PID 1208 wrote to memory of 304	1208	Explorer.EXE	47
PID 1208 wrote to memory of 304	1208	Explorer.EXE	47
PID 304 wrote to memory of 652	304	cmd.exe	49
PID 304 wrote to memory of 652	304	cmd.exe	49
PID 304 wrote to memory of 652	304	cmd.exe	49
PID 1208 wrote to memory of 1496	1208	Explorer.EXE	50
PID 1208 wrote to memory of 1496	1208	Explorer.EXE	50
PID 1208 wrote to memory of 1496	1208	Explorer.EXE	50
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	52
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	52
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	52
PID 1468 wrote to memory of 1748	1468	cmd.exe	54
PID 1468 wrote to memory of 1748	1468	cmd.exe	54
PID 1468 wrote to memory of 1748	1468	cmd.exe	54
PID 1468 wrote to memory of 1620	1468	cmd.exe	55
PID 1468 wrote to memory of 1620	1468	cmd.exe	55
PID 1468 wrote to memory of 1620	1468	cmd.exe	55
PID 1208 wrote to memory of 1244	1208	Explorer.EXE	57
PID 1208 wrote to memory of 1244	1208	Explorer.EXE	57
PID 1208 wrote to memory of 1244	1208	Explorer.EXE	57
PID 1208 wrote to memory of 616	1208	Explorer.EXE	59
PID 1208 wrote to memory of 616	1208	Explorer.EXE	59
PID 1208 wrote to memory of 616	1208	Explorer.EXE	59
PID 616 wrote to memory of 1352	616	cmd.exe	61
PID 616 wrote to memory of 1352	616	cmd.exe	61
PID 616 wrote to memory of 1352	616	cmd.exe	61
PID 1208 wrote to memory of 1784	1208	Explorer.EXE	62
PID 1208 wrote to memory of 1784	1208	Explorer.EXE	62
PID 1208 wrote to memory of 1784	1208	Explorer.EXE	62
PID 1208 wrote to memory of 1492	1208	Explorer.EXE	64
PID 1208 wrote to memory of 1492	1208	Explorer.EXE	64
PID 1208 wrote to memory of 1492	1208	Explorer.EXE	64
PID 1492 wrote to memory of 1888	1492	cmd.exe	66
PID 1492 wrote to memory of 1888	1492	cmd.exe	66
PID 1492 wrote to memory of 1888	1492	cmd.exe	66
PID 1208 wrote to memory of 1184	1208	Explorer.EXE	67
PID 1208 wrote to memory of 1184	1208	Explorer.EXE	67
PID 1208 wrote to memory of 1184	1208	Explorer.EXE	67
PID 1208 wrote to memory of 1772	1208	Explorer.EXE	69
PID 1208 wrote to memory of 1772	1208	Explorer.EXE	69
PID 1208 wrote to memory of 1772	1208	Explorer.EXE	69
PID 1772 wrote to memory of 2008	1772	cmd.exe	71
PID 1772 wrote to memory of 2008	1772	cmd.exe	71
PID 1772 wrote to memory of 2008	1772	cmd.exe	71
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	72
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	72
PID 1208 wrote to memory of 1632	1208	Explorer.EXE	72
PID 1208 wrote to memory of 2028	1208	Explorer.EXE	74
PID 1208 wrote to memory of 2028	1208	Explorer.EXE	74
PID 1208 wrote to memory of 2028	1208	Explorer.EXE	74
PID 2028 wrote to memory of 1472	2028	cmd.exe	76
PID 2028 wrote to memory of 1472	2028	cmd.exe	76
PID 2028 wrote to memory of 1472	2028	cmd.exe	76
PID 1208 wrote to memory of 1424	1208	Explorer.EXE	77
PID 1208 wrote to memory of 1424	1208	Explorer.EXE	77
PID 1208 wrote to memory of 1424	1208	Explorer.EXE	77
PID 1208 wrote to memory of 1392	1208	Explorer.EXE	79
PID 1208 wrote to memory of 1392	1208	Explorer.EXE	79
PID 1208 wrote to memory of 1392	1208	Explorer.EXE	79
PID 1392 wrote to memory of 1640	1392	cmd.exe	81
PID 1392 wrote to memory of 1640	1392	cmd.exe	81
PID 1392 wrote to memory of 1640	1392	cmd.exe	81
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	82
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	82
PID 1208 wrote to memory of 1468	1208	Explorer.EXE	82
PID 1208 wrote to memory of 1696	1208	Explorer.EXE	84
PID 1208 wrote to memory of 1696	1208	Explorer.EXE	84
PID 1208 wrote to memory of 1696	1208	Explorer.EXE	84
PID 1696 wrote to memory of 976	1696	cmd.exe	86
PID 1696 wrote to memory of 976	1696	cmd.exe	86
PID 1696 wrote to memory of 976	1696	cmd.exe	86
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	87
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	87
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	87
PID 1208 wrote to memory of 616	1208	Explorer.EXE	89
PID 1208 wrote to memory of 616	1208	Explorer.EXE	89
PID 1208 wrote to memory of 616	1208	Explorer.EXE	89

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2044	powershell.exe
1208	Explorer.EXE
1632	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1776	PING.EXE

Runs net.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1208	2044	powershell.exe	20
PID 1208 set thread context of 1632	1208	Explorer.EXE	44
PID 1632 set thread context of 1776	1632	cmd.exe	46

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1776	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1208
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Emmett.mpa.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Emmett.mpa.dll,#1
    3⤵
    PID:1184
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\981CEC34-17F7-8AA9-614C-3B5E25409F72\\\Bdeudler'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\981CEC34-17F7-8AA9-614C-3B5E25409F72").CIRC2022))
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pryq4wo0\pryq4wo0.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:108
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB5B.tmp" "c:\Users\Admin\AppData\Local\Temp\pryq4wo0\CSCD1A78453B19D4A4680715A89E17211E.TMP"
        5⤵
        
        PID:1700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1jyjw5j\u1jyjw5j.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABF7.tmp" "c:\Users\Admin\AppData\Local\Temp\u1jyjw5j\CSC7604553CC88444A5A9FE7F8530E043FC.TMP"
        5⤵
        
        PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\Emmett.mpa.dll"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  PID:1632
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1776
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B474.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:652
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B474.bi1"
  2⤵
  PID:1496
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1244
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:616
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1352
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1492
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1888
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1184
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1772
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1632
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:2028
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Enumerates processes with tasklist
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1392
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1468
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    - Checks for installed software on the system
    PID:976
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\39F4.bin1 > C:\Users\Admin\AppData\Local\Temp\39F4.bin & del C:\Users\Admin\AppData\Local\Temp\39F4.bin1"
  2⤵
  PID:616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:2896909 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-6-0x0000000006310000-0x0000000006333000-memory.dmp

Filesize
140KB

Download
memory/1816-3-0x00000000041B0000-0x00000000041B3000-memory.dmp

Filesize
12KB

Download
memory/1816-2-0x0000000005F80000-0x0000000005FA3000-memory.dmp

Filesize
140KB

Download