gozi_rm3 | ad6d0f94a890ee4ef5b0a36ab1fa2845910d3b687ef7bc0c42f0dfc3e1952469

Analysis

max time kernel
300s
max time network
301s
platform
windows10_x64
resource
win10-en
submitted
09-09-2021 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4e5310572a5f15be59a84185d7bc999a47cef2f.exe
Size

880KB
MD5

8baf707c7afeb686ca13710762829052
SHA1

e4e5310572a5f15be59a84185d7bc999a47cef2f
SHA256

ad6d0f94a890ee4ef5b0a36ab1fa2845910d3b687ef7bc0c42f0dfc3e1952469
SHA512

a7e66d381dee8db04317cb70df7f7de03ab9381de8db7313d2613c478b345945c97ebc1bed94d167501b4bff7e005b9a6fdc1e2cda9c1c837d14b50fee1bf8e1

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0efbe47b8a5d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003ae891b8a5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000086f0f38f990567c526944554433a2abe398cad34380f9ae4828397e4aea9bbb6000000000e8000000002000020000000d36fc582c82779ace1258b93d42f4bdee1740c8a936211f02276a542c17f98b620000000955260bc110641f83366d650190dc433ca7e75ac635fd459c9ff849583170e52400000003c8da7d0a3accdba8366113c8ada1a2d7183247ecdc53c71d80f13c5b54b499e2710275fbdcdb406ec1916212cf2d494fcac961e5875ecb06ce9370be021b80f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 309ab2a5b8a5d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1062762182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000003e6311ebe09fdd924223f0e0c3e3816702533e2e43db87a4b8855edf0702fc90000000000e80000000020000200000001963ec2183556d44f0a935fe74c526dfd73418ef587172cd494acc2a08ddac5b200000005f59542b73c0736265460405c383eb49e79cf93fbc29c48fc4aac5b975d0bde7400000001a4e39ee61a82537ce3b349197428d2e330a9d41446bc724534290236a822df4c4b73db92ae4226e99595e20aa46b029b2dbb51272f4e21d44a13f5880796d15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AC2FA04-11AB-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08a6fc0b8a5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000d13ac0306f6976a4e77ad81feef2c8871d8c0574df4454d87f2895408b1e2762000000000e8000000002000020000000c2281bb6964b55c41ed00babcbc0347db85eaec6afe5913cf3d9e0acf5a3513820000000077ddee2fd7384dad493944fa6e0215905f866138c970997c1aa9db3b4746ac0400000003d66f35b6a2acf1c7e9197160a66329beeb74f47bb71f5e3dfc9bde6e45103ed699f379d06d4ac6b8296e38137e9f0c5674e55a4853984134ef7ef391153343b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00320b40b8a5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000030cf5a7cbd26f0de6165637b0ea688dd53a085546f138026b55fce71ca1b2b47000000000e8000000002000020000000f3c43145df361c8b2cff8550bafe6c6beab7471d40df0ec972f6b19d013899a120000000201ac14c5395e39c58003815f38a67a76984588207ddf53af8dcccb4e51ccb4140000000455eedd1a12de19064a88a609ed6588ab77558e4fe6fc8ebcdb2c0ba672c3f3620fb312123b3bf633200552d6513bdc882d52c0de0d1ec50304e243245559775	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909880"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E2F18D10-11AB-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FDAC275E-11AB-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA6269CB-11AB-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000005f04648b97cb566c6d17135d5e306d67e8bc2593f33e6efa7f7be62506fd0356000000000e80000000020000200000003d6a233287120c4cf81cdce95ff67af23deece0b082bb96f67e7afc4ffdafbbb20000000e628073aa3508481a633df998a62a9720e3d15e11fe093ada225b226863aa99140000000283048e7899453fa1664b449e3ae955678c8c65e30897cf206886a6db4954e29015c700f49a81b760dcc0ed798863f8ea004cd132f2b9373f41e5e75248e44f1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000067621e521214b72f66a4ed0ff4be8f16b8b2e739e4438e87a2d456bdd68c541a000000000e800000000200002000000061a4f0d6284fc8c721f6ce432d385b60194e654ad180e6c785eadd0543d0b4d32000000036db9b5448f11e29798eff174a56801c0da6b9d3f6220b37f88e8367ac9d4a8140000000db0c2a1a0cd2d89bcd853159f7716f7daa4791ca8336567ee4ece44db93be486af9569bd5f2047e8b67159725dc2a5d5aaacadb7aaf245bb3badd6096c234c92	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC0D3E40-11AB-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0B830E02-11AC-11EC-A248-DEF56552C284} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
188	iexplore.exe
1464	iexplore.exe
2680	iexplore.exe
4220	iexplore.exe
3360	iexplore.exe
4072	iexplore.exe
4396	iexplore.exe
4376	iexplore.exe
2608	iexplore.exe
2260	iexplore.exe
5024	iexplore.exe
4600	iexplore.exe
3908	iexplore.exe
1384	iexplore.exe
4388	iexplore.exe
4344	iexplore.exe
400	iexplore.exe
2244	iexplore.exe
4280	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
188	iexplore.exe
188	iexplore.exe
4380	IEXPLORE.EXE
4380	IEXPLORE.EXE
1464	iexplore.exe
1464	iexplore.exe
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2680	iexplore.exe
2680	iexplore.exe
4020	IEXPLORE.EXE
4020	IEXPLORE.EXE
4220	iexplore.exe
4220	iexplore.exe
4492	IEXPLORE.EXE
4492	IEXPLORE.EXE
3360	iexplore.exe
3360	iexplore.exe
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
4072	iexplore.exe
4072	iexplore.exe
4400	IEXPLORE.EXE
4400	IEXPLORE.EXE
4396	iexplore.exe
4396	iexplore.exe
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE
4376	iexplore.exe
4376	iexplore.exe
420	IEXPLORE.EXE
420	IEXPLORE.EXE
2608	iexplore.exe
2608	iexplore.exe
816	IEXPLORE.EXE
816	IEXPLORE.EXE
2260	iexplore.exe
2260	iexplore.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
5024	iexplore.exe
5024	iexplore.exe
4996	IEXPLORE.EXE
4996	IEXPLORE.EXE
4600	iexplore.exe
4600	iexplore.exe
3568	IEXPLORE.EXE
3568	IEXPLORE.EXE
3908	iexplore.exe
3908	iexplore.exe
4492	IEXPLORE.EXE
4492	IEXPLORE.EXE
1384	iexplore.exe
1384	iexplore.exe
3396	IEXPLORE.EXE
3396	IEXPLORE.EXE
4388	iexplore.exe
4388	iexplore.exe
4440	IEXPLORE.EXE
4440	IEXPLORE.EXE
4344	iexplore.exe
4344	iexplore.exe
3780	IEXPLORE.EXE
3780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 188 wrote to memory of 4380	188	iexplore.exe	83
PID 188 wrote to memory of 4380	188	iexplore.exe	83
PID 188 wrote to memory of 4380	188	iexplore.exe	83
PID 1464 wrote to memory of 2008	1464	iexplore.exe	85
PID 1464 wrote to memory of 2008	1464	iexplore.exe	85
PID 1464 wrote to memory of 2008	1464	iexplore.exe	85
PID 2680 wrote to memory of 4020	2680	iexplore.exe	87
PID 2680 wrote to memory of 4020	2680	iexplore.exe	87
PID 2680 wrote to memory of 4020	2680	iexplore.exe	87
PID 4220 wrote to memory of 4492	4220	iexplore.exe	89
PID 4220 wrote to memory of 4492	4220	iexplore.exe	89
PID 4220 wrote to memory of 4492	4220	iexplore.exe	89
PID 3360 wrote to memory of 3452	3360	iexplore.exe	91
PID 3360 wrote to memory of 3452	3360	iexplore.exe	91
PID 3360 wrote to memory of 3452	3360	iexplore.exe	91
PID 4072 wrote to memory of 4400	4072	iexplore.exe	93
PID 4072 wrote to memory of 4400	4072	iexplore.exe	93
PID 4072 wrote to memory of 4400	4072	iexplore.exe	93
PID 4396 wrote to memory of 4636	4396	iexplore.exe	95
PID 4396 wrote to memory of 4636	4396	iexplore.exe	95
PID 4396 wrote to memory of 4636	4396	iexplore.exe	95
PID 4376 wrote to memory of 420	4376	iexplore.exe	97
PID 4376 wrote to memory of 420	4376	iexplore.exe	97
PID 4376 wrote to memory of 420	4376	iexplore.exe	97
PID 2608 wrote to memory of 816	2608	iexplore.exe	99
PID 2608 wrote to memory of 816	2608	iexplore.exe	99
PID 2608 wrote to memory of 816	2608	iexplore.exe	99
PID 2260 wrote to memory of 1612	2260	iexplore.exe	101
PID 2260 wrote to memory of 1612	2260	iexplore.exe	101
PID 2260 wrote to memory of 1612	2260	iexplore.exe	101
PID 5024 wrote to memory of 4996	5024	iexplore.exe	103
PID 5024 wrote to memory of 4996	5024	iexplore.exe	103
PID 5024 wrote to memory of 4996	5024	iexplore.exe	103
PID 4600 wrote to memory of 3568	4600	iexplore.exe	105
PID 4600 wrote to memory of 3568	4600	iexplore.exe	105
PID 4600 wrote to memory of 3568	4600	iexplore.exe	105
PID 3908 wrote to memory of 4492	3908	iexplore.exe	107
PID 3908 wrote to memory of 4492	3908	iexplore.exe	107
PID 3908 wrote to memory of 4492	3908	iexplore.exe	107
PID 1384 wrote to memory of 3396	1384	iexplore.exe	109
PID 1384 wrote to memory of 3396	1384	iexplore.exe	109
PID 1384 wrote to memory of 3396	1384	iexplore.exe	109
PID 4388 wrote to memory of 4440	4388	iexplore.exe	111
PID 4388 wrote to memory of 4440	4388	iexplore.exe	111
PID 4388 wrote to memory of 4440	4388	iexplore.exe	111
PID 4344 wrote to memory of 3780	4344	iexplore.exe	113
PID 4344 wrote to memory of 3780	4344	iexplore.exe	113
PID 4344 wrote to memory of 3780	4344	iexplore.exe	113
PID 400 wrote to memory of 4444	400	iexplore.exe	115
PID 400 wrote to memory of 4444	400	iexplore.exe	115
PID 400 wrote to memory of 4444	400	iexplore.exe	115
PID 2244 wrote to memory of 4464	2244	iexplore.exe	117
PID 2244 wrote to memory of 4464	2244	iexplore.exe	117
PID 2244 wrote to memory of 4464	2244	iexplore.exe	117
PID 4280 wrote to memory of 2128	4280	iexplore.exe	119
PID 4280 wrote to memory of 2128	4280	iexplore.exe	119
PID 4280 wrote to memory of 2128	4280	iexplore.exe	119

C:\Users\Admin\AppData\Local\Temp\e4e5310572a5f15be59a84185d7bc999a47cef2f.exe
"C:\Users\Admin\AppData\Local\Temp\e4e5310572a5f15be59a84185d7bc999a47cef2f.exe"
1⤵
PID:4680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:188
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:188 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4072 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4396 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1612

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5024 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3908 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4388 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4344 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:82945 /prefetch:2
  2⤵
  PID:4444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4280 CREDAT:82945 /prefetch:2
  2⤵
  PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-121-0x00007FF8A1F50000-0x00007FF8A1FBB000-memory.dmp

Filesize
428KB

Download
memory/400-153-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/1384-147-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/1464-123-0x00007FF8B0640000-0x00007FF8B06AB000-memory.dmp

Filesize
428KB

Download
memory/2244-155-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/2260-139-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/2608-137-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/2680-125-0x00007FF8B0640000-0x00007FF8B06AB000-memory.dmp

Filesize
428KB

Download
memory/3360-129-0x00007FF8B0640000-0x00007FF8B06AB000-memory.dmp

Filesize
428KB

Download
memory/3908-145-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/4072-131-0x00007FF8B0640000-0x00007FF8B06AB000-memory.dmp

Filesize
428KB

Download
memory/4220-127-0x00007FF8B0640000-0x00007FF8B06AB000-memory.dmp

Filesize
428KB

Download
memory/4280-157-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/4344-151-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/4376-135-0x00007FF8B1C40000-0x00007FF8B1CAB000-memory.dmp

Filesize
428KB

Download
memory/4388-149-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/4396-133-0x00007FF8B1C40000-0x00007FF8B1CAB000-memory.dmp

Filesize
428KB

Download
memory/4600-143-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download
memory/4680-120-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4680-117-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/4680-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4680-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/5024-141-0x00007FF8B21E0000-0x00007FF8B224B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads