cobaltstrike | c83d93a91e02c69b40def0cbc882f6dc9e10bb95570425018380b245d2a42849

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7v20201028
submitted
19-11-2020 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Curriculum_Vitae_Protected.doc
Size

259KB
MD5

61710a01068b7ce0edb6bad429d1a589
SHA1

cd5eaccdf2f547002ec573512e8495f6e28e18f6
SHA256

c83d93a91e02c69b40def0cbc882f6dc9e10bb95570425018380b245d2a42849
SHA512

f2d51026953e1c533d83f74e46179932377de58f3982b9e19a85cb47d2a9c3c2b6a18bba70f5c36a0a0fc06956caf52d9d8c7b3add4ad4a8129a0660b7179752

Score

10^/10

cobaltstrike metasploit backdoor spyware trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://d25bm6hkar6nys.cloudfront.net:443/CuMX

Extracted

Family

cobaltstrike

http://d25bm6hkar6nys.cloudfront.net:443/api/v2/status

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
d25bm6hkar6nys.cloudfront.net,/api/v2/status
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAADQAAAAIAAAAFX3NpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAEX3NpZAAAAAcAAAABAAAADwAAAA0AAAACAAAAAnE9AAAAAQAAAA4mc3VibWl0PVN1Ym1pdAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
injection_process
jitter
17152
maxdns
0
month
0
pipe_name
polling_time
50000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCggYu+B86qYK20olfyHZR+N8aFqAmVPRWTJDMbnVW/0NujEMsQ6MYc3rJLEjPf3Y+BfiOOjZ2R2ZpGeSBjNO5DGzRTebo7jSV1gPxvT1cgu6hek4V8SJWNFLXaDAfwlfR1sAlPpv1On8fOOgPG4lC1GLS7ehQAHCRykVM7I+ZvkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.532302592e+09
unknown2
AAAABAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
4.64002319e+08
uri
/api/v2/search
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

forfiles.exeforfiles.exeforfiles.exeforfiles.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1916	forfiles.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1916	forfiles.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1916	forfiles.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1916	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1868843-919B-4FBB-BADD-9BED7359CBB5}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1868843-919B-4FBB-BADD-9BED7359CBB5}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1868843-919B-4FBB-BADD-9BED7359CBB5}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib\{F1868843-919B-4FBB-BADD-9BED7359CBB5}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\TypeLib	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE

pid	process
1960	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

pid	process
2008	MSBuild.exe
2008	MSBuild.exe
2008	MSBuild.exe
1184	MSBuild.exe
1184	MSBuild.exe
1184	MSBuild.exe
1176	MSBuild.exe
1176	MSBuild.exe
1176	MSBuild.exe
1716	MSBuild.exe
1716	MSBuild.exe
1716	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MSBuild.exeMSBuild.exeMSBuild.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2008	MSBuild.exe
Token: SeDebugPrivilege	1184	MSBuild.exe
Token: SeDebugPrivilege	1176	MSBuild.exe
Token: SeDebugPrivilege	1716	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
1960 WINWORD.EXE

pid	process
1960	WINWORD.EXE
1960	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WINWORD.EXEforfiles.exeMSBuild.execsc.exeforfiles.exeMSBuild.execsc.exeforfiles.exeMSBuild.execsc.exeforfiles.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1960 wrote to memory of 1548	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1548	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1548	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1548	1960	WINWORD.EXE	splwow64.exe
PID 436 wrote to memory of 2008	436	forfiles.exe	MSBuild.exe
PID 436 wrote to memory of 2008	436	forfiles.exe	MSBuild.exe
PID 436 wrote to memory of 2008	436	forfiles.exe	MSBuild.exe
PID 2008 wrote to memory of 1084	2008	MSBuild.exe	csc.exe
PID 2008 wrote to memory of 1084	2008	MSBuild.exe	csc.exe
PID 2008 wrote to memory of 1084	2008	MSBuild.exe	csc.exe
PID 1084 wrote to memory of 892	1084	csc.exe	cvtres.exe
PID 1084 wrote to memory of 892	1084	csc.exe	cvtres.exe
PID 1084 wrote to memory of 892	1084	csc.exe	cvtres.exe
PID 2008 wrote to memory of 1112	2008	MSBuild.exe	WerFault.exe
PID 2008 wrote to memory of 1112	2008	MSBuild.exe	WerFault.exe
PID 2008 wrote to memory of 1112	2008	MSBuild.exe	WerFault.exe
PID 2008 wrote to memory of 1112	2008	MSBuild.exe	WerFault.exe
PID 1968 wrote to memory of 1184	1968	forfiles.exe	MSBuild.exe
PID 1968 wrote to memory of 1184	1968	forfiles.exe	MSBuild.exe
PID 1968 wrote to memory of 1184	1968	forfiles.exe	MSBuild.exe
PID 1184 wrote to memory of 600	1184	MSBuild.exe	csc.exe
PID 1184 wrote to memory of 600	1184	MSBuild.exe	csc.exe
PID 1184 wrote to memory of 600	1184	MSBuild.exe	csc.exe
PID 600 wrote to memory of 1132	600	csc.exe	cvtres.exe
PID 600 wrote to memory of 1132	600	csc.exe	cvtres.exe
PID 600 wrote to memory of 1132	600	csc.exe	cvtres.exe
PID 1184 wrote to memory of 1664	1184	MSBuild.exe	WerFault.exe
PID 1184 wrote to memory of 1664	1184	MSBuild.exe	WerFault.exe
PID 1184 wrote to memory of 1664	1184	MSBuild.exe	WerFault.exe
PID 1184 wrote to memory of 1664	1184	MSBuild.exe	WerFault.exe
PID 1128 wrote to memory of 1176	1128	forfiles.exe	MSBuild.exe
PID 1128 wrote to memory of 1176	1128	forfiles.exe	MSBuild.exe
PID 1128 wrote to memory of 1176	1128	forfiles.exe	MSBuild.exe
PID 1176 wrote to memory of 964	1176	MSBuild.exe	csc.exe
PID 1176 wrote to memory of 964	1176	MSBuild.exe	csc.exe
PID 1176 wrote to memory of 964	1176	MSBuild.exe	csc.exe
PID 964 wrote to memory of 1744	964	csc.exe	cvtres.exe
PID 964 wrote to memory of 1744	964	csc.exe	cvtres.exe
PID 964 wrote to memory of 1744	964	csc.exe	cvtres.exe
PID 1176 wrote to memory of 1060	1176	MSBuild.exe	WerFault.exe
PID 1176 wrote to memory of 1060	1176	MSBuild.exe	WerFault.exe
PID 1176 wrote to memory of 1060	1176	MSBuild.exe	WerFault.exe
PID 1176 wrote to memory of 1060	1176	MSBuild.exe	WerFault.exe
PID 1800 wrote to memory of 1716	1800	forfiles.exe	MSBuild.exe
PID 1800 wrote to memory of 1716	1800	forfiles.exe	MSBuild.exe
PID 1800 wrote to memory of 1716	1800	forfiles.exe	MSBuild.exe
PID 1716 wrote to memory of 548	1716	MSBuild.exe	csc.exe
PID 1716 wrote to memory of 548	1716	MSBuild.exe	csc.exe
PID 1716 wrote to memory of 548	1716	MSBuild.exe	csc.exe
PID 548 wrote to memory of 624	548	csc.exe	cvtres.exe
PID 548 wrote to memory of 624	548	csc.exe	cvtres.exe
PID 548 wrote to memory of 624	548	csc.exe	cvtres.exe
PID 1716 wrote to memory of 1680	1716	MSBuild.exe	WerFault.exe
PID 1716 wrote to memory of 1680	1716	MSBuild.exe	WerFault.exe
PID 1716 wrote to memory of 1680	1716	MSBuild.exe	WerFault.exe
PID 1716 wrote to memory of 1680	1716	MSBuild.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Curriculum_Vitae_Protected.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1548

C:\Windows\system32\forfiles.exe
forfiles.exe /S /C "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /verbosity:diag @path" /P C:\ /M "1119202013242120*"
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
/verbosity:diag "C:\Users\Admin\AppData\Local\Temp\1119202013242120_.TMP"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4eslaf3\h4eslaf3.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F8.tmp" "c:\Users\Admin\AppData\Local\Temp\h4eslaf3\CSCAF9006676F84DE794FAFDA35F32CB3.TMP"
4⤵
PID:892

C:\Windows\System32\WerFault.exe
"C:\Windows\System32\WerFault.exe"
3⤵
PID:1112

C:\Windows\system32\forfiles.exe
forfiles.exe /S /C "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /verbosity:diag @path" /P C:\ /M "1119202013243420*"
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
/verbosity:diag "C:\Users\Admin\AppData\Local\Temp\1119202013243420_.TMP"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gudkpvdp\gudkpvdp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ECF.tmp" "c:\Users\Admin\AppData\Local\Temp\gudkpvdp\CSCF0A8E9B8292242F78D48F7D56A377E18.TMP"
4⤵
PID:1132

C:\Windows\System32\WerFault.exe
"C:\Windows\System32\WerFault.exe"
3⤵
PID:1664

C:\Windows\system32\forfiles.exe
forfiles.exe /S /C "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /verbosity:diag @path" /P C:\ /M "1119202013244120*"
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
/verbosity:diag "C:\Users\Admin\AppData\Local\Temp\1119202013244120_.TMP"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zefazsk3\zefazsk3.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE6.tmp" "c:\Users\Admin\AppData\Local\Temp\zefazsk3\CSC7C666C2CDFB744F4ADCFF61C94EF28B.TMP"
4⤵
PID:1744

C:\Windows\System32\WerFault.exe
"C:\Windows\System32\WerFault.exe"
3⤵
PID:1060

C:\Windows\system32\forfiles.exe
forfiles.exe /S /C "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /verbosity:diag @path" /P C:\ /M "1119202013244520*"
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
/verbosity:diag "C:\Users\Admin\AppData\Local\Temp\1119202013244520_.TMP"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4h35k0y\f4h35k0y.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFDD.tmp" "c:\Users\Admin\AppData\Local\Temp\f4h35k0y\CSCB665337C567548FEAF6DC259434D9A89.TMP"
4⤵
PID:624

C:\Windows\System32\WerFault.exe
"C:\Windows\System32\WerFault.exe"
3⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1119202013242120_.TMP
MD5
c70e87a7edf06daff6fbbb153aba9a4d

SHA1
42d1e3dbd4c20925ae99e595e0332bfc6fee3ff1

SHA256
036f5e118434effbd6bd06980b13b96e776ca3c3f0f5caca33ab4676c4d657a3

SHA512
fffc2649f0f4d8fc4b5a945cf7ed4b62262f662fd90be9ed979969d12b5159fd5a5083537c77e19903e8503c7a2eb45b0a5cf22fc8e992442168cdc756a2b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1119202013243420_.TMP
MD5
c70e87a7edf06daff6fbbb153aba9a4d

SHA1
42d1e3dbd4c20925ae99e595e0332bfc6fee3ff1

SHA256
036f5e118434effbd6bd06980b13b96e776ca3c3f0f5caca33ab4676c4d657a3

SHA512
fffc2649f0f4d8fc4b5a945cf7ed4b62262f662fd90be9ed979969d12b5159fd5a5083537c77e19903e8503c7a2eb45b0a5cf22fc8e992442168cdc756a2b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1119202013244120_.TMP
MD5
c70e87a7edf06daff6fbbb153aba9a4d

SHA1
42d1e3dbd4c20925ae99e595e0332bfc6fee3ff1

SHA256
036f5e118434effbd6bd06980b13b96e776ca3c3f0f5caca33ab4676c4d657a3

SHA512
fffc2649f0f4d8fc4b5a945cf7ed4b62262f662fd90be9ed979969d12b5159fd5a5083537c77e19903e8503c7a2eb45b0a5cf22fc8e992442168cdc756a2b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1119202013244520_.TMP
MD5
c70e87a7edf06daff6fbbb153aba9a4d

SHA1
42d1e3dbd4c20925ae99e595e0332bfc6fee3ff1

SHA256
036f5e118434effbd6bd06980b13b96e776ca3c3f0f5caca33ab4676c4d657a3

SHA512
fffc2649f0f4d8fc4b5a945cf7ed4b62262f662fd90be9ed979969d12b5159fd5a5083537c77e19903e8503c7a2eb45b0a5cf22fc8e992442168cdc756a2b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84F8.tmp
MD5
c18ac9ca69c7f5206a7be53037bba084

SHA1
1d582cd08e959e31672d3aba1b3fb2b09f1a272c

SHA256
5fb600ec95a7167d9dc51a84609d40df48b16a9790f2b4512a068c1fc290fb6b

SHA512
0de1c284bef4d6318762cae33526e4d2e8394c8dfe303bc37f5ac688d1719330c35e6367ba8f8fb0588caeca5701440eb4b00156e5381a616fcd4ad2c1874a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9ECF.tmp
MD5
e2d2efa859aead6f6603f804238c5521

SHA1
c36a407517c5ce48e7cfb355775daea28a1e75e5

SHA256
10a79fdd1f34b82ba8d20f473cef5c97465b3e64e7a03d0c9cd682617a2657bc

SHA512
8e6f8ae3527b90b734471726f0345bdcf9132796870b439c3ee200f85c1940ed471002595c19d27406eac072a33f73a78bbd91cd517eb2c9271eb90e29daba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAE6.tmp
MD5
e99e6c2e43650d654fa1eee98812393d

SHA1
d5b9976eb47e4c5906a6a1f4c5e3116f5da229a3

SHA256
9f4deb8e3e07990c8c6c52db65fa4dd34d4b77d425688b97ce420f031898f164

SHA512
8ac6e1fe40472e0985c4281149983de0cd3177c6e52911d2d5e31234d5e50f618ae678c6c4f7c58c6e345dd4f83dcaff7078cfe9199e7ecce93911ab23fd34a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFDD.tmp
MD5
79717f4386696d486406f77cc6724694

SHA1
496c4758df71a9c7c5ccc87c7c375df989730f57

SHA256
07e41174d7abb9ae5d7824f1c3b3cf44c9e2c5bde141cc6ab756a1975c95edd7

SHA512
4a7f290be0c9fbc8b0614f1e9179b0030cdf9ad523bf57492d34b967416f7a7ce22ed50fd03ba2ebcd34b1d2974aef9ff2e394e883778c2439fd098f9752df63

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4h35k0y\f4h35k0y.dll
MD5
401f4acdca1a76f635a984a5c734f617

SHA1
bcce8efc5696bdb724f21e091c1836155631a824

SHA256
fc90976e038a4fca375e6964549685a16cbd593c41553d5b126ece576ffd76b2

SHA512
b40a450ab80b5b0aeff9d4ea8790142cfa434449751e4cf66b2b81755219c21d20d29a45123097c8bbae1130f785266187cb742610de856ea97bffceaeb7ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4h35k0y\f4h35k0y.pdb
MD5
f97dfe8ee028b8ee2f828d4545305057

SHA1
168015ab0131e1f7e85d0be1f91188e0882b7469

SHA256
7e2788c07ffe4f66cfd4ceed2b470de67fe08ac3a61978f7f708bdcdca28dccc

SHA512
1640ec4ff34963aa3a35c56ca8db0c1450871deb8ae20934025885663830b3747990f74a045adfac4ed0afa5095c361d19950291e89c94d62373674b57fa0f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gudkpvdp\gudkpvdp.dll
MD5
76424ba5729d360e5ba740f3757b9c2f

SHA1
382596664eca8db3ce3efad11eaaf3b66e9b016a

SHA256
9fb395d336c373e3efaea5375f3d1c2d8b888ed6272f41b5c138f85112bea684

SHA512
1a2599e6162a813ffd27c0caf045f435502a021aaa642cdfd3a32d3499dc27851410c421caada569f677b716dc8c334fae43faf8f423a4abf21d84565a08ced5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gudkpvdp\gudkpvdp.pdb
MD5
d6cc161348fbb95c6c50323fcb3ab362

SHA1
5cf4729a37be4d650bbcc9406e2311f6a9f224ba

SHA256
872dcbd324f86d8844f98fb4d23129119a32fc335476bff8944adcdd07d49cda

SHA512
5c182dc023749bcec08d28dc57875c7e57acffdbab75a54731f4aa934252c98d94ef012a83f8a399b929e8138d8d9ebe68024a9e5714f08133188b7fcb1490a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4eslaf3\h4eslaf3.dll
MD5
2f87ac2ebb3e65afb77e16967744389a

SHA1
aa8d96eca5a510d471b7cda406e7d5363d5c25f7

SHA256
fe7084ea2da37fac12c42a604cf405522823d6e123fbd7efc8e4a84fe81a8ab5

SHA512
fae199a9e069ea463d63ba80ffd634c9c97f2e2cdac03d682fcdcf8c0687a0df28d2a9ae89a60abf5178e92f409ec1992a17d99a330c84ba4079f57f9f7a2ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4eslaf3\h4eslaf3.pdb
MD5
228290e9456637dad70ab6922f90b6fc

SHA1
423f21908558075883a8746b92c00d50cfe9909a

SHA256
1177f39d1717220259273495f3183d67e17bd627e2c617e68799de31df08b03d

SHA512
d7e01adafe0aa48e99f01ff3d20df6610de7d113072df7ab5f1e7e4ffb3cdb5624d6a2fec2a7c33dcc8c1f8ebf3e64e41c5f8894112200d4f0452a5e224d8463

Download Submit
C:\Users\Admin\AppData\Local\Temp\zefazsk3\zefazsk3.dll
MD5
8eb2edfbe4f9d5177c848f0a3a3324d9

SHA1
4937f2656082c1cccd45b8298b43e3c8bfeff612

SHA256
477f5ccfa08303aa5a3dcdb4a9c3e48086521417ff3a6abbca6480db22efd07c

SHA512
103cdfc9edab70e74caee7c2a16b853e6c8bc55fe21e80b7c455b46abfc3ad4642fa3867ba6561cb4778063042990aaa66115147cfb208395347c8b7389dd6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zefazsk3\zefazsk3.pdb
MD5
5a9df3de1c3ef22626ee78a1bdba890b

SHA1
6bca1dbff4fd0c84b1ff1e5d47ebd2d221f08977

SHA256
081f6ab1ce36ab8779875c0e264794bc0e332cf918f4e0297c9b0630ddc83d8e

SHA512
209ead70db2fa945bc6c22d96d5be2be4d9ddb1cf1a9bc559bbf737f9f64a515826de1dd851c1960a485ed16831567ad8597d885b3ecfba4bfeb23cd4d716268

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4h35k0y\CSCB665337C567548FEAF6DC259434D9A89.TMP
MD5
21ad3a835c001207bc92366ae8be3162

SHA1
73ed94c54c6b66d97c1a1b6c2e44f63406d70904

SHA256
f746c933b89063561b84b313e773d4b16f493912f951897fb72207c3ddaccfa2

SHA512
7f676321b902def58f7c880421adf374cb4ec9c7bde1cd591976000f8ad92291bb56894e706e3f2d014881bee57789c80c8382fed493507556574b4d88807c4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4h35k0y\f4h35k0y.0.cs
MD5
2dbe2b48da83e52d529e2346cf56c27f

SHA1
71c8aa93451ac06353361b862692b7474632913b

SHA256
430ed654e25d1b9f789774fcc4343389cc196e231e3811f94ea3ef7fa2b2d9eb

SHA512
952c7be687a378759dc198f79350ca5e821231decc6cb9695a39a1fdf6bd09fd46509803242dd79fc6f2d862fde4040b3513f55b3d33a2263d5127e5447c80e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4h35k0y\f4h35k0y.cmdline
MD5
c702bf7784de215cb11ffe9efda30fd0

SHA1
00a25c2862b3ff9349fabfaac978ef2c3a9c4d26

SHA256
c2b8779b481c08f894b85561363355048dd0baef11fcec59f11e6a92170a9e35

SHA512
43fae2ce5c3c01c148bed4857c98b28fa7120d821f7422f87bb7da8dc2744e01f82072b7a193fe4ceb7d14704158743c800b131dc53bd857b12f5a80169eb069

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudkpvdp\CSCF0A8E9B8292242F78D48F7D56A377E18.TMP
MD5
dd23dad1d18381be3c9423c29f6aac90

SHA1
54bc2667a3b1fee29acf12113c5cd0e3d76bb822

SHA256
ab5091cc264868a9f5b55c8747747f59bf5df419f2d3bb59ef56cf7943c96e77

SHA512
bbcad34f3e17285370a24b0158a1abca6f417dc99e645155a013bbcfcd1e29306fd50caf996d71fea64c162f15b4cbe9063d5ec36e44f8c4b2d3b50de17b04b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudkpvdp\gudkpvdp.0.cs
MD5
2dbe2b48da83e52d529e2346cf56c27f

SHA1
71c8aa93451ac06353361b862692b7474632913b

SHA256
430ed654e25d1b9f789774fcc4343389cc196e231e3811f94ea3ef7fa2b2d9eb

SHA512
952c7be687a378759dc198f79350ca5e821231decc6cb9695a39a1fdf6bd09fd46509803242dd79fc6f2d862fde4040b3513f55b3d33a2263d5127e5447c80e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gudkpvdp\gudkpvdp.cmdline
MD5
fe94ed4d4fc2c45e7cfe75fd56e35906

SHA1
fbb7121d04da5e0480b84e72b22181bbcedc8565

SHA256
b82b17be69c8829f6b71119d2643fd7e2593e9a774ca36cbe9ea22043a36dec4

SHA512
02c455e28b359722d49f2f7480c5e44955beb5749b2688564d5496e5713679fa3b6f0fce8d8b0d3fd455cbb03ec5761a7c887d9ead5f75753c881b7e8a6546ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4eslaf3\CSCAF9006676F84DE794FAFDA35F32CB3.TMP
MD5
7f0ed4857a4ec16c7f7057a36d8e0b3e

SHA1
e6d967fb4e0a9fda569d9d08f8e942935442309f

SHA256
0c6e669889aab8daad56091f19db115c511dcfdbf7e21e21a0a00b459d25ba6f

SHA512
875b8d085bf5d7347a48e4b9e7c14a6685a87899b119ed0b7cd889e9ffec3008d41baa77412cbbba917a2a196d791bc9e93ed7f08954b37b2c2562ddd3c8f2e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4eslaf3\h4eslaf3.0.cs
MD5
2dbe2b48da83e52d529e2346cf56c27f

SHA1
71c8aa93451ac06353361b862692b7474632913b

SHA256
430ed654e25d1b9f789774fcc4343389cc196e231e3811f94ea3ef7fa2b2d9eb

SHA512
952c7be687a378759dc198f79350ca5e821231decc6cb9695a39a1fdf6bd09fd46509803242dd79fc6f2d862fde4040b3513f55b3d33a2263d5127e5447c80e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4eslaf3\h4eslaf3.cmdline
MD5
5be93a638d08794f97d3dc280e85857e

SHA1
155ab4b7b849adbaa9f15eb7cdd98a5cf84abbc8

SHA256
6ba727d7281364f0de31b9f572fd3444783f8c17f6d7055bc1118fe5b1f4e995

SHA512
1e6387bb0dc7be374403b1a00fff5e00309c45f5c67384ec619ee2f8e6527af6759e3847579b3b5968a992620b7defc524c85961b3a83af165c2cdcfcebfa433

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zefazsk3\CSC7C666C2CDFB744F4ADCFF61C94EF28B.TMP
MD5
25c3d8fb0418904341298f146e18addc

SHA1
22b74bde9a1fc91cece334b3fa186546eb5075bb

SHA256
76802eb5b4f5ddde3a62f90dbe944cff8a177ac9634d8579f18a7b0459404412

SHA512
600b286a82f3d68c776aa1e39e85d14fd1c8b85eda419fe6efaecad3781ebdce8269f97042bf02decc82d8473cde0c4aac6366e841eb4510ce44dc129ba05383

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zefazsk3\zefazsk3.0.cs
MD5
2dbe2b48da83e52d529e2346cf56c27f

SHA1
71c8aa93451ac06353361b862692b7474632913b

SHA256
430ed654e25d1b9f789774fcc4343389cc196e231e3811f94ea3ef7fa2b2d9eb

SHA512
952c7be687a378759dc198f79350ca5e821231decc6cb9695a39a1fdf6bd09fd46509803242dd79fc6f2d862fde4040b3513f55b3d33a2263d5127e5447c80e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zefazsk3\zefazsk3.cmdline
MD5
78e27141e1b05b1fd3759a30ff8dc191

SHA1
e1bca50634574855a8ee9f7202ef448d8aa77d74

SHA256
584564908270e8e9a120725861a2e1824c31122fe8f97ef5f3f188a02c53491d

SHA512
639e1445e8328ddd9da969433099ee5346f0f2b1e8f1f1c03e4227f9eb43e894d5b8695162e4109216c36fd15642afd49402f3a9ed4d2a1b31ca21951b0d368d

Download Submit
memory/548-100-0x0000000000000000-mapping.dmp

Download
memory/600-46-0x0000000000000000-mapping.dmp

Download
memory/624-103-0x0000000000000000-mapping.dmp

Download
memory/892-21-0x0000000000000000-mapping.dmp

Download
memory/964-73-0x0000000000000000-mapping.dmp

Download
memory/1060-84-0x0000000000000000-mapping.dmp

Download
memory/1060-85-0x0000000003010000-0x000000000346C000-memory.dmp

Filesize
4.4MB

Download
memory/1060-86-0x0000000003010000-0x000000000346C000-memory.dmp

Filesize
4.4MB

Download
memory/1084-18-0x0000000000000000-mapping.dmp

Download
memory/1112-27-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1112-32-0x0000000002F00000-0x000000000335C000-memory.dmp

Filesize
4.4MB

Download
memory/1112-31-0x0000000002F00000-0x000000000335C000-memory.dmp

Filesize
4.4MB

Download
memory/1112-29-0x0000000000000000-mapping.dmp

Download
memory/1112-28-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1132-49-0x0000000000000000-mapping.dmp

Download
memory/1176-81-0x0000000000940000-0x0000000000943000-memory.dmp

Filesize
12KB

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1176-61-0x000007FEF4B20000-0x000007FEF550C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-62-0x000000013F7B0000-0x000000013F7B1000-memory.dmp

Filesize
4KB

Download
memory/1184-41-0x000000001B370000-0x000000001B371000-memory.dmp

Filesize
4KB

Download
memory/1184-42-0x000000001BC60000-0x000000001BC61000-memory.dmp

Filesize
4KB

Download
memory/1184-34-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp

Filesize
9.9MB

Download
memory/1184-36-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1184-35-0x000000013F0B0000-0x000000013F0B1000-memory.dmp

Filesize
4KB

Download
memory/1184-33-0x0000000000000000-mapping.dmp

Download
memory/1184-54-0x00000000008E0000-0x00000000008E3000-memory.dmp

Filesize
12KB

Download
memory/1184-37-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1184-39-0x000000001C7B0000-0x000000001C7B1000-memory.dmp

Filesize
4KB

Download
memory/1184-40-0x000000001CD90000-0x000000001CD91000-memory.dmp

Filesize
4KB

Download
memory/1184-45-0x000000001CEC0000-0x000000001CEC1000-memory.dmp

Filesize
4KB

Download
memory/1184-44-0x000000001C7B0000-0x000000001C7B1000-memory.dmp

Filesize
4KB

Download
memory/1460-30-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

Filesize
2.5MB

Download
memory/1548-0-0x0000000000000000-mapping.dmp

Download
memory/1664-59-0x0000000002E60000-0x00000000032BC000-memory.dmp

Filesize
4.4MB

Download
memory/1664-58-0x0000000002E60000-0x00000000032BC000-memory.dmp

Filesize
4.4MB

Download
memory/1664-57-0x0000000000000000-mapping.dmp

Download
memory/1680-112-0x0000000002FF0000-0x000000000344C000-memory.dmp

Filesize
4.4MB

Download
memory/1680-113-0x0000000002FF0000-0x000000000344C000-memory.dmp

Filesize
4.4MB

Download
memory/1680-111-0x0000000000000000-mapping.dmp

Download
memory/1716-108-0x00000000009D0000-0x00000000009D3000-memory.dmp

Filesize
12KB

Download
memory/1716-88-0x000007FEF4130000-0x000007FEF4B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-89-0x000000013FBB0000-0x000000013FBB1000-memory.dmp

Filesize
4KB

Download
memory/1716-87-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000000000000-mapping.dmp

Download
memory/1960-1-0x000000000A7D0000-0x000000000A7D4000-memory.dmp

Filesize
16KB

Download
memory/1960-3-0x00000000005FF000-0x0000000000620000-memory.dmp

Filesize
132KB

Download
memory/1960-4-0x0000000006AD0000-0x0000000006AD2000-memory.dmp

Filesize
8KB

Download
memory/1960-2-0x00000000005FF000-0x0000000000620000-memory.dmp

Filesize
132KB

Download
memory/2008-9-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/2008-7-0x000000013F530000-0x000000013F531000-memory.dmp

Filesize
4KB

Download
memory/2008-6-0x000007FEF4A60000-0x000007FEF544C000-memory.dmp

Filesize
9.9MB

Download
memory/2008-5-0x0000000000000000-mapping.dmp

Download
memory/2008-8-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2008-17-0x000000001CEB0000-0x000000001CEB1000-memory.dmp

Filesize
4KB

Download
memory/2008-11-0x000000001C300000-0x000000001C301000-memory.dmp

Filesize
4KB

Download
memory/2008-26-0x00000000006D0000-0x00000000006D3000-memory.dmp

Filesize
12KB

Download
memory/2008-12-0x000000001CD80000-0x000000001CD81000-memory.dmp

Filesize
4KB

Download
memory/2008-13-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2008-14-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2008-15-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2008-16-0x000000001C300000-0x000000001C301000-memory.dmp

Filesize
4KB

Download