cobaltstrike | bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-06-2022 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Size

6.3MB
MD5

1519311bb7f672fd407d30f8dfa11717
SHA1

4cddd8e4123f28b4acfdad06af3197238b97d3bb
SHA256

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e
SHA512

403f52efe0cf16408400091997d8354c09c3931829b78822bea7a93e689cff6478790c2828b6d850ee7ce9a2cbcffea045dacfda352329a96dcbe6d3059c1eb0

Score

10^/10

cobaltstrike 1 backdoor suricata trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://oa.shfe.tk:2053/download/jquery-3.3.1.slim.min.js/3

Attributes

access_type
512
beacon_type
2048
host
oa.shfe.tk,/download/jquery-3.3.1.slim.min.js/3
http_header1
AAAAEAAAABFIb3N0OiB3d3cuc2hmZS50awAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABFIb3N0OiB3d3cuc2hmZS50awAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAoAAABHQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
2053
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSxvLGOfCLYSdegye7emv/rBkydlvUzd1J9K8kb59Wgs5q0yP/pkDpagevO7rwN5BY6Hei/Dxb6td3ANMzc217zApkp17E6ch/LaFAnP6WaAyOdA2HmziFjZc2YlC8BpyoUd1Fb/X1lmkqDIxx0hxYdtyGxxcssKeDLjI6UWMeVwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.702512128e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/download/jquery-3.3.1.slim.min.js/4
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
suricata

Loads dropped DLL 25 IoCs

Processes:

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

pid	process
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1968 WINWORD.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

WINWORD.EXE

pid process

1968 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

pid process

1044 bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

description pid process

Token: 35 1044 bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1968 WINWORD.EXE
1968 WINWORD.EXE

pid	process
1968	WINWORD.EXE

pid	process
1968	WINWORD.EXE

description	pid	process
Token: 35	1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe

pid	process
1968	WINWORD.EXE
1968	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exebc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.execmd.exeWINWORD.EXE

description	pid	process	target process
PID 1672 wrote to memory of 1044	1672	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
PID 1672 wrote to memory of 1044	1672	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
PID 1672 wrote to memory of 1044	1672	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
PID 1044 wrote to memory of 2008	1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	cmd.exe
PID 1044 wrote to memory of 2008	1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	cmd.exe
PID 1044 wrote to memory of 2008	1044	bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe	cmd.exe
PID 2008 wrote to memory of 1968	2008	cmd.exe	WINWORD.EXE
PID 2008 wrote to memory of 1968	2008	cmd.exe	WINWORD.EXE
PID 2008 wrote to memory of 1968	2008	cmd.exe	WINWORD.EXE
PID 2008 wrote to memory of 1968	2008	cmd.exe	WINWORD.EXE
PID 1968 wrote to memory of 1472	1968	WINWORD.EXE	splwow64.exe
PID 1968 wrote to memory of 1472	1968	WINWORD.EXE	splwow64.exe
PID 1968 wrote to memory of 1472	1968	WINWORD.EXE	splwow64.exe
PID 1968 wrote to memory of 1472	1968	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
"C:\Users\Admin\AppData\Local\Temp\bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe
"C:\Users\Admin\AppData\Local\Temp\bc37c01615f39bfaa06017a02e71d24c5aa4bb0159604230ff8ab325f29e685e.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "..\..\..\asd2-13z5-zz54-348.docx"
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\asd2-13z5-zz54-348.docx"
4⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
5⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16722\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_bz2.pyd
Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_hashlib.pyd
Filesize
38KB

MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_lzma.pyd
Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_socket.pyd
Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\_ssl.pyd
Filesize
120KB

MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-conio-l1-1-0.dll
Filesize
19KB

MD5
84a950e3c162d67f98516bb1744139e0

SHA1
05ff2fe60c5748c33ba8605aaf609b3bdfe2772f

SHA256
91f4db05c69c58ecb2493e30acc5297043c41b1ce6db50cee4e2922cd4bcd7f2

SHA512
7328c6a512d450f2538efeabf3f467489a898ed7c1d45c1952b98d118d898083510c9849182bc425411a408c113a351a28b41bedeb5b8de61427144b3fa87c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-convert-l1-1-0.dll
Filesize
22KB

MD5
d749afffa2b3be4b2a9edac50c20b28b

SHA1
972253ed12c344b85290f7b3d5f9608a7f7b0670

SHA256
e64fbac3491b4693e79a3f7b0db1d788f93608d3fc82133edf25a868c80d2153

SHA512
4447b6960a6c178f7c37dbd38e9aec24ba5a0c58e19afcfaa2b70dca7d7bbe87ad7aa1ac9d48ab9b56b1f375768d4c4cb28d5afcf714102f9757faa2b3e728d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-environment-l1-1-0.dll
Filesize
19KB

MD5
7a2874fe036f7dc86ed5f712adaa38e6

SHA1
440f2dc5379ceee35d29571c195dc7a76e8b70e7

SHA256
dd054e4de84144c2130fa8d28d563252a7c4089a58872e49d63bc43c9a1a3cb8

SHA512
d20811025f714b5fd3754d607422f4fb5cd6c456ffceef139edcb0cfaacd9b63a694ce2ea737db78385f0b23ddcfc283282a319b79e7a0e4bd50034e87aacb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
20KB

MD5
73e14d927d075ca273b3237116351e8f

SHA1
0c15cea3c83c7f7e692dc6f8bd856b615c727d49

SHA256
966a7f15bfb2e0ff7888d583638ebd675d8f46b264194cf332f78140b7c129e1

SHA512
664f72d7adf48f8499321f8a5df952c6043532aae09bae9ffbd59da77b161cd43211a3aaef1ba85529dfe00498d1ac3a933a7c9cf437095c6a337c9bc0816b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-heap-l1-1-0.dll
Filesize
19KB

MD5
01370c79ebabd534e7b58d35072d2866

SHA1
8cd0cd21ff838a2a314246def4bd858bab184a5d

SHA256
742bb9bf4c232f84ad8008af4af8eda7a1ec3eb76f05d9d7ebb95f6a5cabd2d8

SHA512
b07d9634ac804b476d61b6a0fc87894947e88744cc3eecf7d68ede3714acd938fae14452e43f9110919b8f8f9f5d4222e9de2ca97a915dd07b3231d674729761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-locale-l1-1-0.dll
Filesize
19KB

MD5
bacb72fa56de18d5ac63e4a0a3fe768f

SHA1
7db19efe649d30337781afd62616c0549255046e

SHA256
25905676b543c4f05e9dae135f929c03a57686a6941ce59be2b3450521feb943

SHA512
78d82962c11e5928e77c5bd0377ecb6b00c2eca242d637f76e68fbf907bce7381f3a5294100d055c30f6e2aee164db0b95dcf0c0c77e39edcec4a046cfc63ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-math-l1-1-0.dll
Filesize
27KB

MD5
85893a96a568ba9781f50f876ed303cd

SHA1
fb7473bc5b1e88e978b7e5664b45d69770c8f4fa

SHA256
08e34f12de24e89379a0533f21a23ce6fecbea05d4062796d4ffd4adc3012316

SHA512
864fa39423b8ca9c43fa177aca1484ec2ffae4868a434e7a8016efe88f396b67fb8ca3766f611de7218e9983653a8b7b88b07c2591b252dd93a0d9638980e7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-process-l1-1-0.dll
Filesize
19KB

MD5
9ee275466394a2088d7dfbbc0c716671

SHA1
4d2f94674587251c60805889395ab7377e8c5e17

SHA256
c68a61c260454c0aeb051ddb2bed52cbca44b96d50046017cbc351b41f225dc0

SHA512
996212d07b0b6e55f54e17d6a053f017b1fd00f50906db9de25b8ae5632eeac9c197e91db1c293e7abf0e8b823937cb18e26f43e166f76c02a6914c9776a72b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
23KB

MD5
55b80c522731ecb92914bf9cded028c2

SHA1
424c61bc659caf04281959ede1b1f03b703934ed

SHA256
4c787ff8d40bb803e75fe6218fec36a672cfa6cfc7f6e80e68a7eb0b77a10e5a

SHA512
3779b530c7dba624369cb0f5d15154d89547adc3c4c7cc0571f1e8326588165098b9b5768d0052ecf1ea4f2dc84ae7dcf4712e3bc9ebdadb5fca4b0f4de43812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
24KB

MD5
4614d03a94d46c0e9d1c5d96a3fe1d78

SHA1
cacb73ca3c7e31a4b8f749854060b7a422497050

SHA256
c7919be431ce2fa1906ff9eeb19e4cb19a30a4680107ef8737ce894654b21a5a

SHA512
4f30e8c5893662d7889a049c206b08559ad1a34eb7927be313086d6dae40dca3571de3852dba2ad9324e028fa86e8a391a58ec48ba5dbd5c4a88660ffe8b30df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-string-l1-1-0.dll
Filesize
24KB

MD5
7a2799f4bc45505e7104e06dc8e254f8

SHA1
323bc35e0101b351a4abde1fce698520832518a8

SHA256
92f72f495a6897f7d7cf2c2064b2b65f6b4fbd4f30911a534a5cd0de73395ebe

SHA512
2627da183779f17fcc9709a6da2e2916a296f61124adb9bf563c80d723ada9b769806cab8fbc4ed916f54fd4cde18f25e7ad53ed6c75e7e61fdef37c2f1ec9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-time-l1-1-0.dll
Filesize
21KB

MD5
38b633f132f8e2b3abc268537fa415ec

SHA1
ccccb8c3e31dce7b6b952022d245c11ff3ae8122

SHA256
46cb7b3a9f8aac5adcdbe23494e458f3195adf4b8ed1c71f2d934ddde651e57e

SHA512
23bd77d61c20b1af7f13b5bcbeb9fa74ee807f809bb3d4dd40c7709ca4870078fa6e8e94eefc83a725c0245c0ce02e3adbd4f370d6b986f0c9442ccbc2c2ab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-utility-l1-1-0.dll
Filesize
19KB

MD5
5cde35104a68606913af6e5bd3b1adea

SHA1
f1f28141585c000753ab4db9ffc61f90929d4a1a

SHA256
111f6dd2e7247071a33d75bf98d521a8d09c4071f90483a82e6ed9af69bb52c4

SHA512
caa5f80ac380a6e0242104f297fbfe6091260d743ef967fb1010720dbcba2a575baf8cb1f666b11fe780428d71a04767e2cc63d1bd9638d5f1af1063e3f43f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\base_library.zip
Filesize
759KB

MD5
abe36d1d1b98e5b392acea5dfe42dc7e

SHA1
446b8c98a19156f8174f4ae3e629ac7fcdacd094

SHA256
b7e438ae429320e23e65667f1017347c34312609ddb972a88cbc295a26f9885d

SHA512
9babd20c6cdebdcec6839f8e26051336ff73c88487795d22c516b24c188e0012aea5491406192f8a0f4b5116e7c89e26672500f7972c2fb00cdbb02836f278a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\libcrypto-1_1-x64.dll
Filesize
2.4MB

MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\libssl-1_1-x64.dll
Filesize
517KB

MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\main.cp37-win_amd64.pyd
Filesize
111KB

MD5
8fcb582b5ddec4bcc706cb73c8bc52b7

SHA1
a248c79657e676d14769cd6b4cf0b0c2c09afba7

SHA256
7f69a0f922f6ff15a25bcd0f2df6b46ea89632e163223c7b5587dd10214ababe

SHA512
600dbfda799fa7b1984201eb6f5ca77db3c0ea72a07fc545360e53d6b63e08b3abec7c32eb2c5cdbea92be623139240e1b4047f5aed85b3c002ab17a441420b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16722\select.pyd
Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\asd2-13z5-zz54-348.docx
Filesize
9KB

MD5
fd69b615c5b97f8d0b314d54ed49d283

SHA1
7fea8fcea15d1b831da71033b635c4c12dac4599

SHA256
48817d92087ca991df1a9d37d5c22bd703de4d15f9b4b0c66621652bc73adafa

SHA512
0e2862d0932000c6ff8b15b12b67be57ea1311b10deb5c4d10d84f6fd24cee3c4789e75a3db2a72545bee4efc27f584d2eba729a639ff2a428a03800a982d407

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_bz2.pyd
Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_ctypes.pyd
Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_hashlib.pyd
Filesize
38KB

MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_lzma.pyd
Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_socket.pyd
Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\_ssl.pyd
Filesize
120KB

MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-conio-l1-1-0.dll
Filesize
19KB

MD5
84a950e3c162d67f98516bb1744139e0

SHA1
05ff2fe60c5748c33ba8605aaf609b3bdfe2772f

SHA256
91f4db05c69c58ecb2493e30acc5297043c41b1ce6db50cee4e2922cd4bcd7f2

SHA512
7328c6a512d450f2538efeabf3f467489a898ed7c1d45c1952b98d118d898083510c9849182bc425411a408c113a351a28b41bedeb5b8de61427144b3fa87c80

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-convert-l1-1-0.dll
Filesize
22KB

MD5
d749afffa2b3be4b2a9edac50c20b28b

SHA1
972253ed12c344b85290f7b3d5f9608a7f7b0670

SHA256
e64fbac3491b4693e79a3f7b0db1d788f93608d3fc82133edf25a868c80d2153

SHA512
4447b6960a6c178f7c37dbd38e9aec24ba5a0c58e19afcfaa2b70dca7d7bbe87ad7aa1ac9d48ab9b56b1f375768d4c4cb28d5afcf714102f9757faa2b3e728d9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-environment-l1-1-0.dll
Filesize
19KB

MD5
7a2874fe036f7dc86ed5f712adaa38e6

SHA1
440f2dc5379ceee35d29571c195dc7a76e8b70e7

SHA256
dd054e4de84144c2130fa8d28d563252a7c4089a58872e49d63bc43c9a1a3cb8

SHA512
d20811025f714b5fd3754d607422f4fb5cd6c456ffceef139edcb0cfaacd9b63a694ce2ea737db78385f0b23ddcfc283282a319b79e7a0e4bd50034e87aacb9a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
20KB

MD5
73e14d927d075ca273b3237116351e8f

SHA1
0c15cea3c83c7f7e692dc6f8bd856b615c727d49

SHA256
966a7f15bfb2e0ff7888d583638ebd675d8f46b264194cf332f78140b7c129e1

SHA512
664f72d7adf48f8499321f8a5df952c6043532aae09bae9ffbd59da77b161cd43211a3aaef1ba85529dfe00498d1ac3a933a7c9cf437095c6a337c9bc0816b3f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-heap-l1-1-0.dll
Filesize
19KB

MD5
01370c79ebabd534e7b58d35072d2866

SHA1
8cd0cd21ff838a2a314246def4bd858bab184a5d

SHA256
742bb9bf4c232f84ad8008af4af8eda7a1ec3eb76f05d9d7ebb95f6a5cabd2d8

SHA512
b07d9634ac804b476d61b6a0fc87894947e88744cc3eecf7d68ede3714acd938fae14452e43f9110919b8f8f9f5d4222e9de2ca97a915dd07b3231d674729761

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-locale-l1-1-0.dll
Filesize
19KB

MD5
bacb72fa56de18d5ac63e4a0a3fe768f

SHA1
7db19efe649d30337781afd62616c0549255046e

SHA256
25905676b543c4f05e9dae135f929c03a57686a6941ce59be2b3450521feb943

SHA512
78d82962c11e5928e77c5bd0377ecb6b00c2eca242d637f76e68fbf907bce7381f3a5294100d055c30f6e2aee164db0b95dcf0c0c77e39edcec4a046cfc63ed4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-math-l1-1-0.dll
Filesize
27KB

MD5
85893a96a568ba9781f50f876ed303cd

SHA1
fb7473bc5b1e88e978b7e5664b45d69770c8f4fa

SHA256
08e34f12de24e89379a0533f21a23ce6fecbea05d4062796d4ffd4adc3012316

SHA512
864fa39423b8ca9c43fa177aca1484ec2ffae4868a434e7a8016efe88f396b67fb8ca3766f611de7218e9983653a8b7b88b07c2591b252dd93a0d9638980e7ff

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-process-l1-1-0.dll
Filesize
19KB

MD5
9ee275466394a2088d7dfbbc0c716671

SHA1
4d2f94674587251c60805889395ab7377e8c5e17

SHA256
c68a61c260454c0aeb051ddb2bed52cbca44b96d50046017cbc351b41f225dc0

SHA512
996212d07b0b6e55f54e17d6a053f017b1fd00f50906db9de25b8ae5632eeac9c197e91db1c293e7abf0e8b823937cb18e26f43e166f76c02a6914c9776a72b3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
23KB

MD5
55b80c522731ecb92914bf9cded028c2

SHA1
424c61bc659caf04281959ede1b1f03b703934ed

SHA256
4c787ff8d40bb803e75fe6218fec36a672cfa6cfc7f6e80e68a7eb0b77a10e5a

SHA512
3779b530c7dba624369cb0f5d15154d89547adc3c4c7cc0571f1e8326588165098b9b5768d0052ecf1ea4f2dc84ae7dcf4712e3bc9ebdadb5fca4b0f4de43812

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
24KB

MD5
4614d03a94d46c0e9d1c5d96a3fe1d78

SHA1
cacb73ca3c7e31a4b8f749854060b7a422497050

SHA256
c7919be431ce2fa1906ff9eeb19e4cb19a30a4680107ef8737ce894654b21a5a

SHA512
4f30e8c5893662d7889a049c206b08559ad1a34eb7927be313086d6dae40dca3571de3852dba2ad9324e028fa86e8a391a58ec48ba5dbd5c4a88660ffe8b30df

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-string-l1-1-0.dll
Filesize
24KB

MD5
7a2799f4bc45505e7104e06dc8e254f8

SHA1
323bc35e0101b351a4abde1fce698520832518a8

SHA256
92f72f495a6897f7d7cf2c2064b2b65f6b4fbd4f30911a534a5cd0de73395ebe

SHA512
2627da183779f17fcc9709a6da2e2916a296f61124adb9bf563c80d723ada9b769806cab8fbc4ed916f54fd4cde18f25e7ad53ed6c75e7e61fdef37c2f1ec9b2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-time-l1-1-0.dll
Filesize
21KB

MD5
38b633f132f8e2b3abc268537fa415ec

SHA1
ccccb8c3e31dce7b6b952022d245c11ff3ae8122

SHA256
46cb7b3a9f8aac5adcdbe23494e458f3195adf4b8ed1c71f2d934ddde651e57e

SHA512
23bd77d61c20b1af7f13b5bcbeb9fa74ee807f809bb3d4dd40c7709ca4870078fa6e8e94eefc83a725c0245c0ce02e3adbd4f370d6b986f0c9442ccbc2c2ab96

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\api-ms-win-crt-utility-l1-1-0.dll
Filesize
19KB

MD5
5cde35104a68606913af6e5bd3b1adea

SHA1
f1f28141585c000753ab4db9ffc61f90929d4a1a

SHA256
111f6dd2e7247071a33d75bf98d521a8d09c4071f90483a82e6ed9af69bb52c4

SHA512
caa5f80ac380a6e0242104f297fbfe6091260d743ef967fb1010720dbcba2a575baf8cb1f666b11fe780428d71a04767e2cc63d1bd9638d5f1af1063e3f43f91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\libcrypto-1_1-x64.dll
Filesize
2.4MB

MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\libssl-1_1-x64.dll
Filesize
517KB

MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\main.cp37-win_amd64.pyd
Filesize
111KB

MD5
8fcb582b5ddec4bcc706cb73c8bc52b7

SHA1
a248c79657e676d14769cd6b4cf0b0c2c09afba7

SHA256
7f69a0f922f6ff15a25bcd0f2df6b46ea89632e163223c7b5587dd10214ababe

SHA512
600dbfda799fa7b1984201eb6f5ca77db3c0ea72a07fc545360e53d6b63e08b3abec7c32eb2c5cdbea92be623139240e1b4047f5aed85b3c002ab17a441420b6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\python37.dll
Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16722\select.pyd
Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
memory/1044-54-0x0000000000000000-mapping.dmp

Download
memory/1044-146-0x00000000042E0000-0x00000000046E0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-144-0x00000000046E0000-0x0000000004B52000-memory.dmp

Filesize
4.4MB

Download
memory/1044-143-0x00000000042E0000-0x00000000046E0000-memory.dmp

Filesize
4.0MB

Download
memory/1044-142-0x00000000046E0000-0x0000000004B52000-memory.dmp

Filesize
4.4MB

Download
memory/1472-139-0x0000000000000000-mapping.dmp

Download
memory/1968-134-0x00000000702A1000-0x00000000702A3000-memory.dmp

Filesize
8KB

Download
memory/1968-136-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1968-138-0x000000007128D000-0x0000000071298000-memory.dmp

Filesize
44KB

Download
memory/1968-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1968-133-0x0000000072821000-0x0000000072824000-memory.dmp

Filesize
12KB

Download
memory/1968-129-0x0000000000000000-mapping.dmp

Download
memory/1968-145-0x000000007128D000-0x0000000071298000-memory.dmp

Filesize
44KB

Download
memory/2008-88-0x0000000000000000-mapping.dmp

Download
memory/2008-95-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download