gozi_rm3 | 2f206f6c5b458da0a0ed4057780d8c90c00cd0f8e31846ab626d55331e81b614

Analysis

max time kernel
4294676s
max time network
655s
platform
windows7_x64
resource
win7-20220311-en
submitted
07-04-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

request.docm
Size

526KB
MD5

2f66e607c3dc705034713fa5ae67bb9d
SHA1

2fc6a71d0b3298e59852b57f27b2b24bfbc25d32
SHA256

2f206f6c5b458da0a0ed4057780d8c90c00cd0f8e31846ab626d55331e81b614
SHA512

8189dec15803be9ec0aa56db832450177dcbad48477096280b6c1b961a56aadcf127ef335f31daaf25b1c6b54869d76ffb46772acd9fce59caaf342a7b6ec7f4

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.base64

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1004	308	rundll32.exe	21

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2708	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2704	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
892	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000080f14fb00e4d25323f2c90831eb38b69e85f1e2903ae3354436946f137e8595000000000e80000000020000200000003cc969038b66ea5dce40bc41bfacc88209408500d3b52f6639b9bbd3d3e21f1c30010000352996cf1018bcf53b1700a22979aaa5227091a98e465a6adf08961f0f875fff2a45793cf59a3df6ba8963b0e405b39fadd0775559cf17b1e8615740b3d14c4fc270f3d35a87bc2eea8401ac7711d8c8f072edeaadf62c28c4f4000afbbbf4b0226951fe67314e34509294d93dfa907ebb01437bd7ef2c8b1dad03bf2e5791ae8d61120c2360c04188224514951c14a3b292a2450ba4569d1e26773e1c0beda71dac3be832932b93b8a4417c6bdeba9ae618ae875c7ce5adc8993e93a761f9e946c9ebcb2d80734b7ef554741586f6d6c7e614dc036a39a87a35dcefdc6264f4b6a3ceffc287ac3616c774bc32329302671fa56da096b41edebc1fe54b01a2e1dbff77a0c43cc4dee38b2c139c8d8125f1d7b398af00a9a61245b0ee143c720a2431f6cad38c2043deeb419910cc051e40000000539cc55a4565a26e85cabdb620e63d66d7bc04882ae6833711df27a2917d31193e4e68db559e102930d01f82979f96f61924a408bb0f17d383c2677168281ad1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000b0a96c5cb45d7b6e148981769cd9b4f3c0446e7eeb5f95a44a0e88e4719dd5df000000000e8000000002000020000000bd9b3bd24eb39fb87ee4e876bb5a54b1d277e795e98fd22c8e327cd8a8161a79300100004be955f4d324407a116c6c48e5b8c5e4d14a7fdb10e352be4c84b14df38526e20d2fba1ad1d92023fcd7d6c3228174a873846a458aea6e80d1b73591e1cec76b69a9b41019686b85c45e521a21df49cb8f7c816a9b2803e14cc9f3bbb5b86e518e5fb85a1ca3b037c1553db77e98909923a6dc05f1cbbcbde00b8453422c7e1c08d0d869e99169ac5abfdd401f28b39ad947a1c0ae0b9482c0f5ee465606fd5958854320ceb96d4f0ce0d7e59c3e19740d5920015d0e56d61eb93db151d95ae9c19070aade71d604e9e2968c542fab27b315af4181f0ba99e4632a087f52c773c99bc0effde99cf9e84ca56e13e5ac0a40defe841cee1e4638fb1120eef7abf28d4267b9dc40cdc75396ae68b624dd064f2d47a755f62bf400267cd01312775d52b0314134439be00b0abc10e9cb87d04000000069966ef4fd9e627e5b55e13673892c4c365ac01a951e7cc042662c9df8b16ffba0e0a44fd06ca75516b63044ba9f1f6d0a15cb9682a9c61228f11843eeb26a5f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc0000000002000000000010660000000100002000000011249911b80859a0d9bea2fb74addde4a0dbadda6f222cd4b7d4ffd1e575a282000000000e8000000002000020000000624d6be57121a5f52eb4299dbd11255b758556beb1a7da76c53110f33289e25030010000e4b7532f7b1d403ebf7cf88968c68e1c672421cccda8e85ab56c13f9a96a6dd5a1012390751611333a41007f15f0c3800686ed83e24a36b3c379fe18d9d6a544b2894683bba4a345ffc8430039547e8ee21f3672afd1ce065729a0896f2167de51812a6d2d7e44ff4838138ac1dc4e474915488eb43666ff9575a6a96b8ba35af85ded82a5db9ba59a882abdac8e41b960410f4d7238427d9373f91e1fa8376b31fa915682324ddbecb43d8887a22f398277d07f5416cbc425153f0563f531761581be3a9806bcb7d43fd51503d61a1db7003194a175374be491b4702ad9b47691035caec1a01960b77a92694ed531b6436cbf5882a7b82b22d38d496040da1933f9804f2290505f4c0a0f26fbb775b2e11a80f4c1f251ecd759f25d97faa97d6fe14092fa712c6166b09cbd09a33a6f40000000f340c3224923704738b9582278d91c33ab7409858cf5465f1a0d74561542b5f93f3bf75755a0b64952e0bcf9ce705368a6ed0c6cd432d8708725e3208292f0f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000f92cdcfa0a8d3ed3698c98fdd6ce181a8b1acd3353377a57c892b30683d1b999000000000e800000000200002000000054744670bcda5a049e214caabdecbf3fdf5584cbaffb96acba1a226d9120048b2000000077e4fd0d619077c55a9ab8bd9f94948a8c1166c8cf75c2ae2de19462ab935ab940000000f8b01928ece63631da811f2ded67a28247565e4254e7231cfc0cb153fd269d169f4a34684d57dd0b3c081815386462f1db5c4ebf5f29c4362cf405798cc2f348	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000e50e00be16254d1bc1fd08203e7228ca580e233448bedcef137262ce4481f81c000000000e80000000020000200000007ca6ed2bbe9fa0edcb8f6bc6c94cca49841ccb3bb91d37a7c536a59ff881a121300100003b179e618efc6eba39c4b8dcb8c78ec0bdc79a21b9d917abde4744e4d9acbc62aa0e1cf60328a4252eab23b6cb292e7a93c36850cd8d7deb0c9ba59e8130cdd8bb583ad401c9c815e1aec54f2e361a7ded01ac117d80234868f55d561306925f6601f70d6801d5a8b5250559043e9c0879fea2f5dce763f11579206eff36eb2ab962ff73723dc8d15465deb02aee2b883c9e90a253357a55621a818dd8c2a83380127a53c1f418fa8c8cfacef3b2fef9b6157b98cf7f38f41cdd34e4a656fdf2df4d073148c08bd404bbaf406aaf6d6b14026f41ed5acfd3f509e257a5f76f18790e8949aecae35fb66f020f8f5a0a3b4aab66f20b03856cb51424528ce89c2b572d5b5b58d7d301d2b1334a66ca099ecc6dd421985e56780ad1391d75c5ac51dba679b8f5afbf7004f592f4925d4f5c40000000ec9ef36ec43c48ce5206eebd3958ec79d792e0de564b09d266e78cc49e6adadd23d910a8924e61047e2d60b66273676e6efe95995cc6d81b59449d17cee193dd	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9009c4ca944ad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000939226b750ef5cd2f3abdfffe6bb99bec258ed04b3f00d92bf1cd83d7d9f0bc4000000000e8000000002000020000000b1fabe43b707326dbfbc83edeae6b169790f6e21b22d43ecef4e65086c72a141300100008266ffed3a1d8927c3d1c5a686ebbbfb72ead9b401ed3ce15eff5c99cd4931c5bd9403f09681401a3262e7d0563eb2c3da6eb3f5e6e69f1d509515ae45bf276ccc40d3fc27e25df551a52bbda404cc2f161148ec82a450d9d5d0b5c9f072dce0ec8787168026986ec0aeda2972445d4e41959a610b990cb0a154221b65ecac24d526ff0bf591c4695538397c75b5220d2fdb788c6ddae17ee8f690b64243a982b05b982b009ed17f9e75c9915d1ffe94fb8db0565941057e52f25350a224ae0491dd47f659af2ea74876285b443e5a3fb5d06926ea24a807c178a830db0e75f20d464da140ce8fc6619fdc7e330b1560bb63b75ebc3464f754aabe566b1c23ef501ec62e14b63bb1849ee994d6ba3a3463a82162aff3a9f80ea84df28ffcd3497dc22b9b9d46310f6ad6cab7849543b940000000ebc99212af0e552d08e5696a25f906fcd4199b37c05f6e362206bceda1eefb781120c8f140f5ed4d57cf84fad409f92df12accc3785ee5c22bce4226412b7519	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc000000000200000000001066000000010000200000007fd59b8ab492600ff2485aaf03eeaae2a27aea5ce368b225b93441c166dc57ad000000000e800000000200002000000059bb3e9ceead7cb273a05f7be8c523c20a6162eac9fa7a9124fc5cf0f8a6f6db30010000b8a34a316ec11f1231ab0239e0689595f9607b042e32d4086adb710eb5abaa3fa761eb4b1e2ce43cbb3076632b952d34415a2d48d148f1b6898029e705acb259644ed550257bdabb531b4bec6e206d1e0a453e4539aa31c06a289be714e4dab764c450fe7302b125e4697527df9b71d7ccbdf7791bf9ccd65cc269f35bbb279c22126f8bb71fc426c3933ff5cc14d653bf5b271aab67d7b2644f723019863abfe2a59211ae80aef785fef08f9e869d732a056146c1a69de1ee04baf64bf4389d635f23d488e614c249d8e47c17e3dd52806af24b47d57644cea92e8887fe424dfabd2a29a4e7ce6eea0e8b7bba4c5770e50c435cf31e50d89f4839a817f6ebfdf3f3f925104db68f458823c5397d6f37ecca9b1da803b33575d7adaee90cf6940d1426ae47421ce3a382e56903b60d06400000003a3d974e6dcbafbdcac51268b8169c1d4326532cc175c305e8b75607a384c559d918e3cdde0556a581c8874af5eb7185b8a09508c1b0666cb4a739c166367b78	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000962a6a91ecea25e17fcf3d6a9fc7436a0d00d7602ec408a4e368ef79cf37d864000000000e8000000002000020000000bfc5f456ae1c2b1fac542eb50be3dc513b339a23aa424dc2134acc8d7f49c9f99000000004758e82c5171021740f2165b6db64318d1d80f5de7477fe470e080df2ece3f08ae0ddd3c59ad76f9c1e53d549bdc3eca02a0734ee41a7f17cc9b9a06b5cf35f6e9d2759cacbf8a801371f57c898f0dbeb0f90294e078b7af9e7d77dbbe73f48531326d270eb7cf2f73a20bb2f5db675efdbda8c305fdabf0d2625e49e197df1a21134fd4c82d90f58ae50ede35dd50a4000000099af479654a50ee60dc4b215939adcb72e2f16c4601221ee3c8a13971ffee5cdede5d9fd088d502f450f5a4922407186cb1331925df1d7af7091213573353742	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03642141-B688-11EC-97AA-EE9A3EE681AE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
308	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2624	powershell.exe
2692	powershell.exe
2772	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2624	powershell.exe
1004	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2428	whoami.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe
Token: 33	2424	WMIC.exe
Token: 34	2424	WMIC.exe
Token: 35	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
308	WINWORD.EXE
308	WINWORD.EXE
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe
1980	iexplore.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
308	WINWORD.EXE
308	WINWORD.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 540	308	WINWORD.EXE	27
PID 308 wrote to memory of 540	308	WINWORD.EXE	27
PID 308 wrote to memory of 540	308	WINWORD.EXE	27
PID 308 wrote to memory of 540	308	WINWORD.EXE	27
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 308 wrote to memory of 1004	308	WINWORD.EXE	30
PID 1980 wrote to memory of 968	1980	iexplore.exe	37
PID 1980 wrote to memory of 968	1980	iexplore.exe	37
PID 1980 wrote to memory of 968	1980	iexplore.exe	37
PID 1980 wrote to memory of 968	1980	iexplore.exe	37
PID 1980 wrote to memory of 1628	1980	iexplore.exe	39
PID 1980 wrote to memory of 1628	1980	iexplore.exe	39
PID 1980 wrote to memory of 1628	1980	iexplore.exe	39
PID 1980 wrote to memory of 1628	1980	iexplore.exe	39
PID 2560 wrote to memory of 2584	2560	cmd.exe	44
PID 2560 wrote to memory of 2584	2560	cmd.exe	44
PID 2560 wrote to memory of 2584	2560	cmd.exe	44
PID 2584 wrote to memory of 2612	2584	forfiles.exe	46
PID 2584 wrote to memory of 2612	2584	forfiles.exe	46
PID 2584 wrote to memory of 2612	2584	forfiles.exe	46
PID 2612 wrote to memory of 2624	2612	cmd.exe	47
PID 2612 wrote to memory of 2624	2612	cmd.exe	47
PID 2612 wrote to memory of 2624	2612	cmd.exe	47
PID 2624 wrote to memory of 2692	2624	powershell.exe	48
PID 2624 wrote to memory of 2692	2624	powershell.exe	48
PID 2624 wrote to memory of 2692	2624	powershell.exe	48
PID 2624 wrote to memory of 2772	2624	powershell.exe	49
PID 2624 wrote to memory of 2772	2624	powershell.exe	49
PID 2624 wrote to memory of 2772	2624	powershell.exe	49
PID 2624 wrote to memory of 2844	2624	powershell.exe	50
PID 2624 wrote to memory of 2844	2624	powershell.exe	50
PID 2624 wrote to memory of 2844	2624	powershell.exe	50
PID 2844 wrote to memory of 2864	2844	csc.exe	51
PID 2844 wrote to memory of 2864	2844	csc.exe	51
PID 2844 wrote to memory of 2864	2844	csc.exe	51
PID 2624 wrote to memory of 2892	2624	powershell.exe	52
PID 2624 wrote to memory of 2892	2624	powershell.exe	52
PID 2624 wrote to memory of 2892	2624	powershell.exe	52
PID 2892 wrote to memory of 2912	2892	csc.exe	53
PID 2892 wrote to memory of 2912	2892	csc.exe	53
PID 2892 wrote to memory of 2912	2892	csc.exe	53
PID 2624 wrote to memory of 1416	2624	powershell.exe	12
PID 1004 wrote to memory of 1416	1004	rundll32.exe	12
PID 2052 wrote to memory of 1964	2052	iexpress.exe	56
PID 2052 wrote to memory of 1964	2052	iexpress.exe	56
PID 2052 wrote to memory of 1964	2052	iexpress.exe	56
PID 2532 wrote to memory of 892	2532	cmd.exe	60
PID 2532 wrote to memory of 892	2532	cmd.exe	60
PID 2532 wrote to memory of 892	2532	cmd.exe	60
PID 2184 wrote to memory of 2708	2184	cmd.exe	67
PID 2184 wrote to memory of 2708	2184	cmd.exe	67
PID 2184 wrote to memory of 2708	2184	cmd.exe	67
PID 2352 wrote to memory of 2408	2352	cmd.exe	72
PID 2352 wrote to memory of 2408	2352	cmd.exe	72
PID 2352 wrote to memory of 2408	2352	cmd.exe	72
PID 2872 wrote to memory of 2428	2872	cmd.exe	77
PID 2872 wrote to memory of 2428	2872	cmd.exe	77
PID 2872 wrote to memory of 2428	2872	cmd.exe	77
PID 2552 wrote to memory of 2892	2552	cmd.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\request.docm"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll",DllRegisterServer
    3⤵
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA== & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBlAGMAdQByAGkAdAB5AGMAYQBjAGgAZQAnACkALgBMAA==
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQA7AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQAnAA==
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGQAZgBvAG0AaABlAGwAcwBvAGgAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGYAbwBtAGgAZQBsAHMAbwBoACkAJwA=
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqd_3ltd.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE7B.tmp"
        7⤵
        
        PID:2864
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjz6tuqf.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF18.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFF17.tmp"
        7⤵
        
        PID:2912
- C:\Windows\syswow64\svchost.exe
  C:\Windows\syswow64\svchost.exe
  2⤵
  PID:1148
- C:\Windows\system32\iexpress.exe
  iexpress.exe /n /q /m C:\Users\Admin\AppData\Local\Temp\1094.bin
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\makecab.exe
    C:\Windows\system32\makecab.exe /f "C:\Users\Admin\~Desclass.DDF"
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:892
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 1" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  cmd /C "net view" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:2708
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 2" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 3" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:1256
- C:\Windows\system32\cmd.exe
  cmd /C "whoami /all" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 4" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:1472
- C:\Windows\system32\cmd.exe
  cmd /C "net localgroup administrators" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\net.exe
    net localgroup administrators
    3⤵
    PID:2892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2644
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 5" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2900
- - C:\Windows\system32\net.exe
    net group "domain computers" /domain
    3⤵
    PID:2580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group "domain computers" /domain
      4⤵
      PID:2168
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 6" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:3056
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 7" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2460
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 8" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:1116
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- 9" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more" >> C:\Users\Admin\AppData\Local\Temp\FEA0.bin0
  2⤵
  PID:1096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\FEA0.bin0 > C:\Users\Admin\AppData\Local\Temp\FEA0.bin & del C:\Users\Admin\AppData\Local\Temp\FEA0.bin0"
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  cmd /C "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\1754.bin0
  2⤵
  PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:734213 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a3c023253b5a69c7c5b0132392fcff44

SHA1
9e2460f738e4ba93d529d9f569151d0d35e83d1b

SHA256
1ba7a674c3dff2af28ebfb77c820a27516d6ae5c4790bce012d8c901c98fda6e

SHA512
54aab5f24c5d2be61a626184cab0143d4c11390e9f88e1aa1bb94eb8f64d618e9cbcf28956e9ce3fae9750004db5f6204720258810bc1e5d478fe504e3c6c8a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbba2ac5dce87a73a615f8f7f32a7f11

SHA1
fd24ba2bd4be06da6bb753e841f7a351dcbf3e34

SHA256
dffdfa40732de1769e69a8077d7d273ac8763b940f34dba3afba76ff411d48c4

SHA512
139b91487894d5569db44607bf86829efcb3e6977368322a3a0febf0227dc7351b237ee1f8426d066ac5b2d7182ee0df6d4b4f00c594709e2fafe59418c5d5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\shpg9mq\imagestore.dat

Filesize
430B

MD5
d70dd001a2319055bf80bb3f6cf21afe

SHA1
69f7a6acd3fd6ba33b9cbbfed0daa3dc426a9b2f

SHA256
ce6441ef6e933a4977358d7cc903d3341895efda84f7b2be22c500fb7b578d62

SHA512
aeb44a12b4514f6d3eb60c431850d110c27eb29e4f0897e9af8ab82d044b712ff9aad250a28442d510f7aa9be75ce501af2a5a10154b4520f388b7bc0faa2c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VWB6EIWR\favicon[2].ico

Filesize
318B

MD5
a976d227e5d1dcf62f5f7e623211dd1b

SHA1
a2a9dc1abdd3d888484678663928cb024c359ee6

SHA256
66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

SHA512
6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
9e6c398a4502cd6779dc1d62dd05af27

SHA1
6e4d87531129571a0d1899ae8599ae800dbb6b1d

SHA256
0ed61e20d11e91b971f2c88efd30ce8014add0d3ce0eb259bfeccaf61ab67d34

SHA512
88fc1413a3fe876a0dd9528dbadd7e7fbdcb931e54870b5dde23189da03972c59eea4ddac35548fce0f4799ef7e670ebca0928fb968a74ff75cace521878eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
10be6c0e8eabab3ea4f5b58a2672454a

SHA1
d727596f668ce3658fa78d205a898ab348550c8d

SHA256
f30026d6703967301e89b26c9d0f81bf8f2792ce72e8047ddd7231bf6e814c60

SHA512
b68cfe890e03436f5e61ac43085c18921e9469f3c13b3538e01dc51e135a3b33eb9a73e9353ffd203c8ae0215636df66cdce263a388d5e42fb98b276b0e9a200

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
146f3080e18e6b08e8c366794584bb16

SHA1
a65ad520a7170f69cae1483e83429e459bb32c33

SHA256
03a841903ed5e38739dfcb852b801754dae1811dc9efc140fddbfec5537a549b

SHA512
f8b5582515f62273d3304b50c01ed2edc28f185f46d001eee91e6c36879411fc9253cff88cc24e482f6da5eb396bb97b41a3982ad5f7e18f9a23840713ec07f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
d53c0828d5cac7cb105d19eeb44ac9bf

SHA1
80b39fb07590fa14ad72e83a638d507a455bda97

SHA256
8ddddd421194a691034f0e22838e35b4d8248940b112a6e9bbddb2b448a98555

SHA512
6a8d56290525d80baf9f2ce0c0f91a37e33dec0b810e8bef8d8d1b97afd366188da676ada08beb946c4c949a59400ba0a1ae0c983b6c096dcba9b5ae0e7a263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
d53c0828d5cac7cb105d19eeb44ac9bf

SHA1
80b39fb07590fa14ad72e83a638d507a455bda97

SHA256
8ddddd421194a691034f0e22838e35b4d8248940b112a6e9bbddb2b448a98555

SHA512
6a8d56290525d80baf9f2ce0c0f91a37e33dec0b810e8bef8d8d1b97afd366188da676ada08beb946c4c949a59400ba0a1ae0c983b6c096dcba9b5ae0e7a263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
84cecb70592f1b83c8d43a8fec0b04df

SHA1
367e91e913a5cb80a7df063b948b9ef77e8caaaf

SHA256
49c483311ebddf778328b8d7c64fc4c92e6c25fd3679117c52f4a918a2beb9f4

SHA512
3225d415b8c39c666e19045dc2b19197b6256174af9b8c480688111f3251ab8e8e063e6068d03b749bb3c326d944ce94bdf7209667c3984caa93a5ef6462e6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
84cecb70592f1b83c8d43a8fec0b04df

SHA1
367e91e913a5cb80a7df063b948b9ef77e8caaaf

SHA256
49c483311ebddf778328b8d7c64fc4c92e6c25fd3679117c52f4a918a2beb9f4

SHA512
3225d415b8c39c666e19045dc2b19197b6256174af9b8c480688111f3251ab8e8e063e6068d03b749bb3c326d944ce94bdf7209667c3984caa93a5ef6462e6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
20ae79e4a299aa710a817bdb3ce21bb2

SHA1
241d9e3b63d8b470204437b582ab2f73d435ac60

SHA256
67dab4d7070426cfa9f784504e55c4fe95e8821d565dc4a43862c5c6eaa657f9

SHA512
3252caa408fc2be2c0e96b65da37f237f4faaf63e0dc7c95575a3887b5210882a3c25fa66e0b6098e832cb7342ae2579642a0fe2e73ff70d35102944a3d7bb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
20ae79e4a299aa710a817bdb3ce21bb2

SHA1
241d9e3b63d8b470204437b582ab2f73d435ac60

SHA256
67dab4d7070426cfa9f784504e55c4fe95e8821d565dc4a43862c5c6eaa657f9

SHA512
3252caa408fc2be2c0e96b65da37f237f4faaf63e0dc7c95575a3887b5210882a3c25fa66e0b6098e832cb7342ae2579642a0fe2e73ff70d35102944a3d7bb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
0d5d671cf969316bdcdd1eb829d0f0a9

SHA1
643e01cc8bacdb3933918eb46e0e63bc15c9a270

SHA256
132f3ca9c60b90d417b1e877d5c7ecbde977d9bbc055e169646400a10e1d87ca

SHA512
f5319ea7e9f24b9608563ed8fe8faf1e6c4e585148d9f6f5d700e5008662ec5eca58a0f26f6c275e97617e60c98d6449b9f80045e394df3693ceef8da5862f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
6KB

MD5
2d6d7b57702adaa406e32c3698526c45

SHA1
6dc026076b34fdac62049fb7270b5ebf130f16cf

SHA256
131d24ba72fa871ab2e01deee9f5db43f6ff957d1bbf9381ce8261cbb6e9fce1

SHA512
51a7a8fbcd9dc8e079944fe51a4182f23fdf6cbc7812811357c764882d79f3caee67cdb14cc421be66ec31ddd2756a56ccc982039d3c9271e9ccc75d8ca78879

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
9KB

MD5
14cd4b9d0e4c45fcf306200f25a30629

SHA1
bb95e1cf602bacb054d92fa863f1e41940b928d5

SHA256
f607d5cae84cb2a3ddc9964425fa3a7ae0210739842be4b50394f1f977799dc0

SHA512
8634a5bfce6901448ccb9a1a5b7b3b78c9c937b00eb6fd9c8248e49152e5cd0dfcda3087ce217e452a98071c4bc18c4cf773d3e77d9e7073711c5240af8041a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
9KB

MD5
14cd4b9d0e4c45fcf306200f25a30629

SHA1
bb95e1cf602bacb054d92fa863f1e41940b928d5

SHA256
f607d5cae84cb2a3ddc9964425fa3a7ae0210739842be4b50394f1f977799dc0

SHA512
8634a5bfce6901448ccb9a1a5b7b3b78c9c937b00eb6fd9c8248e49152e5cd0dfcda3087ce217e452a98071c4bc18c4cf773d3e77d9e7073711c5240af8041a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
26KB

MD5
3a9eb69665dcae35ff4dc993a52ed032

SHA1
18be454e10975dacf597ea2929d81fb713b878f8

SHA256
fd3527c95aa3df43f6d7c5167ac80db9a32c6f9a7f9bdd1d8e3f80e692accf14

SHA512
a1b9bb7e2b6fd2bff1cfde4a09a5b34f8360882b39504bc4477020d770e53c1ab6057f9d300681c8e0a9e298d791659b391fcfaa224bdbf738ba00f4d7f7926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
26KB

MD5
3a9eb69665dcae35ff4dc993a52ed032

SHA1
18be454e10975dacf597ea2929d81fb713b878f8

SHA256
fd3527c95aa3df43f6d7c5167ac80db9a32c6f9a7f9bdd1d8e3f80e692accf14

SHA512
a1b9bb7e2b6fd2bff1cfde4a09a5b34f8360882b39504bc4477020d770e53c1ab6057f9d300681c8e0a9e298d791659b391fcfaa224bdbf738ba00f4d7f7926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
57KB

MD5
a21606c846cde6ac8b7fe90177d38dad

SHA1
1b1ebb7ca26853073c36127e876f6e51e5e2ab99

SHA256
4a01b83a53ad45f385af52b2c551a8947f5097f55584215cab38f4f995f0d9d4

SHA512
7759a44076a9bb9d64f6a9bce73cb35dc2343f1b041d4ea7e88cf0d9e91f61b120f1342ec6d098aa256735d418cb34df4e539f2a0c61d80f172ae8bc964cced6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEA0.bin0

Filesize
2KB

MD5
9e6c398a4502cd6779dc1d62dd05af27

SHA1
6e4d87531129571a0d1899ae8599ae800dbb6b1d

SHA256
0ed61e20d11e91b971f2c88efd30ce8014add0d3ce0eb259bfeccaf61ab67d34

SHA512
88fc1413a3fe876a0dd9528dbadd7e7fbdcb931e54870b5dde23189da03972c59eea4ddac35548fce0f4799ef7e670ebca0928fb968a74ff75cace521878eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE8B.tmp

Filesize
1KB

MD5
881a6a201ccd753f50e3a415864a5d5c

SHA1
1bc269a6ede6059665fb4d0432e5057b0742624a

SHA256
facd376c69875eb39ae90022a93d501ed7c81b475263c5da29977ed9fd8542ad

SHA512
99ed6981bd166daafce16c572e3a25b94ed02eff64290aea6348abdf03991374d51bbff14a68a6ce6fc057c1ff7b8594c7885c2226e6fef1a581e909ecb0aaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFF18.tmp

Filesize
1KB

MD5
e1355869932c462dd0b57bc869ee3e66

SHA1
a900a141df788f0512d1e46a109fa1c689076c95

SHA256
6e8dcc599607c9f07e322b4cb1d4f92453fa23f70834781ee1603758e18625e4

SHA512
cf7dc097ea5dd784c280552ec577e3482052e34c1afffee0d3d9dc46336e8bb9a956df6cb98bfb23f63726d76450355556c67f5c146181668941ea84b922b7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjz6tuqf.dll

Filesize
3KB

MD5
b012cf7ff077c58e3e19d54b96f70dd4

SHA1
de0f86ba0576dfcb48bae3f1859446da4c40f056

SHA256
a37d311ff9c575e90958bae7f01ff86aa2b653a1a4ad360c1a75a084024a9d4d

SHA512
b70eede7e7b2cd9d8b2c82cf0ca7ce0f6000cbf967d5752a2aac95f1ff1a5a9dadffeb28e088bcc44b0b88caefb2223cba55dd55b0c5ac939a14e7d3ac30b3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjz6tuqf.pdb

Filesize
7KB

MD5
d4b576341bba3b0a77161f91b8ac3f0d

SHA1
91cf3699312faf19dc65f048af5c26b9c4b037f0

SHA256
bf55e45e96c9dc4f9472e01755961e36a535a24d2b131820b9b38b8e9d5e6500

SHA512
7ca0738b1c2e36ced97caff76fbecc8591bd2271dd50d3e422bde0aadcfaef84c984386cbf9aac680aabf742f2432ed0f7cfc19ac0421bd2ec30ad865107f4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqd_3ltd.dll

Filesize
3KB

MD5
924995df7ef2c4ad04cd0fb0faac4f12

SHA1
a4d46b80f0eea0c9a6fd14eba81de28577f9c353

SHA256
c4dabd23d2e9d6425e02b1b752de72c7a47281f387bbff920cff6866f12fe43f

SHA512
e4e2f723bf128eadd2428f7c869e0f057dc63b181c97b20e7fe2b64e7fbbeff2701f445fa8c6471140ea8d2affc82b2a4b34727e50e3ed82fdd47bbc4f1a9ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqd_3ltd.pdb

Filesize
7KB

MD5
9fc733788eedd18b3302866aae955b93

SHA1
14f820faed10cb2c0185af72b09d78ff7fe51d36

SHA256
ad7b75fc40c6e8b63df6207b4438d8a0072916d91017aecbdcac5b76c93bd515

SHA512
41be69ddc6b2e6cd106ebacb63bf5544a9cfd9ba7999fb5f7fe52f81746f35e2380ec8423f3d19bde4c22775b8cb65b06ae62e49cbf8d890e1954b654ca05b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7df99fa8d80812c0316d754f10e79b20

SHA1
9b5cca706d898979f1cee4019cecc9cba8d7d958

SHA256
f93e0934bc951cfcc41d1baf0d33245724bdd594de38286b7779d8b1a01f980f

SHA512
e8eed144ea4deb0415f0cebd877dcd62fd18edd497982fc53373e66a47f384b5afb0794bd1eea274275fd099d8e73d738e79e9d189f274519946c73b5b3b77e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7df99fa8d80812c0316d754f10e79b20

SHA1
9b5cca706d898979f1cee4019cecc9cba8d7d958

SHA256
f93e0934bc951cfcc41d1baf0d33245724bdd594de38286b7779d8b1a01f980f

SHA512
e8eed144ea4deb0415f0cebd877dcd62fd18edd497982fc53373e66a47f384b5afb0794bd1eea274275fd099d8e73d738e79e9d189f274519946c73b5b3b77e8

Download Submit
C:\Users\Admin\~Desclass.CAB

Filesize
137B

MD5
43c9ca1ff253a3ef2cdbd6fbbfe387fd

SHA1
fbf9c5537d1e9a571cd6fe697dbecf9e2a556ede

SHA256
48a6acce667608b9e0c6debe29d23f881a9488ea34d1d7de20b048914d29ac71

SHA512
eb025e1e6051141d331d85baf34e0b4696152863f55149895c9b4d6b13a68d7c3f3b697aeb5cc7a5304a420b054605449c20c2324e6eef9aded12a5c76384ea8

Download Submit
C:\Users\Admin\~Desclass.DDF

Filesize
770B

MD5
448603179374da0a1ff362091466db84

SHA1
07e1d649ac2d04605766e49474f03833b0bfd747

SHA256
07f6e9c4452fc83bcb45b79f4224c56389afc43a972fa4c2eb76ab72076b2d82

SHA512
e0816c9928fa71a3f3ef5c9bdc83f00661e8e78d6f90e814d3297dca728ab733e2f71efe8baad443cba803a25bc4dc93494d11a9d4c31a6a782abef2180819ef

Download Submit
C:\Users\Admin\~Desclass.RPT

Filesize
283B

MD5
959935e72d1d68511a4c74fa92b87967

SHA1
5a93bfac2f8c11dbd61e0f112b08998733db2689

SHA256
61d0a792454f03e1dab5983d04ac2f7e3ebcff97d7626ae2fe923bbc2416f8fd

SHA512
682fe473e2ad249b6b3f61e7a46200e81de393918d41424ef0bf2054574d41cd79323c44a3e58ddf92e47f426a796484e678db6d3e2daa2a6659c544ec08d71b

Download Submit
C:\Users\Admin\~Desclass_LAYOUT.INF

Filesize
983B

MD5
f765686b20e078c2367fb5bf2f80cc61

SHA1
4c4afcca98b29da5fb2696ecb8464b280e93dd64

SHA256
7fb80804b05c9410a76e9a6c19a5e0ed14a9089d01599e32a8787b2b1eb09c86

SHA512
ab436f6a3fbf5b0b19db6ced9bb2ae299e2d6931d65a0ff86ec60452b323f55ebc67c645741959fbd326c842f1180353aea2ee1dda73f098b884252809591120

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFE7B.tmp

Filesize
652B

MD5
dcaa425d95a085909f1e1b6c247c44e1

SHA1
f791c769a57f5cbcd341c80a3e5f29821d057a04

SHA256
0a23f50a5b2057789421cf4e8247ceee563b419de33be69958c4af0c173eae51

SHA512
c6cfd4f0a581627c97bdbf038449c343509fa2a4698c8268dc2a55657a9cf0820b570d6786d1c285a94ec856b7088e0aa4e25f6f1321d7f045e3b4d1a1d13b7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFF17.tmp

Filesize
652B

MD5
63f0d5e6af4aa04075cf3d72b2576375

SHA1
565d6d681fc1dec1dc299422e825e043bf2d8fa8

SHA256
e39a89d421427e3638a3dc9146c8a01f048b60c8aa1194c6a34eae396f08f0f2

SHA512
5b8a2e82b7425975db72d411cdd1007917c9f3372f0abb25ee8ecb2bed1977c39295a3cc14a2384a743e8bcd0820984ac2ef8203f3f8dc50a3f305d7491fd675

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjz6tuqf.0.cs

Filesize
416B

MD5
e991aa9d35bfffc8f1e0d5dcf4c95ed1

SHA1
02d81b5b8cfd7b25d4fa0dab40d6ce6db3129501

SHA256
2598df56dcfc916eb9ae7b571c67d2feb92740843e36caccf9df705c03145265

SHA512
e0205253f43832674a3ea5dbe376e82fe0a59722ca10bed0184ff8fa298111957437db32aefb725b8c525f62aa8c7bc14922fa665ec9ced0d465d91837da126b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjz6tuqf.cmdline

Filesize
309B

MD5
8c6273f70ae950f3dfeb77038e61dfe9

SHA1
fb73a6e1d4beca072a98013df0c32cad0bfda0d7

SHA256
1557ffc62f87342f8288d7a3dd83a43f1bd370f7f7694ade173273be5bc29d9a

SHA512
3c6a891ede147a45bff72f45326e0b1ce6638b75ea0972d295efcb7ab8715d0dde831548fa27767a3191aa3f32e761f81a2f1f3eb10c1ec6875ac9619cb46fc0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqd_3ltd.0.cs

Filesize
417B

MD5
cdc42ce046de74fa8cb97234640cfcc5

SHA1
8a6aa5bda682fbb11bc974d752408593aec799cc

SHA256
7fca4a3b3889149b375ce11cd1614298a244c05e3dd5fa343be56986aaa675c5

SHA512
c2663ca8817dc7a375c06cfc4adb529ab61b098663a550feba5dabe8b9c6269a5e878419d5198cb463b9c6b4d5acb504587ffd5721eab568068a7e9d45d55d13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqd_3ltd.cmdline

Filesize
309B

MD5
3d7d86c9f893be8ca00cd26bde2f8aaf

SHA1
7114a1ccea2e6bbaa873dd03ec8533de351428aa

SHA256
37346b95485f001231604ac718d33091ab432cd9433e093a94684df3560dc353

SHA512
47d81c04eab6035251795228e39e13d3f56c2fa71fcecdf77772d11f4734f09e6f3623d928ab05c816c6f3becad7d3aaf2c96ff5f4e86c61fe4633bb102c94b3

Download Submit
\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
\Users\Admin\AppData\Local\Temp\y2A3D.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
memory/308-57-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/308-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/308-54-0x0000000072DE1000-0x0000000072DE4000-memory.dmp

Filesize
12KB

Download
memory/308-58-0x000000007184D000-0x0000000071858000-memory.dmp

Filesize
44KB

Download
memory/308-55-0x0000000070861000-0x0000000070863000-memory.dmp

Filesize
8KB

Download
memory/308-62-0x00000000005E0000-0x0000000000617000-memory.dmp

Filesize
220KB

Download
memory/308-61-0x00000000056D0000-0x000000000573C000-memory.dmp

Filesize
432KB

Download
memory/540-60-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1004-81-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1004-75-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1004-70-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1004-127-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2624-91-0x000007FEF3560000-0x000007FEF40BD000-memory.dmp

Filesize
11.4MB

Download
memory/2624-92-0x00000000028B0000-0x00000000028B2000-memory.dmp

Filesize
8KB

Download
memory/2624-126-0x0000000002960000-0x0000000002973000-memory.dmp

Filesize
76KB

Download
memory/2624-93-0x00000000028B2000-0x00000000028B4000-memory.dmp

Filesize
8KB

Download
memory/2624-94-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2624-95-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/2624-97-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2692-100-0x000007FEF3560000-0x000007FEF40BD000-memory.dmp

Filesize
11.4MB

Download
memory/2692-101-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2692-102-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2692-103-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/2772-107-0x000007FEF3560000-0x000007FEF40BD000-memory.dmp

Filesize
11.4MB

Download
memory/2772-109-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2772-108-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download