gozi_rm3 | 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec

Target

drfone.exe
Size

198KB
MD5

545f38fbb74881142712052a5b6eabce
SHA1

4cbaf1ecb48629b163f4387605c8a9011e89183c
SHA256

7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
SHA512

d58a0dd4dfce60fce85e7fbee653828dfcd6e0ff093ea3b92e5588bd8ca05bc5502e4f71145b7fa13645034db122c5ceb5c8b579d5525ceb4ec30ee161fd3673

Score

10^/10

gozi_rm3 201193204 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300932
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

201193204

https://hapynewyear.xyz

Attributes

build
300932
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "876063991"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D672360-3DEB-11EC-AF2E-4AC12AF62747} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e47237f8d1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000004734f8eb2c4c319ea9599fdd307dc7254046581c135b60e00f7419e2ed85feab000000000e8000000002000020000000625afa7d283bf21a55cf3bba5cdaa5ec0e39593a3398f05d65441e8e81faddd4200000005ff287b60f2176a40b2ba67d2f2917161dc21def7f71965c415fa8310479c5314000000042286ec320a4360001fa27a67f4c0f2bce2ce1e0c3bb520964d34d7f1feb94ed47a329ac3cd8a2db261130f40d2b71ae3a48aedc37da4b8955fb7066ea543aaa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8AF1AFD1-3DEB-11EC-AF2E-4AC12AF62747} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000009e3da4f4a7f3c436d0bc533b4094f94d75d7ab72b9177a0e660d0013d72157e3000000000e8000000002000020000000b02aeda24a0ae387f33c4de26cd8ebe80d7dbe780c73cc00c3e46766adf0d121200000007b3699ff4fd9bf62aefc2ea133496127764c31d1c857ad36fde7ad39a5c9367c40000000bc1a22dad094b50dd1986ddbed2df67cf8e9f461d43dc84a05bac4fc9ca9a7d966ca41dbb7f87ccd16dd9f9c17646f401b0ad2e752e1a4f14f6071dc3561c90f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "876063991"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20688837f8d1d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90783e47f8d1d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000c6094ca19f77a75577e87f96e9841c5d93e1b317fbf9bb512ceb03273d4bbbde000000000e800000000200002000000042597d02d9e35cf3e0a14b080eac65ffb5fa83c6729dc17f5d39b9f5e62da68f200000007b87c7b59ee0c6db6df988d941b1b76d6c555e55eeeba4c0042d7154bffa65054000000055a37c06ed443987ab23322b5d0062440e9b521a25d6d09f57d29a6cca939b68166bdcbb92594d07accdbacf53a570b4308f12f2d1e37ee1f3d7077f0c5fdf7b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000020b8918841c4870ab0c5867212dafa14f770af5a8dc368129d5bba1674ec00b7000000000e8000000002000020000000988eeecf3df5a07d87ff0e65d56c2b5fc21506c66d146e291ceabfe5b3abc1f520000000cf2de01cc7d966574756ec2487bdc0a4893f9e0b6d71211b0457dedc05a9863f40000000c976e4546531d33ddba79407d0bdb0bf0462d3b321ab08fcb686f100e99af096cc0a2316263d5a6dae5eba927618608b01aa6879d9737f12387c31436043a891	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000004d191b3c9b8333c4792e73693e3e961b50c2b9f2a17f4df3cabd97893a37842b000000000e8000000002000020000000d2da2f3afc112268db588d4b6a09bf02c17336d73ca49365113a9a41af3dbc2320000000c5df4a107898a125e057742175d93258ad405327172b2b55fb81291805c59e2e4000000071f0840f7a6360cdfb5c8fc9287fd674543533de314b65a3835bd200f88df33aaae01e6813d83685b2d339f9bbd51194eb977787c47309f2a71190ce6e80cd9e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0148b64f8d1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30921208"	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

4388 iexplore.exe
3384 iexplore.exe
2636 iexplore.exe
1964 iexplore.exe
2264 iexplore.exe
2756 iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4388	iexplore.exe
4388	iexplore.exe
4108	IEXPLORE.EXE
4108	IEXPLORE.EXE
3384	iexplore.exe
3384	iexplore.exe
5012	IEXPLORE.EXE
5012	IEXPLORE.EXE
2636	iexplore.exe
2636	iexplore.exe
3636	IEXPLORE.EXE
3636	IEXPLORE.EXE
1964	iexplore.exe
1964	iexplore.exe
3540	IEXPLORE.EXE
3540	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
400	IEXPLORE.EXE
400	IEXPLORE.EXE
2756	iexplore.exe
2756	iexplore.exe
648	IEXPLORE.EXE
648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4388 wrote to memory of 4108	4388	iexplore.exe	IEXPLORE.EXE
PID 4388 wrote to memory of 4108	4388	iexplore.exe	IEXPLORE.EXE
PID 4388 wrote to memory of 4108	4388	iexplore.exe	IEXPLORE.EXE
PID 3384 wrote to memory of 5012	3384	iexplore.exe	IEXPLORE.EXE
PID 3384 wrote to memory of 5012	3384	iexplore.exe	IEXPLORE.EXE
PID 3384 wrote to memory of 5012	3384	iexplore.exe	IEXPLORE.EXE
PID 2636 wrote to memory of 3636	2636	iexplore.exe	IEXPLORE.EXE
PID 2636 wrote to memory of 3636	2636	iexplore.exe	IEXPLORE.EXE
PID 2636 wrote to memory of 3636	2636	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 3540	1964	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 3540	1964	iexplore.exe	IEXPLORE.EXE
PID 1964 wrote to memory of 3540	1964	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 400	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 400	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 400	2264	iexplore.exe	IEXPLORE.EXE
PID 2756 wrote to memory of 648	2756	iexplore.exe	IEXPLORE.EXE
PID 2756 wrote to memory of 648	2756	iexplore.exe	IEXPLORE.EXE
PID 2756 wrote to memory of 648	2756	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\drfone.exe
"C:\Users\Admin\AppData\Local\Temp\drfone.exe"
1⤵
PID:2220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4388 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3384 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-401-0x0000000000000000-mapping.dmp

Download
memory/648-462-0x0000000000000000-mapping.dmp

Download
memory/2220-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-118-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/2220-115-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/3540-340-0x0000000000000000-mapping.dmp

Download
memory/3636-279-0x0000000000000000-mapping.dmp

Download
memory/4108-145-0x0000000000000000-mapping.dmp

Download
memory/4388-146-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-154-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-128-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-129-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-130-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-132-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-133-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-134-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-136-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-137-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-139-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-140-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-141-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-142-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-143-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-126-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-125-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-147-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-149-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-150-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-152-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-127-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-155-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-156-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-160-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-161-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-162-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-163-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-164-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-165-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-166-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-167-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-168-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-169-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-173-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-181-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-120-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-124-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-122-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/4388-121-0x00007FFB851E0000-0x00007FFB8524B000-memory.dmp

Filesize
428KB

Download
memory/5012-218-0x0000000000000000-mapping.dmp

Download