Malware Analysis Report

2024-08-06 07:53

Sample ID 231123-j2dapahd9v
Target 7597f8fe471d3b2efd251431e424c219d2eab873fde26113f29ad2bca94e041e
SHA256 7597f8fe471d3b2efd251431e424c219d2eab873fde26113f29ad2bca94e041e
Tags
cobaltstrike 1359593325 backdoor trojan 0 pdf link pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7597f8fe471d3b2efd251431e424c219d2eab873fde26113f29ad2bca94e041e

Threat Level: Known bad

The file 7597f8fe471d3b2efd251431e424c219d2eab873fde26113f29ad2bca94e041e was found to be: Known bad.

Editor's summary (drawn only from the detonations reported below). The submission is a job-application lure. The extracted folder is 求职材料 ("job application materials") with a sub-folder 附件材料 ("attachment materials"); together they hold a PDF, 教育部学籍在线验证报告.pdf ("Ministry of Education online student-status verification report"), a DLL named RfSbieDll.dll, an executable named Start.exe, and the main sample, 陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe ("Chen Tingting, Sun Yat-sen University, School of Public Health, M.Sc. in Epidemiology and Health Statistics.exe"). The main sample is a PyInstaller one-file executable: when run (behavioral7) it unpacks python34.dll, MSVCR100.dll, base_library.zip and 1qaz2wsx.exe.manifest into %TEMP%\_MEI24202 (so the bundled script was built as 1qaz2wsx against Python 3.4), re-spawns itself (PID 2420 writes into 1632, same image), then launches two cmd.exe /c commands: one opens a decoy 陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx in WINWORD.EXE, the other runs 附件材料\Start.exe. Start.exe (PID 2604) then maps a 0x104000-byte image at 0x000007FEF6EA0000, the same size as the image rundll32.exe mapped when it loaded RfSbieDll.dll directly in behavioral1 (0x000007FEF6640000-0x000007FEF6744000), which is consistent with Start.exe side-loading RfSbieDll.dll from the same folder. The Cobaltstrike signature in behavioral7 has no process column, so the report does not say in which process the beacon was detected.

Caveats when reading the signature tables. Nearly every row under "Modifies Internet Explorer settings" and "Modifies registry class", and the wiatrace.log write under "Drops file in Windows directory", is attributed to WINWORD.EXE and is Office 2010's own file-association registration triggered by opening the decoy: the hex values written to the ...\shell\edit\command\command entries decode as UTF-16LE Windows Installer "Darwin descriptor" strings for the WORDFiles and PubPrimary features, not payload activity. The in-addr.arpa lookups in behavioral6 are reverse-DNS queries made while Acrobat Reader opened the PDF on Windows 10. In behavioral7 the apps.identrust.com request and the Cab50D0.tmp / Tar5150.tmp files match CryptoAPI fetching certificate-chain data, which is also the likely origin of the "Modifies system certificate store" signature listed in the overview. The TLS connection to time.api.chinabm.cn (182.106.158.35:443) is the only network activity in behavioral7 not explained by Windows or Office behaviour; the report does not show what was exchanged.

Malicious Activity Summary

cobaltstrike 1359593325 backdoor trojan 0 pdf link pyinstaller

Cobaltstrike

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

One or more HTTP URLs in PDF identified

Enumerates physical storage devices

Detects Pyinstaller

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-11-23 08:09

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
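The "Detects Pyinstaller" signature fires on the CArchive cookie that the PyInstaller bootloader appends to a one-file executable; the python34.dll and 1qaz2wsx.exe.manifest unpacked in behavioral7 confirm the runtime version and the bundled script name. The Python below is an added example written for this page, not part of the sandbox report or of PyInstaller itself: it locates the cookie, reads the embedded table of contents and reports the Python version, the Python DLL name and the entry script. The input it parses by default is a constructed stand-in overlay assembled by build_sample (file names mirror behavioral7, the bytes are not the real sample); pass a real executable's path on the command line to parse that instead.

```python
import struct
import sys
from pathlib import Path

# Cookie the PyInstaller bootloader appends to a onefile executable (CArchive format)
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_V20 = struct.Struct("!8sIIII")      # PyInstaller 2.0: magic, pkg_len, toc_off, toc_len, pyver
COOKIE_V21 = struct.Struct("!8sIIII64s")   # PyInstaller 2.1+: the same plus the python DLL name
TOC_ENTRY = struct.Struct("!IIIIBc")        # entry_len, data_pos, compressed, uncompressed, flag, type
TYPE_CODES = {"s": "PYSOURCE", "b": "BINARY", "z": "PYZ", "m": "PYMODULE",
              "M": "PYPACKAGE", "x": "DATA", "Z": "ZIPFILE"}


def parse_pyinstaller(data: bytes):
    """Return cookie and TOC details for a PyInstaller onefile binary, or None if not packed."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0:
        return None
    # 2.1+ cookies carry the python library name straight after the four integers
    probe = data[pos + COOKIE_V20.size: pos + COOKIE_V21.size]
    if b"python" in probe.lower():
        _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE_V21.unpack_from(data, pos)
        cookie_size = COOKIE_V21.size
        pylib = pylib.rstrip(b"\x00").decode("latin-1")
    else:
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_V20.unpack_from(data, pos)
        cookie_size = COOKIE_V20.size
        pylib = ""
    # pkg_len covers the whole archive up to and including the cookie, so the
    # archive (the base for the TOC offset) starts this far back from the cookie end
    archive_start = pos + cookie_size - pkg_len
    if archive_start < 0 or archive_start + toc_off + toc_len > len(data):
        return None
    entries, off, end = [], archive_start + toc_off, archive_start + toc_off + toc_len
    while off + TOC_ENTRY.size <= end:
        entry_len, dpos, csize, usize, flag, etype = TOC_ENTRY.unpack_from(data, off)
        if entry_len < TOC_ENTRY.size:
            break
        name = data[off + TOC_ENTRY.size: off + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        code = etype.decode("latin-1")
        entries.append({"name": name, "type": TYPE_CODES.get(code, code),
                        "pos": archive_start + dpos, "compressed": csize,
                        "uncompressed": usize, "zlib": bool(flag)})
        off += entry_len
    # pyver is written as e.g. 27, 34 or, from 3.10 on, 310
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"python_version": (major, minor), "pylib": pylib,
            "archive_start": archive_start, "entries": entries,
            "scripts": [e["name"] for e in entries if e["type"] == "PYSOURCE"]}


def _toc_entry(name: str, etype: bytes, dpos: int, csize: int, usize: int) -> bytes:
    raw = name.encode() + b"\x00"
    return TOC_ENTRY.pack(TOC_ENTRY.size + len(raw), dpos, csize, usize, 1, etype) + raw


def build_sample() -> bytes:
    """Constructed stand-in for a 2.1+ onefile overlay (not the real sample's bytes)."""
    pe_stub = b"MZ" + b"\x00" * 62                       # placeholder for the real PE image
    payload = b"\x78\x9c" + b"\x00" * 30                 # placeholder for the compressed entries
    toc = (_toc_entry("1qaz2wsx", b"s", 0, 32, 128)       # the bundled entry script
           + _toc_entry("python34.dll", b"b", 0, 32, 4096)
           + _toc_entry("base_library.zip", b"z", 0, 32, 512))
    body = payload + toc
    cookie = COOKIE_V21.pack(PYINST_MAGIC, len(body) + COOKIE_V21.size,
                             len(payload), len(toc), 34, b"python34.dll".ljust(64, b"\x00"))
    return pe_stub + body + cookie


if __name__ == "__main__":
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample()
    info = parse_pyinstaller(blob)
    if info is None:
        print("no PyInstaller cookie found")
    else:
        print("Python %d.%d  lib=%s  archive@0x%x"
              % (*info["python_version"], info["pylib"], info["archive_start"]))
        for e in info["entries"]:
            print("  %-10s %s" % (e["type"], e["name"]))
```

The PYSOURCE entry is the name the author gave the script at build time, which is why the bootloader writes a 1qaz2wsx.exe.manifest next to the runtime DLLs; once the TOC is known, the entries can be carved at their recorded offsets and, where the flag is set, zlib-decompressed for further analysis.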

One or more HTTP URLs in PDF identified

pdf link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win7-20231023-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\RfSbieDll.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\RfSbieDll.dll,#1

Network

N/A

Files

memory/2224-0-0x000007FEF6640000-0x000007FEF6744000-memory.dmp

memory/2224-4-0x0000000000160000-0x0000000000182000-memory.dmp

memory/2224-5-0x000007FEF6640000-0x000007FEF6744000-memory.dmp

memory/2224-7-0x000007FEF6640000-0x000007FEF6744000-memory.dmp

memory/2224-16-0x000007FEF6640000-0x000007FEF6744000-memory.dmp

memory/2224-15-0x0000000000160000-0x0000000000182000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win7-20231020-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\教育部学籍在线验证报告.pdf"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\教育部学籍在线验证报告.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e757ac7a19921f573c947ad697eca9d5
SHA1 262b9757469d2d9c44298f555d94baaff534a329
SHA256 ef4a674304d07f5dfa72c917663c40605c62aba7cb16c35e8639fd83698b8388
SHA512 f3aee342d9a0352c283bb281f418547b02c31be47238b8707b2b855594e6053909bf21c97675e3cf128ff879ba12e9c5a36fbe36fed9683588f1cccc20654ebf

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\教育部学籍在线验证报告.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\教育部学籍在线验证报告.pdf"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 147.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win7-20231023-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 2420 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 2420 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 2420 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 1632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 2704 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 2704 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 2704 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 2688 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2688 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2688 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2688 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 484 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 484 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 484 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 484 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288
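Two of the behavioral7 tables above are easier to read after light post-processing. The "Set value (data)" rows under "Modifies Internet Explorer settings" and "Modifies registry class" store the written value as the hex of a UTF-16LE string, and the "Suspicious use of WriteProcessMemory" rows (each repeated four times, one per call) are really the parent/child edges of the process tree. The Python below is an added example, not tooling from the sandbox or the report: it decodes the hex blobs and applies a heuristic of mine for Windows Installer Darwin descriptors (20-character compressed product code, feature name, ">", 20-character component code, trailing arguments; MSI itself decodes these with MsiDecomposeDescriptor, which is not used here), and it rebuilds the process tree from rows copied from the WriteProcessMemory table. The image paths and the hex value are the report's own data; only the row selection is mine.

```python
import re

# Heuristic pattern for a Darwin descriptor (written for this example, not an MSI API)
DARWIN_RE = re.compile(r"^(.{20})([A-Za-z0-9_.]+)>(.{20})(.*)$", re.S)


def decode_reg_data(hex_blob: str) -> str:
    """Decode a 'Set value (data)' hex string as the UTF-16LE string it carries."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def classify_reg_data(hex_blob: str) -> dict:
    """Decode the value and say whether it looks like Office/MSI self-registration."""
    text = decode_reg_data(hex_blob)
    m = DARWIN_RE.match(text)
    if not m:
        return {"text": text, "darwin": False}
    product, feature, component, args = m.groups()
    return {"text": text, "darwin": True, "product": product,
            "feature": feature, "component": component, "args": args.strip()}


# Row layout in the report: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+?)\s+(C:\\.*)$")


def build_process_tree(rows):
    """Turn WriteProcessMemory rows into {pid: [child pids]} plus a pid -> image map."""
    image, children = {}, {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        kids = children.setdefault(src, [])
        if dst not in kids:                  # the table repeats each write once per call
            kids.append(dst)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    return {"roots": roots, "children": children, "image": image}


def render_tree(tree) -> str:
    """Indented text rendering of the tree, roots first, children in first-seen order."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {tree['image'].get(pid, '?')}")
        for kid in tree["children"].get(pid, []):
            walk(kid, depth + 1)

    for root in tree["roots"]:
        walk(root, 0)
    return "\n".join(lines)


# Rows copied from the behavioral7 WriteProcessMemory table (duplicates trimmed to one or two)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
START = r"C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"
WPM_ROWS = [
    f"PID 2420 wrote to memory of 1632 N/A {SAMPLE} {SAMPLE}",
    f"PID 2420 wrote to memory of 1632 N/A {SAMPLE} {SAMPLE}",
    f"PID 1632 wrote to memory of 2688 N/A {SAMPLE} {CMD}",
    f"PID 1632 wrote to memory of 2704 N/A {SAMPLE} {CMD}",
    f"PID 2704 wrote to memory of 2604 N/A {CMD} {START}",
    f"PID 2688 wrote to memory of 484 N/A {CMD} {WINWORD}",
    f"PID 484 wrote to memory of 2324 N/A {WINWORD} C:\\Windows\\splwow64.exe",
]
# The value WINWORD.EXE wrote to ...\Default MHTML Editor\shell\edit\command\command
WORD_EDIT_COMMAND = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"

if __name__ == "__main__":
    print(render_tree(build_process_tree(WPM_ROWS)))
    print(classify_reg_data(WORD_EDIT_COMMAND))
```

Run stand-alone, the tree shows 2420 spawning its own copy (1632), which drives two cmd.exe instances: one reaches WINWORD.EXE and the print helper splwow64.exe, the other reaches Start.exe. The decoded registry value is a WORDFiles feature descriptor followed by the /n "%1" arguments, i.e. the same command that the neighbouring plain-string rows register for WINWORD.EXE, which is what marks these rows as Office self-registration rather than payload persistence.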

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.api.chinabm.cn udp
CN 182.106.158.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI24202\1qaz2wsx.exe.manifest

MD5 75b7dde9cbd5c60097c350a8debe1ce0
SHA1 3ddca45df0a03b4d289ad93e3c944d9d458eaf68
SHA256 1ffba23039e14ac62b97a3bb345a647febd950dff06f6d3d6975bca8f1f364d5
SHA512 30d50670477193ce1b03b2f0e9a25a2f2e7bb8e9ff4fefd617e070372f405656fd10130803305a746d1f7f103301ee61aed828efc5ed42e8d15b1b1f784d46fb

C:\Users\Admin\AppData\Local\Temp\_MEI24202\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

\Users\Admin\AppData\Local\Temp\_MEI24202\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

C:\Users\Admin\AppData\Local\Temp\_MEI24202\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

\Users\Admin\AppData\Local\Temp\_MEI24202\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI24202\base_library.zip

MD5 180486848fd59106ac4590bbc1ff463e
SHA1 1cc66e46c916ce5da9b71e532444dd1c2560cb70
SHA256 384fda35f8f7f96f51c87456ae953a49fc9feb8d92be815e3d3fd69b96fdbf7d
SHA512 03ff5f5e17bef3705e8c03e051324363d2f2fb793854dcedde824222ad0c066f5802f7e4a5bf4de8584a82251e9dae1e9668cad6ded8510ca85a1b5da1f48d8f

memory/1632-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2420-34-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-38-0x000007FEF6EA0000-0x000007FEF6FA4000-memory.dmp

memory/2604-46-0x0000000001B40000-0x0000000001B62000-memory.dmp

memory/2604-48-0x000007FEF6EA0000-0x000007FEF6FA4000-memory.dmp

memory/2604-63-0x0000000001B40000-0x0000000001B62000-memory.dmp

memory/2604-66-0x0000000001B20000-0x0000000001B21000-memory.dmp

memory/2604-65-0x000007FEF6EA0000-0x000007FEF6FA4000-memory.dmp

memory/484-75-0x000000002FDB1000-0x000000002FDB2000-memory.dmp

memory/484-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/484-77-0x00000000714CD000-0x00000000714D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx

MD5 856f1b71fca87647a111c2501cdfa514
SHA1 0dc734f42d94e6aee221a9a29eb107397079b815
SHA256 c1bba0687169fe12871dc6408ae84d94d819d6d26226c6a758ae5ee013de1aba
SHA512 5f6a0ef7a1db3aacf4b9d81f7015a0d060b470f0395ac54f1169315e533f91274b7c0edb99ba1cf19fc7313b4b26f98e6204ffbf35f2f77346234d5c86955e54

C:\Users\Admin\AppData\Local\Temp\Cab50D0.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5150.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2604-164-0x0000000003BA0000-0x0000000003FA0000-memory.dmp

memory/2604-163-0x000007FEF64D0000-0x000007FEF657C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2604-179-0x000007FEF64D0000-0x000007FEF657C000-memory.dmp

memory/2604-180-0x000007FEF6EA0000-0x000007FEF6FA4000-memory.dmp

memory/484-182-0x00000000714CD000-0x00000000714D8000-memory.dmp

memory/2604-184-0x0000000003BA0000-0x0000000003FA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ee431b060608820bb03beb0b058a8eb9
SHA1 394410c521b2fb7360fc0df7244d9e07c3374a42
SHA256 c92ace07a5249aaadb268eb3326a7feef0b6d96931370871794b6c20d6279dfe
SHA512 787cd070765d49a6e9739c5dca6d333f8191e109fe4024f87509f23db88a17e5729ac541bf65d6bb2f6ac0f32faa9db850d311e3c79f05f86ff9fcf5d9c89bc3

memory/484-209-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/484-210-0x00000000714CD000-0x00000000714D8000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win10v2004-20231020-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 1444 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 1444 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe
PID 1980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 3476 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe
PID 3192 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3192 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 time.api.chinabm.cn udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.27.170.111.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 209.197.3.8:80 tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 34.175.53.84.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14442\1qaz2wsx.exe.manifest

MD5 75b7dde9cbd5c60097c350a8debe1ce0
SHA1 3ddca45df0a03b4d289ad93e3c944d9d458eaf68
SHA256 1ffba23039e14ac62b97a3bb345a647febd950dff06f6d3d6975bca8f1f364d5
SHA512 30d50670477193ce1b03b2f0e9a25a2f2e7bb8e9ff4fefd617e070372f405656fd10130803305a746d1f7f103301ee61aed828efc5ed42e8d15b1b1f784d46fb

C:\Users\Admin\AppData\Local\Temp\_MEI14442\python34.dll

MD5 2a78649eb1fe4354060623785f7f98aa
SHA1 85dcadf0b43db27f47713c433f8e31a8642cf8d5
SHA256 fdb01967868edc948d9e0ee128a26a3c76df2600262ca9d38034d45dbe39017d
SHA512 678b122bf318b78a7699f4417d6b74e65f3dc740d287c9a193a59c670d38579fa20180dd363f1e620fbce7e388d993e59321b19127fff3e6d6502a8e24a33d6a

C:\Users\Admin\AppData\Local\Temp\_MEI14442\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI14442\base_library.zip

MD5 180486848fd59106ac4590bbc1ff463e
SHA1 1cc66e46c916ce5da9b71e532444dd1c2560cb70
SHA256 384fda35f8f7f96f51c87456ae953a49fc9feb8d92be815e3d3fd69b96fdbf7d
SHA512 03ff5f5e17bef3705e8c03e051324363d2f2fb793854dcedde824222ad0c066f5802f7e4a5bf4de8584a82251e9dae1e9668cad6ded8510ca85a1b5da1f48d8f

memory/1980-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1444-34-0x0000000000400000-0x0000000000431000-memory.dmp

memory/388-36-0x00007FFFEC090000-0x00007FFFEC194000-memory.dmp

memory/388-40-0x0000019CCCF10000-0x0000019CCCF32000-memory.dmp

memory/388-41-0x00007FFFEC090000-0x00007FFFEC194000-memory.dmp

memory/388-50-0x0000019CCCF10000-0x0000019CCCF32000-memory.dmp

memory/388-51-0x00007FFFEC090000-0x00007FFFEC194000-memory.dmp

memory/388-52-0x0000019CCB600000-0x0000019CCB601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\求职材料\陈婷婷-中山大学-公共卫生学院流行病与卫生统计学硕士.docx

MD5 856f1b71fca87647a111c2501cdfa514
SHA1 0dc734f42d94e6aee221a9a29eb107397079b815
SHA256 c1bba0687169fe12871dc6408ae84d94d819d6d26226c6a758ae5ee013de1aba
SHA512 5f6a0ef7a1db3aacf4b9d81f7015a0d060b470f0395ac54f1169315e533f91274b7c0edb99ba1cf19fc7313b4b26f98e6204ffbf35f2f77346234d5c86955e54

memory/4852-54-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-55-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-56-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-58-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-57-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-59-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-60-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-62-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-61-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-63-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-64-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-65-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-66-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-68-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-69-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-67-0x00007FF7C7250000-0x00007FF7C7260000-memory.dmp

memory/4852-70-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-71-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-72-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-73-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-74-0x00007FF7C7250000-0x00007FF7C7260000-memory.dmp

memory/388-83-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-84-0x0000019CCD4D0000-0x0000019CCD8D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/388-91-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-95-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-96-0x00007FFFEC090000-0x00007FFFEC194000-memory.dmp

memory/4852-97-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-98-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-99-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/388-101-0x0000019CCD4D0000-0x0000019CCD8D0000-memory.dmp

memory/388-102-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-105-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-106-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-111-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-112-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-113-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/4852-131-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-132-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-133-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-135-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-134-0x00007FF7C9BB0000-0x00007FF7C9BC0000-memory.dmp

memory/4852-136-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/4852-137-0x00007FF809B30000-0x00007FF809D25000-memory.dmp

memory/388-138-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-139-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-140-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-141-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

memory/388-142-0x00007FFFE40E0000-0x00007FFFE416D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\RfSbieDll.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\RfSbieDll.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/4176-0-0x00007FF8ADF50000-0x00007FF8AE054000-memory.dmp

memory/4176-4-0x00007FF8ADF50000-0x00007FF8AE054000-memory.dmp

memory/4176-5-0x000001AA4F6C0000-0x000001AA4F6E2000-memory.dmp

memory/4176-14-0x000001AA4F6C0000-0x000001AA4F6E2000-memory.dmp

memory/4176-15-0x00007FF8ADF50000-0x00007FF8AE054000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win7-20231020-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.api.chinabm.cn udp
CN 125.74.42.35:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp

Files

memory/2872-0-0x000007FEF6FD0000-0x000007FEF70D4000-memory.dmp

memory/2872-4-0x0000000000430000-0x0000000000452000-memory.dmp

memory/2872-7-0x000007FEF6FD0000-0x000007FEF70D4000-memory.dmp

memory/2872-15-0x000007FEF6FD0000-0x000007FEF70D4000-memory.dmp

memory/2872-14-0x0000000000430000-0x0000000000452000-memory.dmp

memory/2872-16-0x0000000000180000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5756.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5823.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ff646174f2f4176df504fd67a6bb8aa
SHA1 19e02f20aaf09d67f862726d906739d1a6bf2bec
SHA256 7690fe5f136fdf1669cabbc78dcda048533ff47fb025f6374a83c0a6675fa06f
SHA512 96e300ea07428b62e51a240dab0cf812395533811771837703ea31e57c8e8877d2d26f35acf16f3ea88252349d261e0bc3f95440a50166024e8f7491d5363a4f

memory/2872-79-0x0000000003940000-0x0000000003D40000-memory.dmp

memory/2872-78-0x000007FEF7AF0000-0x000007FEF7B9C000-memory.dmp

memory/2872-80-0x000007FEF7AF0000-0x000007FEF7B9C000-memory.dmp

memory/2872-81-0x000007FEF6FD0000-0x000007FEF70D4000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-23 08:09

Reported

2023-11-23 08:12

Platform

win10v2004-20231025-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe

"C:\Users\Admin\AppData\Local\Temp\求职材料\附件材料\Start.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 time.api.chinabm.cn udp
US 8.8.8.8:53 67.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 1.27.170.111.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 147.175.53.84.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 time.api.chinabm.cn tcp
CN 111.170.27.1:443 tcp

Files

memory/2564-0-0x00007FFC9E900000-0x00007FFC9EA04000-memory.dmp

memory/2564-5-0x000002BC80060000-0x000002BC80082000-memory.dmp

memory/2564-4-0x00007FFC9E900000-0x00007FFC9EA04000-memory.dmp

memory/2564-7-0x00007FFC9E900000-0x00007FFC9EA04000-memory.dmp

memory/2564-15-0x000002BC80060000-0x000002BC80082000-memory.dmp

memory/2564-16-0x00007FFC9E900000-0x00007FFC9EA04000-memory.dmp

memory/2564-17-0x000002BC80040000-0x000002BC80041000-memory.dmp

memory/2564-20-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-21-0x000002BC807D0000-0x000002BC8092E000-memory.dmp

memory/2564-22-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-23-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-24-0x00007FFC9E900000-0x00007FFC9EA04000-memory.dmp

memory/2564-25-0x000002BC807D0000-0x000002BC8092E000-memory.dmp

memory/2564-26-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-27-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-28-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-29-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-30-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-31-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-32-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-34-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-35-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-36-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp

memory/2564-37-0x00007FFC8E5E0000-0x00007FFC8E66D000-memory.dmp