gozi_rm3 | c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
08-04-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d.docm
Size

526KB
MD5

b3a054e49f4d87490a8208a801567112
SHA1

d038a9bc0564167a299abe43382eb6c3ef6ee88e
SHA256

c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d
SHA512

b9082cc341e8b85c4755095e741cc1e83f79194d8bc801cf97933fac712e9d3198409534fcb76f011f97c0b8e88f03a164d37791020f9e75503e5713e859440d

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.base64

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4768	4820	rundll32.exe	23

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4172	rundll32.exe

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000becd752ce40382699aeed31f325009d42b15c4583c15bf9053c2996a8cd6ad90000000000e80000000020000200000004eb7ceb12431066c46274db2734323c191c2fd6d7c959f388ba9dcc0ab548988d0000000eeca07efc03cdfd8b95572b2fc2b9f1e1d0e9034eeebac893f65ade1fb9cae7a30c48c0f55590e15c2434f784024cd14341fe169f3d12189eacc6c0961f6b01c6c65a7fc073dcfec2378aee3e6e05f4ed5a02c6d3d8c637185d27eb25e273efbd326a6314767ae98971023473f6aa4966b901638b84b89436c7a74c17f939d83d75882fdcd3a2d27e3fb01e59d7d32a87030c1f1ce1f85daad3a3b44a0ee31f36d8221cef26d090cbd70149e57bd4ebd2c7d8f24505e5eff151a3ab0b78e962b5168483e2406eaf44277816f9f18e38240000000e6191d354b3509c772b14506d652a8b633609a8f6ff3e00ed4df0a84393c4eec9ed1d844ad452aaa41570f7bf927ed61ea80c7225b611dc5cf4e2bb801600691	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000ae98c1cadbac426396c880425a4dd37069e81bb6e3a8be644ef5329747638181000000000e80000000020000200000007762a66294d876a7fa409229b3bd6edd029ff4eb064fc68d0063cf5a0939f8f820000000d3e2b13d2d223f76aa9ea0e6688e89352051115657d794c9eea9271c1de484654000000002cd8c7a68f9232c386e8d126f33969ed4954696ab94a4072641016ce2a150c6e3eca4d1e5f6e25543c19fb8004fde027c52431aaa9577f03148c7fd4f8ed3a6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e3d95e594bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f971000000000200000000001066000000010000200000007388dc1a5dd11439f69fdaba1308235f8f861d6b0bd0456f10ac8c4843b634b7000000000e80000000020000200000001bd8d047718874341e6a9816e76401f9523cd7bf468c8e3f7b3589aae3b7949fd0000000ea3dc006565aad123f9a4b7f7ce136d71313af829a0aaf7960f4b54646403f3941df7683a6e98d1ab0b9072856007ba7d75eb15a9c85e977d12ae6e7bc95f1c2ff4bbdf2aa824c294215160077a40bf2469d6584001fdc18b4b756ae728baeeba3499d1b37cf13d96c1abe076911ee96e8415acd8c8942820f13ca863665b0ae44232ba9dde8150daefdc85a41e3d49eb696951689d93a5572341a1e2304b423efb113883cba6cb5f45bd140fb12286d20bc022cdee52474ebe1d6c05614d19dcaa21fcce682e0fe0fc2dd8c31c69ec040000000f6a1b39f5f36a74fa80ecb182677e551ba6b12ab694b4d679364b89217d39da625829167563433ee84fdeac6c02c2a4cdaa380ba385f311e585a1dea6dc2eca3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30952281"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000e13240706f8f70a4bfe93e143082619e147feff4f79d88648c92cd515407688c000000000e800000000200002000000057926fa902b799d9801fb5820b8e7603e55303c04ff14b6001253a18bc99284ad0000000c5889d22d001c487f1165fcbe991f6b18f8815de061eafa46823cf774c3989fb54d7c77b1e7d425b5960ff4582db8e5b386210957bbdde63fe9a0f307fe9ecaff08eb13c9aebb8b51634b991aa6c287eee13c738f1678e82ea5652231965573800742a23e1fa464be9c21090bdd3524c4881923f4b5dbc46d59f3b1cb791ead2954a987ad2da17187bab08e70c49b3d68c272d7cf35dc31f82449963af72a61f7e296461c70e5303d4ff14b9d9c277362c4484dccf4dbea89053ff5b7c805e925496fcc3193c081bf2e6e959a6e5457b400000004c3e6ec5788d93c64cb19edc9b08c9ae2824a6bf520d551f7e10e585d5aecac60755684bb4571795f827b228b8372a13bad64c0933155c5e0dfc1b1f1f0a1162	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f971000000000200000000001066000000010000200000008cf551a112c832182e83ca52f8c6462844917c28d0ca9d3c518591cfa07d3b6e000000000e80000000020000200000003f9d575e63ef10ea58f03ff9e5a9c727cc4e488504d3a70f59fdee736c052eefd0000000ff95b4fb5e147ed8958ff49ca438c40408023e61e6587e5bf20c5fd5216ec969389625d610a572a325f123e8961fcf19fde1b50e3643e1f0181e9c3f4a6794c3e28402316870412f1b0c4d2f99bb9015b153ae9f4608519a7ee2e71d47df71bcfd129432e07a27118638773e5ef58ce87b6088ae26693692edc3ca90bc249450514f580b2415099a43f79edd1706e84902404dc0e7b2399462cbdd6ac0aaa3f848bd1566c68ca1dd89c83471e629757afe9ff63b2d3fc6905d1bf85168fa0349c1419c4f1f462e95ef4946f6bfec22b5400000002ce8d52236bb9faca51bf4a15a8c0cf2ed268e29e2059a6f299f4da5321a79ec6934c6e0b8a2bd00e957b08706d0e6d50370898452502af33babbc862c5f74b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f9710000000002000000000010660000000100002000000065e75cfb6bdc9813183eb74a2b60ac2f0503d26cd08fe3f6b8f2e827982d6d30000000000e80000000020000200000004bd8309c96fc3cfc4c7a8a0c58062cfeae9051bd2cb8194a9ade7ec5cec8cd8fd0000000b50140a7fc95cc3bffe9f92ac2289c113851bc16af2f54b3cb3ae8d50424a2ff53c7c9761f066be9909c911fc56d9f94bcb93be7da0c4e44a654686455b8d634eb526dbce1ab8cb9226e6ea730867ff7a50d4d81509bb62b90b0529d139186700112feabd5871ba7b938aea2b17f8e760e7e6451d89dc2f8b37c3e307117d506e1e562746b132dbcf02e0ff63b0d324194feff3f63d937808b57d574b918794c419c22c0dc3a2d2164aee1adec2b73633fc6b30bef7994933d071bfee7093a821db65968780d2a2d2160895cc11b561840000000cc4e1f31bde0f69f9086b2f906260bbae1e29d250428a4a0aecbe3b464d356510f33b6849f81491cac4df998b18ffd2d5491bf6d35f6f6f5dbf5497da88d7581	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000aa4835dab72ed04b6105820f3fd5939358d76383c9ed5a9e9f64014263588669000000000e80000000020000200000006575796bac218b88d40ca9fa39cff2d728470091c74077ead26ee58f8cf4d1c3d0000000915c7f35f0693c5fdbe20606efda4b16d3f53ed63ebcfa06f92eb8519a6c8f1cbf3883a9be92f7bbd2e80a7cc487bc5867bf7341aa376ae8e19a3814d0647a6e9f540b8c23b8a67773f8c002c539bf5d3b043c59581604ef1e29fd32901e9bec5fc006e84597469f7105231698dc52ade71f490d49e84607520a7c4deee544ea416335f2a84da4c394438156b07b3487feaad3f2f3b2ed6faa28ac4efba7edeb99f4306dbda5b6c6460b2887a27d4d926e12f88f0056c517cb9a871a979fcce67fd2e3148b3c5d3a8f460b44725ac93f40000000aa41045ecb1e254a8d1c4955c5455feb4dcfdda7cd0703ca14c41cb97fb96b2cdcc2a1f3e05c98bf58c8d875e65994d15405d060a3c22ef835ee7fb43b3ea890	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f9710000000002000000000010660000000100002000000099c07c70e7e10d2bdcb287e0dee230b3076f68d7f53bc220c1ae6cc4ced22146000000000e8000000002000020000000120f298c4fb50da27138cdb7197e6762ed8236d992aeb84dca08086342a66846d00000008569e527361981fe5dbc8789abd51b2d76a4c145c4ba9b930b2b800362a74cad5fdba0ca1b903fb8bd46d0ba6b0f65f61ce071f173e9a5ad36e352f9583b79bc192bf308ee6870134f34703ce85e6efb8776042b66f1eadb5d761ac7ee7fbbed0d6b9354f78896637abaf6541650026d7151efc8016d66bb41e02a84f3f689883afff468845c0e1181e4dc842048a3beccf6f48f6904fd78e46a07d6b215c0152c8e93bbb15b6aff908e8863161a6a1432b0c0c44e2abebace369f369b5ec10e5bbc8c8ac240e3191c75be724f1235504000000041e345f33d5cca0008fb992313a980234cc2ef0448b9396b0b715a310036b0bec498008036c1868d1eed13d97871d6fa22f66bcf6f17e9b72338723ff7a62f8d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000b37fee8aa949eb7e9311726db3bb38f5a41a8f722cca0135774c698a50e662a0000000000e80000000020000200000006c5b52400199332958fcb0abadd9f0c3d908f2fbc8be299afb0b58f4bd662765200000003c393475b7fc77679ad6d46b328aa8939bc55703bd24f0db180489053d6702c7400000003065516066d853b65f43f9c841d39330a5f935125aea483cf43bc92c4edbe86cab36e099da5771a63692821826d5ecd7f3126b1c18f655e4ad90c91271e61a73	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006af1d4fbcefdcb48afc82ad132f4f97100000000020000000000106600000001000020000000dd0d63c4744b377d9141c865d905e72c885730449a828f3954fd27f3e6cb875e000000000e80000000020000200000006826a7a20f3a22d3ad66796ded8eb9a3124cc696ace145c5e2d0eb0269ccb87fd0000000e27446d427b01aca0b3ef7bb59418169a462ebe9e8a93800e28d19c99eb8ee1333684123bab1767f38aa54c177c25e25e512ad6f74de4fd96e9b167746670d65898f79ec7074f6b5dedfbfe46fcab0b5c0d169b7ad824ce84451329965a5c6471a61d9fa030f2e6a7ccaf15af8e3a1b820a5c16442fadaea51fe7d9c19e3a32333eaeea1ff763b0547faeba99b2dff21354663b426808bdf0caa6cf8dd14ff1a8c01948f79c75ce9bfd6071b031a1b24c45bde2cb0e6d9d76c5a16d5e2ca64011baa29830450a090bb3655902137265140000000f1f5dca906667b24c4705d30e51964500f4f8981a38a4ae77b560839f90383d3f7546cfb09df03dbb17a1cdad2ab8ded774d380feabb6bea85287efca881ed91	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1829936862"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4820	WINWORD.EXE
4820	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3280	powershell.exe
3280	powershell.exe
3280	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3280	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
4820	WINWORD.EXE
4820	WINWORD.EXE
4820	WINWORD.EXE
4820	WINWORD.EXE
2056	iexplore.exe
2056	iexplore.exe
616	IEXPLORE.EXE
616	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
4560	IEXPLORE.EXE
4560	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
3308	IEXPLORE.EXE
3308	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
932	IEXPLORE.EXE
932	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
1004	IEXPLORE.EXE
1004	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
3816	IEXPLORE.EXE
3816	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
3916	IEXPLORE.EXE
3916	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
3596	IEXPLORE.EXE
3596	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
3988	IEXPLORE.EXE
3988	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
4820	WINWORD.EXE
4820	WINWORD.EXE
4820	WINWORD.EXE
3880	IEXPLORE.EXE
3880	IEXPLORE.EXE
4820	WINWORD.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4768	4820	WINWORD.EXE	85
PID 4820 wrote to memory of 4768	4820	WINWORD.EXE	85
PID 4768 wrote to memory of 4172	4768	rundll32.exe	86
PID 4768 wrote to memory of 4172	4768	rundll32.exe	86
PID 4768 wrote to memory of 4172	4768	rundll32.exe	86
PID 2056 wrote to memory of 616	2056	iexplore.exe	94
PID 2056 wrote to memory of 616	2056	iexplore.exe	94
PID 2056 wrote to memory of 616	2056	iexplore.exe	94
PID 2056 wrote to memory of 4560	2056	iexplore.exe	96
PID 2056 wrote to memory of 4560	2056	iexplore.exe	96
PID 2056 wrote to memory of 4560	2056	iexplore.exe	96
PID 2056 wrote to memory of 3308	2056	iexplore.exe	98
PID 2056 wrote to memory of 3308	2056	iexplore.exe	98
PID 2056 wrote to memory of 3308	2056	iexplore.exe	98
PID 2056 wrote to memory of 932	2056	iexplore.exe	100
PID 2056 wrote to memory of 932	2056	iexplore.exe	100
PID 2056 wrote to memory of 932	2056	iexplore.exe	100
PID 2056 wrote to memory of 1004	2056	iexplore.exe	101
PID 2056 wrote to memory of 1004	2056	iexplore.exe	101
PID 2056 wrote to memory of 1004	2056	iexplore.exe	101
PID 2056 wrote to memory of 4124	2056	iexplore.exe	102
PID 2056 wrote to memory of 4124	2056	iexplore.exe	102
PID 2056 wrote to memory of 4124	2056	iexplore.exe	102
PID 2056 wrote to memory of 3816	2056	iexplore.exe	103
PID 2056 wrote to memory of 3816	2056	iexplore.exe	103
PID 2056 wrote to memory of 3816	2056	iexplore.exe	103
PID 2056 wrote to memory of 3916	2056	iexplore.exe	105
PID 2056 wrote to memory of 3916	2056	iexplore.exe	105
PID 2056 wrote to memory of 3916	2056	iexplore.exe	105
PID 2056 wrote to memory of 3596	2056	iexplore.exe	106
PID 2056 wrote to memory of 3596	2056	iexplore.exe	106
PID 2056 wrote to memory of 3596	2056	iexplore.exe	106
PID 2056 wrote to memory of 3988	2056	iexplore.exe	107
PID 2056 wrote to memory of 3988	2056	iexplore.exe	107
PID 2056 wrote to memory of 3988	2056	iexplore.exe	107
PID 2056 wrote to memory of 3880	2056	iexplore.exe	108
PID 2056 wrote to memory of 3880	2056	iexplore.exe	108
PID 2056 wrote to memory of 3880	2056	iexplore.exe	108
PID 3384 wrote to memory of 2604	3384	cmd.exe	113
PID 3384 wrote to memory of 2604	3384	cmd.exe	113
PID 2604 wrote to memory of 4588	2604	forfiles.exe	116
PID 2604 wrote to memory of 4588	2604	forfiles.exe	116
PID 4588 wrote to memory of 3280	4588	cmd.exe	117
PID 4588 wrote to memory of 3280	4588	cmd.exe	117
PID 3280 wrote to memory of 388	3280	powershell.exe	118
PID 3280 wrote to memory of 388	3280	powershell.exe	118
PID 3280 wrote to memory of 3452	3280	powershell.exe	119
PID 3280 wrote to memory of 3452	3280	powershell.exe	119
PID 3280 wrote to memory of 3876	3280	powershell.exe	120
PID 3280 wrote to memory of 3876	3280	powershell.exe	120
PID 3876 wrote to memory of 4192	3876	csc.exe	121
PID 3876 wrote to memory of 4192	3876	csc.exe	121
PID 3280 wrote to memory of 4336	3280	powershell.exe	122
PID 3280 wrote to memory of 4336	3280	powershell.exe	122
PID 4336 wrote to memory of 4344	4336	csc.exe	123
PID 4336 wrote to memory of 4344	4336	csc.exe	123
PID 3280 wrote to memory of 3056	3280	powershell.exe	36
PID 64 wrote to memory of 2468	64	cmd.exe	132
PID 64 wrote to memory of 2468	64	cmd.exe	132
PID 2468 wrote to memory of 4448	2468	net.exe	133
PID 2468 wrote to memory of 4448	2468	net.exe	133
PID 5076 wrote to memory of 3864	5076	iexpress.exe	138
PID 5076 wrote to memory of 3864	5076	iexpress.exe	138

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c04c112d33bdc2f8f333e9d64e4b8a7daa14d3f6df84e5c3860866af48a1421d.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\y6D16.tmp.dll",DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\y6D16.tmp.dll",DllRegisterServer
    3⤵
    - Loads dropped DLL
    PID:4172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwARQB4AHAAbABvAHIAZQByAG0AYQBnACcAKQAuAEEA & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwARQB4AHAAbABvAHIAZQByAG0AYQBnACcAKQAuAEEA & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwARQB4AHAAbABvAHIAZQByAG0AYQBnACcAKQAuAEEA & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwARQB4AHAAbABvAHIAZQByAG0AYQBnACcAKQAuAEEA
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQA7AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAcgBoAGMAZQB3AGQAYQB4AGUAKQAnAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAGQAZgBvAG0AaABlAGwAcwBvAGgAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGYAbwBtAGgAZQBsAHMAbwBoACkAJwA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31j54ajo\31j54ajo.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1925.tmp" "c:\Users\Admin\AppData\Local\Temp\31j54ajo\CSC4D225D715C1A459D8CEFE1BC3341DF6.TMP"
        7⤵
        
        PID:4192
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\05cyzmnd\05cyzmnd.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BD5.tmp" "c:\Users\Admin\AppData\Local\Temp\05cyzmnd\CSCE5EFFF1DEE9F4D4D975913CB32DDE89E.TMP"
        7⤵
        
        PID:4344
- C:\Windows\system32\cmd.exe
  cmd /C "net session" >> C:\Users\Admin\AppData\Local\Temp\B2DC.bin0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4448
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\B2DC.bin0 > C:\Users\Admin\AppData\Local\Temp\B2DC.bin & del C:\Users\Admin\AppData\Local\Temp\B2DC.bin0"
  2⤵
  PID:3684
- C:\Windows\system32\iexpress.exe
  iexpress.exe /n /q /m C:\Users\Admin\AppData\Local\Temp\E734.bin
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\system32\makecab.exe
    C:\Windows\system32\makecab.exe /f "C:\Users\Admin\~Arclogic.DDF"
    3⤵
    PID:3864

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82948 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82954 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82956 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4124
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17422 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82960 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:17426 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82964 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82966 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a492ccea224253b98abcf2f9fc92503a

SHA1
99d3513a3283046809b22c40a6a383def2db3fb8

SHA256
cd76b3da88c7c4ebc6af73012fb6436c2eb678cda351564d96503bbe7509a87e

SHA512
231667ed3dbbab7f6371b5e12bf720c4bf027c0b0e2ac505e8b3fb9f5402f6a8bc6d60d244fb14f0e84e764e4ad3c0b5edb7576de0657da99fd82aebf28247a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1mvpbnk\imagestore.dat

Filesize
430B

MD5
f9ce046917310d1cef3852cbe88c1787

SHA1
ea61b56dcba9f854d4254856c217812e8a2acea6

SHA256
2a248cb230bf38471560c640047d71f08c6c7b4fc7617616809a9c3eb8372f90

SHA512
1036690709599f535c8b8c333d15ed046e6c7f16f92d401db6820b4a01df452f9ae3f44d311e2e8ec563dfe0adfbc13a11874fba42dcca4e82b024de466e3d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\861E6A62\favicon[2].ico

Filesize
318B

MD5
a976d227e5d1dcf62f5f7e623211dd1b

SHA1
a2a9dc1abdd3d888484678663928cb024c359ee6

SHA256
66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

SHA512
6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b53429e28f910e125239e95e23ef267

SHA1
8963b2eb63e21642545b2a023e7fb41332a23e13

SHA256
20f516fc915cd85d967a78663cdc344b70d99fcb79fc0f96bb199def8c7b4cd2

SHA512
db592560dc8c20866634be7cc0a576873e5e0efab6d8ba700eb5a822aa8fc409a337a474320df161bb45503608a6065664a15d685dc04994960706d5bc986055

Download Submit
C:\Users\Admin\AppData\Local\Temp\05cyzmnd\05cyzmnd.dll

Filesize
3KB

MD5
46341844b0c2ce3fbbbfe495231a2ba2

SHA1
4407f906686061ead8bbb6ffec4d7f71870281b1

SHA256
201d1e27ed628035d7228ed0ccc1a7bb91ea6704aaf183f5acaef8efe3fa0d33

SHA512
9bc40cfbd017c17815c8e27dbaad07658200ce50f07bbe4b249367c3ab4b381438baa74cfd324558d345119ae9263a93aab98d4bcd82bba846e83ff571104110

Download Submit
C:\Users\Admin\AppData\Local\Temp\31j54ajo\31j54ajo.dll

Filesize
3KB

MD5
2b1b913a7fd146638b40656e325342c9

SHA1
01f4cde7c41d6860ed41374f4a0f3ec32d46e582

SHA256
332bd0a19ad6dab99f4c35a965c24dd4f4fed2e1aa49d642c8ba42987e09ac99

SHA512
3028d0775d0ece45b2b9fadebd5ea73366f9beaf16079ec0681b12f5f8eb56fd3034394440b3909e1053d11a23a1cd04432e0f10b9606db2896569fe5ed59e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2DC.bin0

Filesize
37B

MD5
768165e0abf16bf3056836d5431a7296

SHA1
9fb3196be60e49bfc319ebd9e0b103954d711e34

SHA256
b44c505b721e93e2a596577018cc65b993cd632b9fe7620a4b3db54031afff5d

SHA512
1250ec40ba20f39a5b9a3aafd45c63cb6f1bf48b89acce1f885470c936fb48a803081943c68458ba1adce92d5fe79d3e45682285f56ecb29884d41974269992d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1925.tmp

Filesize
1KB

MD5
1407f40160d6c0ce2144b20189e7f171

SHA1
c9ed5e7d7f70fc0bd5764121a07812f555fbdfb3

SHA256
991c08ab3ee1ca95946e95dd847cf5c7ad2fb3cf254a4daba6731111309389f1

SHA512
3b54a154e8bb3d2e23c80e7ab0b59a4029bc821a58acab30617d9c588045227f97bf17ce47222a3c8f7435129f753c5caa7e4fa1b69391b44d78b5ee611e019c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BD5.tmp

Filesize
1KB

MD5
69396bb21fc12ceda323b861b4dc4691

SHA1
aae877a93fe7c2e32077959acdd2d1cb0165bcbf

SHA256
d9b044124f5f171e798384913f38b16662f2d19a0db30efb8c159f46fad79de2

SHA512
437a6d4d6197bf87726e3a8acc5b47f8d565825af9954815d91995c9bedc07680cc0a1a1fadf9d8a28abafc42fc26b4b819ed9e7d24a4bba78880436c7597fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\y6D16.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\y6D16.tmp.dll

Filesize
151KB

MD5
55ab2f304f8c2da30aeee7713a95064d

SHA1
aae939cf3995905399e427097fc90c5b62f3d4c3

SHA256
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547

SHA512
08bbf78b4154f725399055dfb8a4338ce873297af847a5e30c8b6708e44feeae071fbf7efff9ff2c0b397fdffec5ca52a9591f742092a8f50287e54ce89307d3

Download Submit
C:\Users\Admin\~Arclogic.CAB

Filesize
135B

MD5
aa3ef2d4e5db756358ad6f37527d172a

SHA1
3739622948c6033859dfd0b973872526023b13eb

SHA256
d0d424f7130d5f73861e03546ec986e3b2ba8adab0db3b23acd7925fe047afd7

SHA512
319cc2cbec6153bb3c25e59dd6d02b5f097bf06a9d6a7a7daa8fadcd87dd084ea932b0fe5be187ac0c8815d6f54d1ad344334b6cc718c36ac829c146f0414a27

Download Submit
C:\Users\Admin\~Arclogic.DDF

Filesize
770B

MD5
42098c248200706615adc0cadb882dce

SHA1
e3521041a2fc66fd08fda1c64a3fe44997fb0592

SHA256
0cd65afe4b9608f12cdd0bc0a9f54440de8a8ed7b361b1d3f83c53ed590b3851

SHA512
5b87d19a2d7ed75d716b13f78688936be03f965e9b92b14b8b54b0c7714085251731c0dd78416874a604b875dc7bf5b86241d3a5d1d512a7976bb9ff6b15704c

Download Submit
C:\Users\Admin\~Arclogic.RPT

Filesize
283B

MD5
9c41e51dcfd23fa9c7df3baa94e5e8b7

SHA1
1fd1fb7e82ab0220823d7de0e1b336817004d7f6

SHA256
a6d759a91bf9c4a63acf914516d3e819ee15e0c394eafe7f73b0e9bda5cb2f8e

SHA512
09bdb7016f4cb5f4c140135f162f540878cd8d65cd311dd7b3bfccff630a1033815e131bcc90e235f66d787e8cb85d8e26602861ee680ee07367d9b03efed561

Download Submit
C:\Users\Admin\~Arclogic_LAYOUT.INF

Filesize
966B

MD5
32fdfa04ec4ba48448fa93aeb6b30081

SHA1
6f99145e37a24f2dc0bdf0e3564db53933911d5d

SHA256
eb50a213f07df5973017da5e047cf422e2eda085029cbb15cbb86588257ed520

SHA512
9b92545d11cbd5f1d0ac74823217ee136f7000ea78855e08cbeca8ac233fdc6bab39d63f60f51f5f69a4aa8515f9d2339b9b647ce943c8a4162c8e7fc61821b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\05cyzmnd\05cyzmnd.0.cs

Filesize
416B

MD5
e991aa9d35bfffc8f1e0d5dcf4c95ed1

SHA1
02d81b5b8cfd7b25d4fa0dab40d6ce6db3129501

SHA256
2598df56dcfc916eb9ae7b571c67d2feb92740843e36caccf9df705c03145265

SHA512
e0205253f43832674a3ea5dbe376e82fe0a59722ca10bed0184ff8fa298111957437db32aefb725b8c525f62aa8c7bc14922fa665ec9ced0d465d91837da126b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\05cyzmnd\05cyzmnd.cmdline

Filesize
369B

MD5
40e47278c108d2901a273c5f49bdf431

SHA1
59903b062fbbaf40b7b3de7d991e0ce69b04853b

SHA256
ae9fa5d564920eacfdfaed0c6a9f4fe555c7267b8a93d0da97505896ead26072

SHA512
3dd2a54459788bebd6bbe864f11ac953a96083a23bff03a63c601a784f81ff2d59ca4cb41cf3331794b54ebf8261b1e15a8a46cc133f76afe61e4826df6e7707

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\05cyzmnd\CSCE5EFFF1DEE9F4D4D975913CB32DDE89E.TMP

Filesize
652B

MD5
28db40815034abfe3e669e55360b0f81

SHA1
295b13af11e3604a73c76a64164d345459a430bc

SHA256
076814d6f5f74f53a4a49d0a2b024aada24de418e3ff0870009e4f758f8d78e4

SHA512
e2a398596aad4e38fac5dbc1ec98645da0bc3097152e6d40f1313b64288dbe85550d14988b44281c81ac2a772c932e0ec24a5cb240cb36b25d55038ffc8b2870

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31j54ajo\31j54ajo.0.cs

Filesize
417B

MD5
cdc42ce046de74fa8cb97234640cfcc5

SHA1
8a6aa5bda682fbb11bc974d752408593aec799cc

SHA256
7fca4a3b3889149b375ce11cd1614298a244c05e3dd5fa343be56986aaa675c5

SHA512
c2663ca8817dc7a375c06cfc4adb529ab61b098663a550feba5dabe8b9c6269a5e878419d5198cb463b9c6b4d5acb504587ffd5721eab568068a7e9d45d55d13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31j54ajo\31j54ajo.cmdline

Filesize
369B

MD5
67058a8e45fe9a8a9c759c0a09045547

SHA1
282e38fae6a62c46742104f2766fb5bf19e5d82e

SHA256
5b5fe6e2ea8ba043362a0e1fc5478ef96183405dff4c983ffb66964a4b5439e4

SHA512
a6d5d0f538076f48d80b26a992e3e9b2e22ab42f90fe987ec66da46b1dbc1156bbf492c84b8eb7419fcbe0eaedf31381ea7a3457be183e2a3ea3d1fbdb49d756

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31j54ajo\CSC4D225D715C1A459D8CEFE1BC3341DF6.TMP

Filesize
652B

MD5
c875cfd95f9d0a70a2e100267192e825

SHA1
0a1ea2009703f27850042f70821591cb1c4cd619

SHA256
0eb5a4768618ff12487464c94f15c6cc8b4002ef3bfb4394ee22da6b443385b2

SHA512
0a6b87bc1b503f37a7c0933a688f88db5dec7ca6fb70a01fc1af3c8a22d379655898ee062d572f5c255fb84a5f6553d132b7151e93e9c73a0615cfbb4c90e4a1

Download Submit
memory/388-155-0x00007FF949490000-0x00007FF949F51000-memory.dmp

Filesize
10.8MB

Download
memory/3280-180-0x000001CB69A70000-0x000001CB69A83000-memory.dmp

Filesize
76KB

Download
memory/3280-160-0x000001CB677F3000-0x000001CB677F5000-memory.dmp

Filesize
8KB

Download
memory/3280-153-0x000001CB696D0000-0x000001CB696F2000-memory.dmp

Filesize
136KB

Download
memory/3280-158-0x00007FF949490000-0x00007FF949F51000-memory.dmp

Filesize
10.8MB

Download
memory/3280-159-0x000001CB677F0000-0x000001CB677F2000-memory.dmp

Filesize
8KB

Download
memory/3280-161-0x000001CB677F6000-0x000001CB677F8000-memory.dmp

Filesize
8KB

Download
memory/3452-164-0x0000022AF40A3000-0x0000022AF40A5000-memory.dmp

Filesize
8KB

Download
memory/3452-162-0x00007FF949490000-0x00007FF949F51000-memory.dmp

Filesize
10.8MB

Download
memory/3452-163-0x0000022AF40A0000-0x0000022AF40A2000-memory.dmp

Filesize
8KB

Download
memory/4172-140-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/4172-135-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4820-130-0x0000022316650000-0x000002231668F000-memory.dmp

Filesize
252KB

Download
memory/4820-124-0x00007FF937E90000-0x00007FF937EA0000-memory.dmp

Filesize
64KB

Download
memory/4820-129-0x000002231234A000-0x00000223123C3000-memory.dmp

Filesize
484KB

Download
memory/4820-128-0x00007FF937E90000-0x00007FF937EA0000-memory.dmp

Filesize
64KB

Download
memory/4820-127-0x00007FF937E90000-0x00007FF937EA0000-memory.dmp

Filesize
64KB

Download
memory/4820-125-0x00007FF937E90000-0x00007FF937EA0000-memory.dmp

Filesize
64KB

Download
memory/4820-126-0x00007FF937E90000-0x00007FF937EA0000-memory.dmp

Filesize
64KB

Download