gozi_rm3 | 51cf2c22cc0652dd7bf86ac8ce3345e474d6dda1933a7f8c4e51abe71a41973d

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51cf2c22cc0652dd7bf86ac8ce3345e474d6dda1933a7f8c4e51abe71a41973d.exe
Size

880KB
MD5

9f478e035aa7141ce9d2810222b45d57
SHA1

45d2fc0078ea8eee4d6008681605ce4ccdf0abb1
SHA256

51cf2c22cc0652dd7bf86ac8ce3345e474d6dda1933a7f8c4e51abe71a41973d
SHA512

757dc91f2a34fe0ca65c4b97558d0fd397403cad919a73bd9c48cd0791a7a68290838283e9f11ea096af09b794d4a9b1a23bc4876275df5bc1ee80080f697058

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26B2A876-11F9-11EC-A248-CEA12FD0BED8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60104d1706a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20650f2c06a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000b8e17a09115fa4c1a758ca0cc46ab39cdeee28f42b4b51522350537ac77f4ab8000000000e8000000002000020000000a72d4ed70ebc9acc26be1797ebbcffdea2f5c629d7f990b32129c84d8fac30082000000065fc9863d8cfadbfd77bf4322308d3c97cc46e6da1957d2b5e717fcfbcbd72dc4000000093545945f983cdd718d9c2868f79fa6fd399f56778abec91c5d1cb94dbfbf454b56c5d32290e8b193507e6b9f1ee47e29d99c49c62ec42204ae156cec99edcc5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62608852-11F9-11EC-A248-CEA12FD0BED8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000553b6003b070fc28a559f1ffc4074b942cd3a7a6892387efca6096680d6daca3000000000e8000000002000020000000f8b6ba10854f1e8f0c2d46d4c2978fa19896f8614103ac704911a197745337d3200000000214370ab7aed9a1e4b49c101cfc4c3a3852e0de9184766086b16dcfcde0237140000000796c3319e7b4153aa77b23de8faae0fbb97dce72ec31bf940c3995095fa66bd011479c9e7d8c5519675d60e134529adba773c543b7c2a34af2f7e8b65f380b36	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5489A07E-11F9-11EC-A248-CEA12FD0BED8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000f795a573bbdf3af85871c92141e2b9edd5a7226e166942543c986e10cb443e1e000000000e80000000020000200000005bef140592b5dbcce99fbcbc6062ab427d5be4d711465720e6116ccb5703c39920000000040130f9b72589881753d08245ac6f753d3b45b66b289ae0143f3d86454982c54000000036edfcc80a6f7d472f6c31ac279775bc650772885e9853607ef5af5705e26a817b895946ac990c650cd61dafeee44feb6d14aa3d34c99e6d2958acbc3ed258ab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f074381e06a6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39C31647-11F9-11EC-A248-CEA12FD0BED8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cca8fb05a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40AE8E3D-11F9-11EC-A248-CEA12FD0BED8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000004e730a16def50bd0efc72baae938ac41d61cffffb0d783430afed4bfb7538232000000000e800000000200002000000034e8abb861cc5cba535c4c24c3955075c9f37976d04d1196b7598a831213f73e20000000b575b01024909b07a10e8740b50e487b5d2cf036a1470f86517c5b43dd80da3f400000003041cc93cedc4697f15a84ca1d477fa1d716ca95e0383046d164ad5320e9d0a10bf628e674a9f5af632ad0d6647811700025d0251743e8d0189134864f6c7531	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000cd6aca563339e04b573bfc87f1ca9bbe9b9dfefe09c26c2e249b9989cc305a0a000000000e800000000200002000000041d095ad5c7e962fd311b8a1aa4db103dac136e7a9b957680984a68dc395901920000000a2de9238c5ee9f3c0e963487425de73b4267fcf9f4fd4b6f360e7cff3070cfe64000000042732dd5d76b4f19789da5900bb92cafa5eb2423a467ea2415a36c0c5e72783473e13690bd595dcd3e3213bb835e05fbf268e8eaa16de2270607173a019d5927	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2784	iexplore.exe
1192	iexplore.exe
4052	iexplore.exe
368	iexplore.exe
1436	iexplore.exe
764	iexplore.exe
1880	iexplore.exe
2156	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2784	iexplore.exe
2784	iexplore.exe
3768	IEXPLORE.EXE
3768	IEXPLORE.EXE
1192	iexplore.exe
1192	iexplore.exe
3108	IEXPLORE.EXE
3108	IEXPLORE.EXE
4052	iexplore.exe
4052	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
368	iexplore.exe
368	iexplore.exe
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
1436	iexplore.exe
1436	iexplore.exe
3376	IEXPLORE.EXE
3376	IEXPLORE.EXE
764	iexplore.exe
764	iexplore.exe
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
1880	iexplore.exe
1880	iexplore.exe
3268	IEXPLORE.EXE
3268	IEXPLORE.EXE
2156	iexplore.exe
2156	iexplore.exe
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3768	2784	iexplore.exe	82
PID 2784 wrote to memory of 3768	2784	iexplore.exe	82
PID 2784 wrote to memory of 3768	2784	iexplore.exe	82
PID 1192 wrote to memory of 3108	1192	iexplore.exe	84
PID 1192 wrote to memory of 3108	1192	iexplore.exe	84
PID 1192 wrote to memory of 3108	1192	iexplore.exe	84
PID 4052 wrote to memory of 1940	4052	iexplore.exe	86
PID 4052 wrote to memory of 1940	4052	iexplore.exe	86
PID 4052 wrote to memory of 1940	4052	iexplore.exe	86
PID 368 wrote to memory of 4048	368	iexplore.exe	88
PID 368 wrote to memory of 4048	368	iexplore.exe	88
PID 368 wrote to memory of 4048	368	iexplore.exe	88
PID 1436 wrote to memory of 3376	1436	iexplore.exe	90
PID 1436 wrote to memory of 3376	1436	iexplore.exe	90
PID 1436 wrote to memory of 3376	1436	iexplore.exe	90
PID 764 wrote to memory of 2288	764	iexplore.exe	92
PID 764 wrote to memory of 2288	764	iexplore.exe	92
PID 764 wrote to memory of 2288	764	iexplore.exe	92
PID 1880 wrote to memory of 3268	1880	iexplore.exe	94
PID 1880 wrote to memory of 3268	1880	iexplore.exe	94
PID 1880 wrote to memory of 3268	1880	iexplore.exe	94
PID 2156 wrote to memory of 3704	2156	iexplore.exe	96
PID 2156 wrote to memory of 3704	2156	iexplore.exe	96
PID 2156 wrote to memory of 3704	2156	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\51cf2c22cc0652dd7bf86ac8ce3345e474d6dda1933a7f8c4e51abe71a41973d.exe
"C:\Users\Admin\AppData\Local\Temp\51cf2c22cc0652dd7bf86ac8ce3345e474d6dda1933a7f8c4e51abe71a41973d.exe"
1⤵
PID:3936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4052 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-127-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download
memory/764-131-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download
memory/1192-123-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download
memory/1436-129-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download
memory/1880-133-0x00007FF9AE180000-0x00007FF9AE1EB000-memory.dmp

Filesize
428KB

Download
memory/2156-135-0x00007FF9AE180000-0x00007FF9AE1EB000-memory.dmp

Filesize
428KB

Download
memory/2784-121-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download
memory/3936-120-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3936-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3936-117-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3936-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/4052-125-0x00007FF9AE110000-0x00007FF9AE17B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads