General Info

File name

Quotation Order.doc

Full analysis
https://app.any.run/tasks/754fc5e4-7cae-407e-85de-487bfd294883
Verdict
Malicious activity
Threats:

Lokibot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Analysis date
2/18/2019, 06:04:12
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

exploit

CVE-2017-11882

loader

opendir

trojan

lokibot

Indicators:

MIME:
text/rtf
File info:
Rich Text Format data, version 1, unknown character set
MD5

d9d90a514547b9f9e1fb7019caaf6641

SHA1

d81c2fc6b99bcf446abb86ad0d56394c02fae23c

SHA256

a94b14e16cac619550a71e6a6c89c81380e71df3de695eecad7d0ed09f75a109

SSDEEP

96:mcB6vkrOYEi//cLpkaDm8r1NCeBkLVfEarB/IElkNePT416:X6kr5IlDhrXqxfEadQQPk16

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Who has a link
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 3196)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 3196)
Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 3196)
Application was dropped or rewritten from another process
  • Quotation Order.exe (PID: 2900)
  • Quotation Order.exe (PID: 2172)
Detected artifacts of LokiBot
  • Quotation Order.exe (PID: 2172)
Actions look like stealing of personal data
  • Quotation Order.exe (PID: 2172)
Creates files in the user directory
  • EQNEDT32.EXE (PID: 3196)
  • Quotation Order.exe (PID: 2172)
Executable content was dropped or overwritten
  • EQNEDT32.EXE (PID: 3196)
  • Quotation Order.exe (PID: 2172)
Application launched itself
  • Quotation Order.exe (PID: 2900)
Loads DLL from Mozilla Firefox
  • Quotation Order.exe (PID: 2172)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2972)
Creates files in the user directory
  • WINWORD.EXE (PID: 2972)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.rtf | Rich Text Format (100%)

Processes

Total processes
34
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Process chain (graph edge labels: start, drop and start): winword.exe (no specs) → eqnedt32.exe → quotation order.exe → quotation order.exe (#LOKIBOT)

Process information


PID
2972
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\Quotation Order.doc.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\winspool.drv
c:\windows\system32\setupapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\msi.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shell32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\advapi32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\slc.dll
c:\windows\system32\srvcli.dll

PID
3196
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ntmarta.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rasman.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\sxs.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\quotation order.exe
c:\windows\system32\wship6.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dnsapi.dll

PID
2900
CMD
"C:\Users\admin\AppData\Roaming\Quotation Order.exe"
Path
C:\Users\admin\AppData\Roaming\Quotation Order.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
syphilophobic
Description
blennorrhoea
Version
8.7.7.1
Modules
Image
c:\users\admin\appdata\roaming\quotation order.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll

PID
2172
CMD
"C:\Users\admin\AppData\Roaming\Quotation Order.exe"
Path
C:\Users\admin\AppData\Roaming\Quotation Order.exe
Indicators
Parent process
Quotation Order.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
syphilophobic
Description
blennorrhoea
Version
8.7.7.1
Modules
Image
c:\users\admin\appdata\roaming\quotation order.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
967
Read events
0
Write events
67
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
2972
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2972
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2972
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\20F4A6
2972
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
d',
64272C009C0B0000010000000000000000000000
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313996944
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313996945
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
n(,
6E282C009C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{441D0A6F-9E53-4F70-9EC8-BC146A645B65}
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C74FD1111B10][O00000000]*C:\Users\admin\AppData\Roaming\Quotation Order.doc.rtf
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\20F4A6
20F4A6
040000009C0B00003600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00510075006F0074006100740069006F006E0020004F0072006400650072002E0064006F0063002E0072007400660017000000510075006F0074006100740069006F006E0020004F0072006400650072002E0064006F0063002E007200740066000000000001000000000000005CDEAECE4FC7D401A6F42000A6F4200000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996858
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996859
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313996843
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313996843
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313996844
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996862
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996863
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996864
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996865
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25024A1100A00633090060007000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101
010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101020101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
101
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1313996823
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
9C0B0000D28EBFCE4FC7D40100000000
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
8),
38292C009C0B000006000000010000007E000000020000006E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C0072006F0061006D0069006E0067005C00710075006F0074006100740069006F006E0020006F0072006400650072002E0064006F0063002E00720074006600000000000000
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C74FD1111B10][O00000000]*C:\Users\admin\AppData\Roaming\
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313996841
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313996842
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313996842
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1313996810
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313996946
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313996844
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996860
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313996861
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313996841
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
101
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1313996811
2972
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
BackgroundOpen
0
2972
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313996947
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileTracingMask
4294901760
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableFileTracing
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
MaxFileSize
1048576
3196
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1313996803
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
ConsoleTracingMask
4294901760
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableFileTracing
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
MaxFileSize
1048576
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileTracingMask
4294901760
3196
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableConsoleTracing
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileDirectory
%windir%\tracing
3196
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableConsoleTracing
0
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileDirectory
%windir%\tracing
3196
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
ConsoleTracingMask
4294901760
3196
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(value omitted)
2172
Quotation Order.exe
write
HKEY_CURRENT_USER\http://alfacollege.website/fre.php
F63AAA
%APPDATA%\F63AAA\A71D80.exe

Files activity

Executable files
3
Suspicious files
1
Text files
2
Unknown types
6

Dropped files

PID
Process
Filename
Type
3196
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\Quotation%20Order[1].exe
executable
MD5: 192119d6a2c5d209d48edacf25289cbe
SHA256: 149481bdede500f019000d6c36a7c80888f72c199a1046b14eca3d3cdd8d7109
3196
EQNEDT32.EXE
C:\Users\admin\AppData\Roaming\Quotation Order.exe
executable
MD5: 192119d6a2c5d209d48edacf25289cbe
SHA256: 149481bdede500f019000d6c36a7c80888f72c199a1046b14eca3d3cdd8d7109
2172
Quotation Order.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
executable
MD5: 192119d6a2c5d209d48edacf25289cbe
SHA256: 149481bdede500f019000d6c36a7c80888f72c199a1046b14eca3d3cdd8d7109
2972
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRE7C4.tmp.cvr
––
MD5:  ––
SHA256:  ––
2972
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0392520D-58D2-48D6-A7A2-53DA8C6EE22B}.tmp
––
MD5:  ––
SHA256:  ––
2972
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{70377F18-CA88-4BAF-B919-CA528A3B3822}.tmp
binary
MD5: d6e646f7f97db09378a184511a6c6917
SHA256: 2fd5b3c8fa6b18fe37730448f73b5a5d88deac0f2de336b0d7731596c5c2a49e
2172
Quotation Order.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: 18b8cfc0185c50383aac0a4f30a9dac8
SHA256: 913e8ced6a447fe791954d382aba52d490513c5d2f689b391866c7e561f89a03
2972
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Quotation Order.doc.rtf.LNK
lnk
MD5: 1c65853e45782d7f85ef01df4769882f
SHA256: 69c032026b639fb2e42d20e14b29bbd09f22c26393509a7b73282ee2d26e32b0
2972
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: e4ea98af8cbeae7002145bd56e1176ac
SHA256: 02b5927d6ec8f7396e0cd5d9142b7a37e46d986749a26c34d2f7602a4d842c5e
2972
WINWORD.EXE
C:\Users\admin\AppData\Roaming\~$otation Order.doc.rtf
pgc
MD5: 542d63c8533f7de3daa5046832800d2d
SHA256: 318f084e176d39854de962dba773048efb08821e730bb923af83ddf1f4d1fa4f
2972
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 2f778ccccefc881595e02404ed7e04fb
SHA256: 2dc8f82d637df1c2eb793718ffedaaa61d9dd48f1aa2e8e25c5f5d6d2c812042
2172
Quotation Order.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
––
MD5:  ––
SHA256:  ––
2972
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C0B1440-D46D-47B6-877C-7F40D0ADDC95}.tmp
––
MD5:  ––
SHA256:  ––

Network activity

HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
7
Threats
2

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3196 EQNEDT32.EXE GET 200 103.112.244.113:80 http://deluvis.net/key/Quotation%20Order.exe unknown executable malicious

Connections

PID Process IP ASN CN Reputation
3196 EQNEDT32.EXE 103.112.244.113:80 –– malicious

DNS requests

Domain IP Reputation
deluvis.net 103.112.244.113 malicious
alfacollege.website No response malicious

Threats

PID Process Class Message
3196 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
3196 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP

Debug output strings

Process Message
–– User32.dll