plugx | 806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204

Analysis

max time kernel
152s
max time network
194s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc
Size

324KB
MD5

510373e64ab11602490e0e5eb36ef4d1
SHA1

284e402d86e35a510e428bd6dc990e1d6d87a8bc
SHA256

806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204
SHA512

30f536eeccc1200bf69f3adef6214387a17c919f332ca120b56e1d20dfd9e996c4aaa38f4d593ee7d25e05f8add7b17ea02922e3d4ac59403ab1d574c76345ff
SSDEEP

6144:xzAFVteZhTDb2WzbxEvk69q6CC4KEqU/G0VmyhNz+0dfpnXh:CfeqAxEvl9j34KEqcG02sRh

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 29 IoCs

resource	yara_rule
behavioral1/memory/1792-78-0x0000000000350000-0x000000000038C000-memory.dmp	family_plugx
behavioral1/memory/596-79-0x00000000004E0000-0x000000000051C000-memory.dmp	family_plugx
behavioral1/memory/1620-88-0x0000000000310000-0x000000000034C000-memory.dmp	family_plugx
behavioral1/memory/1424-93-0x0000000000250000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/596-94-0x00000000004E0000-0x000000000051C000-memory.dmp	family_plugx
behavioral1/memory/2032-111-0x00000000002A0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/1100-126-0x00000000002C0000-0x00000000002FC000-memory.dmp	family_plugx
behavioral1/memory/1532-127-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/1424-128-0x0000000000250000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2032-130-0x00000000002A0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/1788-145-0x00000000002C0000-0x00000000002FC000-memory.dmp	family_plugx
behavioral1/memory/1224-164-0x00000000001A0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/1492-165-0x0000000000280000-0x00000000002BC000-memory.dmp	family_plugx
behavioral1/memory/940-184-0x0000000000350000-0x000000000038C000-memory.dmp	family_plugx
behavioral1/memory/1532-185-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/1632-188-0x0000000006440000-0x000000000659C000-memory.dmp	family_plugx
behavioral1/memory/1648-195-0x0000000000370000-0x00000000003AC000-memory.dmp	family_plugx
behavioral1/memory/768-212-0x00000000002C0000-0x00000000002FC000-memory.dmp	family_plugx
behavioral1/memory/1940-213-0x0000000000350000-0x000000000038C000-memory.dmp	family_plugx
behavioral1/memory/1492-214-0x0000000000280000-0x00000000002BC000-memory.dmp	family_plugx
behavioral1/memory/940-215-0x0000000000350000-0x000000000038C000-memory.dmp	family_plugx
behavioral1/memory/768-220-0x00000000002C0000-0x00000000002FC000-memory.dmp	family_plugx
behavioral1/memory/1940-221-0x0000000000350000-0x000000000038C000-memory.dmp	family_plugx
behavioral1/memory/892-228-0x0000000000360000-0x000000000039C000-memory.dmp	family_plugx
behavioral1/memory/2256-244-0x0000000000340000-0x000000000037C000-memory.dmp	family_plugx
behavioral1/memory/2460-260-0x0000000000340000-0x000000000037C000-memory.dmp	family_plugx
behavioral1/memory/2652-276-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2848-291-0x00000000003A0000-0x00000000003DC000-memory.dmp	family_plugx
behavioral1/memory/3040-308-0x00000000005B0000-0x00000000005EC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	316	1772	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	940	2040	cmd.exe	38
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1104	1880	cmd.exe	47
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1584	1932	cmd.exe	52
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1636	1632	cmd.exe	59
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2092	972	cmd.exe	64
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2296	2180	cmd.exe	73
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2500	2392	cmd.exe	78
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2692	2580	cmd.exe	83
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2888	2772	cmd.exe	88
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	780	2960	cmd.exe	93

Executes dropped EXE 15 IoCs

pid	Process
1792	4B93.tmp
596	rc.exe
1620	rc.exe
1100	94E2.tmp
1532	rc.exe
1788	33CF.tmp
1224	rc.exe
940	4137.tmp
1648	49FD.tmp
892	B5E9.tmp
2256	D9CD.tmp
2460	E4F4.tmp
2652	EDBB.tmp
2848	F79A.tmp
3040	60.tmp

Loads dropped DLL 29 IoCs

pid	Process
1772	WINWORD.EXE
1772	WINWORD.EXE
1792	4B93.tmp
1792	4B93.tmp
596	rc.exe
1620	rc.exe
2040	WINWORD.EXE
2040	WINWORD.EXE
1100	94E2.tmp
1532	rc.exe
1880	WINWORD.EXE
1880	WINWORD.EXE
1224	rc.exe
1932	WINWORD.EXE
1932	WINWORD.EXE
1632	WINWORD.EXE
1632	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2580	WINWORD.EXE
2580	WINWORD.EXE
2772	WINWORD.EXE
2772	WINWORD.EXE
2960	WINWORD.EXE
2960	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

pid	Process
2928	tasklist.exe
1944	tasklist.exe
844	tasklist.exe
1548	tasklist.exe
2356	tasklist.exe
2728	tasklist.exe
780	tasklist.exe
1224	tasklist.exe
2140	tasklist.exe
2544	tasklist.exe
892	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\3e-80-78-b5-1c-66	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\WpadNetworkName = "Network 2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\WpadDecisionTime = 50c6bbef2407d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\WpadDecisionTime = d0b743d82407d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecisionTime = 50c6bbef2407d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecisionTime = d0b743d82407d901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecisionTime = 50c6bbef2407d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B20C1852-9BB9-41F7-B262-2BF0D2ACDD65}\3e-80-78-b5-1c-66	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-80-78-b5-1c-66\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\ = "IToolbar"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ = "IProgressBarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ = "INodes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ = "IToolbarEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E9252B6-D14D-4B20-BBFA-01F4E1CEA26B}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ = "ListViewEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ = "IListSubItem"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 12 IoCs

pid	Process
1772	WINWORD.EXE
2040	WINWORD.EXE
1880	WINWORD.EXE
1932	WINWORD.EXE
1632	WINWORD.EXE
972	WINWORD.EXE
2180	WINWORD.EXE
2392	WINWORD.EXE
2580	WINWORD.EXE
2772	WINWORD.EXE
2960	WINWORD.EXE
580	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
1424	svchost.exe
1424	svchost.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe
2032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	4B93.tmp
Token: SeTcbPrivilege	1792	4B93.tmp
Token: SeDebugPrivilege	596	rc.exe
Token: SeTcbPrivilege	596	rc.exe
Token: SeDebugPrivilege	1620	rc.exe
Token: SeTcbPrivilege	1620	rc.exe
Token: SeDebugPrivilege	1424	svchost.exe
Token: SeTcbPrivilege	1424	svchost.exe
Token: SeDebugPrivilege	780	tasklist.exe
Token: SeDebugPrivilege	2032	msiexec.exe
Token: SeTcbPrivilege	2032	msiexec.exe
Token: SeDebugPrivilege	1100	94E2.tmp
Token: SeTcbPrivilege	1100	94E2.tmp
Token: SeDebugPrivilege	1532	rc.exe
Token: SeTcbPrivilege	1532	rc.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	1788	33CF.tmp
Token: SeTcbPrivilege	1788	33CF.tmp
Token: SeDebugPrivilege	1944	tasklist.exe
Token: SeDebugPrivilege	1224	rc.exe
Token: SeTcbPrivilege	1224	rc.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: SeTcbPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	940	4137.tmp
Token: SeTcbPrivilege	940	4137.tmp
Token: SeDebugPrivilege	844	tasklist.exe
Token: SeDebugPrivilege	1648	49FD.tmp
Token: SeTcbPrivilege	1648	49FD.tmp
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	768	msiexec.exe
Token: SeTcbPrivilege	768	msiexec.exe
Token: SeDebugPrivilege	1940	msiexec.exe
Token: SeTcbPrivilege	1940	msiexec.exe
Token: SeDebugPrivilege	892	B5E9.tmp
Token: SeTcbPrivilege	892	B5E9.tmp
Token: SeDebugPrivilege	2140	tasklist.exe
Token: SeDebugPrivilege	2256	D9CD.tmp
Token: SeTcbPrivilege	2256	D9CD.tmp
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	2460	E4F4.tmp
Token: SeTcbPrivilege	2460	E4F4.tmp
Token: SeDebugPrivilege	2544	tasklist.exe
Token: SeDebugPrivilege	2652	EDBB.tmp
Token: SeTcbPrivilege	2652	EDBB.tmp
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2848	F79A.tmp
Token: SeTcbPrivilege	2848	F79A.tmp
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	3040	60.tmp
Token: SeTcbPrivilege	3040	60.tmp
Token: SeDebugPrivilege	892	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1772	WINWORD.EXE
2040	WINWORD.EXE
1880	WINWORD.EXE

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1772	WINWORD.EXE
1772	WINWORD.EXE
2040	WINWORD.EXE
2040	WINWORD.EXE
1880	WINWORD.EXE
1880	WINWORD.EXE
1932	WINWORD.EXE
1932	WINWORD.EXE
1632	WINWORD.EXE
1632	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
2180	WINWORD.EXE
2180	WINWORD.EXE
2392	WINWORD.EXE
2392	WINWORD.EXE
2580	WINWORD.EXE
2580	WINWORD.EXE
2772	WINWORD.EXE
2772	WINWORD.EXE
2960	WINWORD.EXE
2960	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1488	1772	WINWORD.EXE	28
PID 1772 wrote to memory of 1488	1772	WINWORD.EXE	28
PID 1772 wrote to memory of 1488	1772	WINWORD.EXE	28
PID 1772 wrote to memory of 1488	1772	WINWORD.EXE	28
PID 1772 wrote to memory of 1792	1772	WINWORD.EXE	29
PID 1772 wrote to memory of 1792	1772	WINWORD.EXE	29
PID 1772 wrote to memory of 1792	1772	WINWORD.EXE	29
PID 1772 wrote to memory of 1792	1772	WINWORD.EXE	29
PID 1792 wrote to memory of 596	1792	4B93.tmp	30
PID 1792 wrote to memory of 596	1792	4B93.tmp	30
PID 1792 wrote to memory of 596	1792	4B93.tmp	30
PID 1792 wrote to memory of 596	1792	4B93.tmp	30
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1620 wrote to memory of 1424	1620	rc.exe	33
PID 1772 wrote to memory of 316	1772	WINWORD.EXE	34
PID 1772 wrote to memory of 316	1772	WINWORD.EXE	34
PID 1772 wrote to memory of 316	1772	WINWORD.EXE	34
PID 1772 wrote to memory of 316	1772	WINWORD.EXE	34
PID 316 wrote to memory of 780	316	cmd.exe	36
PID 316 wrote to memory of 780	316	cmd.exe	36
PID 316 wrote to memory of 780	316	cmd.exe	36
PID 316 wrote to memory of 780	316	cmd.exe	36
PID 316 wrote to memory of 2040	316	cmd.exe	38
PID 316 wrote to memory of 2040	316	cmd.exe	38
PID 316 wrote to memory of 2040	316	cmd.exe	38
PID 316 wrote to memory of 2040	316	cmd.exe	38
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 1424 wrote to memory of 2032	1424	svchost.exe	39
PID 2040 wrote to memory of 1100	2040	WINWORD.EXE	40
PID 2040 wrote to memory of 1100	2040	WINWORD.EXE	40
PID 2040 wrote to memory of 1100	2040	WINWORD.EXE	40
PID 2040 wrote to memory of 1100	2040	WINWORD.EXE	40
PID 1100 wrote to memory of 1532	1100	94E2.tmp	41
PID 1100 wrote to memory of 1532	1100	94E2.tmp	41
PID 1100 wrote to memory of 1532	1100	94E2.tmp	41
PID 1100 wrote to memory of 1532	1100	94E2.tmp	41
PID 2040 wrote to memory of 940	2040	WINWORD.EXE	44
PID 2040 wrote to memory of 940	2040	WINWORD.EXE	44
PID 2040 wrote to memory of 940	2040	WINWORD.EXE	44
PID 2040 wrote to memory of 940	2040	WINWORD.EXE	44
PID 940 wrote to memory of 1224	940	cmd.exe	46
PID 940 wrote to memory of 1224	940	cmd.exe	46
PID 940 wrote to memory of 1224	940	cmd.exe	46
PID 940 wrote to memory of 1224	940	cmd.exe	46
PID 940 wrote to memory of 1880	940	cmd.exe	47
PID 940 wrote to memory of 1880	940	cmd.exe	47
PID 940 wrote to memory of 1880	940	cmd.exe	47

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\4B93.tmp
  C:\Users\Admin\AppData\Local\Temp\4B93.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\ProgramData\SxS\rc.exe
    "C:\ProgramData\SxS\rc.exe" 100 1792
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\94E2.tmp
      C:\Users\Admin\AppData\Local\Temp\94E2.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\ProgramData\SxS\rc.exe
        
        "C:\ProgramData\SxS\rc.exe" 100 1100
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
      4⤵
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        5⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\33CF.tmp
        
        C:\Users\Admin\AppData\Local\Temp\33CF.tmp
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        6⤵
        Process spawned unexpected child process
        
        PID:1104
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        7⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\4137.tmp
        
        C:\Users\Admin\AppData\Local\Temp\4137.tmp
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\system32\msiexec.exe 209 940
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        8⤵
        Process spawned unexpected child process
        
        PID:1584
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        9⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\49FD.tmp
        
        C:\Users\Admin\AppData\Local\Temp\49FD.tmp
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        10⤵
        Process spawned unexpected child process
        
        PID:1636
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        11⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\B5E9.tmp
        
        C:\Users\Admin\AppData\Local\Temp\B5E9.tmp
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        12⤵
        Process spawned unexpected child process
        
        PID:2092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        13⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        13⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\D9CD.tmp
        
        C:\Users\Admin\AppData\Local\Temp\D9CD.tmp
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        14⤵
        Process spawned unexpected child process
        
        PID:2296
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        15⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        15⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\E4F4.tmp
        
        C:\Users\Admin\AppData\Local\Temp\E4F4.tmp
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        16⤵
        Process spawned unexpected child process
        
        PID:2500
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        17⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        17⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\EDBB.tmp
        
        C:\Users\Admin\AppData\Local\Temp\EDBB.tmp
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        18⤵
        Process spawned unexpected child process
        
        PID:2692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        19⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        19⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\F79A.tmp
        
        C:\Users\Admin\AppData\Local\Temp\F79A.tmp
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        20⤵
        Process spawned unexpected child process
        
        PID:2888
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        21⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        21⤵
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\60.tmp
        
        C:\Users\Admin\AppData\Local\Temp\60.tmp
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c tasklist&"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        22⤵
        Process spawned unexpected child process
        
        PID:780
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        23⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\Admin\AppData\Local\Temp\806b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc"
        23⤵
        Suspicious behavior: AddClipboardFormatListener
        
        PID:580

C:\ProgramData\SxS\rc.exe
"C:\ProgramData\SxS\rc.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1424
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

C:\ProgramData\SxS\rc.exe
"C:\ProgramData\SxS\rc.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1224
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1492
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\RCDLL.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
C:\ProgramData\SxS\RCDLL.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
4d82cf50aaaa7234e24d61fc3dc0b85e

SHA1
7531d0dbaa52e770332ce85d7f9abcb31ec461af

SHA256
29454f426fae8b10b9945be4b33eaf68083bef6fa9a8d4d274a980790fb2f898

SHA512
a6806eae4e378d7e558bb7fcbc59a8e7d142b5107271726a7d291341993a92c19605c82f13c71d6d093cd44e21e2d66e54081b3eea2eb7020d5b444afa9da6ef

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
4d82cf50aaaa7234e24d61fc3dc0b85e

SHA1
7531d0dbaa52e770332ce85d7f9abcb31ec461af

SHA256
29454f426fae8b10b9945be4b33eaf68083bef6fa9a8d4d274a980790fb2f898

SHA512
a6806eae4e378d7e558bb7fcbc59a8e7d142b5107271726a7d291341993a92c19605c82f13c71d6d093cd44e21e2d66e54081b3eea2eb7020d5b444afa9da6ef

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
024b0b0b413d34432d12affa39626c13

SHA1
651526ec0d868ade69ee6f3ef73954ed4a8ba78c

SHA256
2ba7edbecd7af5006678b1f5dcb0e13e18dd44f6478e01c2cf7a08e7ac521eba

SHA512
3c836cedeb748cbafbeec0399a4d44af0ae9c5fb4b85b2cb29084ace27966b0b300915c5cb22ee4ec07d7bc3f80967564abefe7e871cc61811439818b26827a4

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
2KB

MD5
ca71b07f924cd8bde35563088d8ed54c

SHA1
c68acc7f3b8f39cb6904d944d90dd021784dfccb

SHA256
45687c7b4ea1357e76d26367dea523bd2eee15178b7c4376e604042d4976e9c2

SHA512
64470b442dedcbc3df3cebd9b4500693da902fa21a12d187e5d768cad7ff498f44be651f4870808e8a5cc05e5db111d1d8a24744da52dbdbb23e0e06fd658337

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
3KB

MD5
51b64a353018ca81cc67e5f4f2ace79d

SHA1
ee1f3bc5c9fbb4aff44d297e9546299dc7a5fe78

SHA256
886c51418f761edf05633189f9d3385a4453494affb3471ba00100444da45eda

SHA512
56bd59b8047facb3810af558f5180ac6eb424d8864cfbaf137e70860689f250bde02e775a40e6ff72e4065fd06fff8570a9f99c2ae5fdbdea5143dd391742db2

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
3KB

MD5
51b64a353018ca81cc67e5f4f2ace79d

SHA1
ee1f3bc5c9fbb4aff44d297e9546299dc7a5fe78

SHA256
886c51418f761edf05633189f9d3385a4453494affb3471ba00100444da45eda

SHA512
56bd59b8047facb3810af558f5180ac6eb424d8864cfbaf137e70860689f250bde02e775a40e6ff72e4065fd06fff8570a9f99c2ae5fdbdea5143dd391742db2

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
3KB

MD5
d338846a77065cc84fed425171e8fbfb

SHA1
023fb69f0f7828a71df50e24d162efcc386af4fe

SHA256
dfffc4512032f59a0a41c39ee3841b0f36a816bcb5379002d73b3a7a657e8d6c

SHA512
a2c29ac98fe14370d39ce958f5c1ae2cfdcb649e530aa5cec03c6d9452c2924be88dd2bd054f88103a8ea4ab582dc0848cde1cffb281d71deb483506dd7ae1df

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
3KB

MD5
b5a97c9c922d6cfdd40934373ca6dbbe

SHA1
af9a6f4c35195e0bb2f4578ff682e16d07726b3a

SHA256
0bcaee6fafee9f41bee7540597509bb0d674b9db7be4fc8cac58604fe7cc2fa8

SHA512
f444d89f47a24e8e52299c9de9e113b61793f6e4ad3008be971047e0904921b576f795bfe985979143ae6104f579f38a6c3fee9aaceec2e2b05898605a434bd2

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
3KB

MD5
5cc5f855bf5643f425c566f1952eadd3

SHA1
ba5958a74ca0568d8612712bef92f9dd62dee102

SHA256
3b2775d4e852e4cfb73a95283ea1f78c91074fba086448927e63e46aaf6a5ab0

SHA512
3e2ca340a64dd599491c3283080cf2d7d49fe58c369a1117b60932025f5158d04f9e3f737b0546cae8966b8ec1a1f78258edb72d79a52faa1917eb477e6938e0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
460B

MD5
c26b456f9f2f379595886b9a2e75ea8f

SHA1
ebe5ede6bbb3c988642f031591f0518b64a78243

SHA256
5c9e2b67db2f24b933c70ecd1dca209cbd6b0cda667f7799baccfc16a99641ad

SHA512
f4d4d98b0c6c77e964b6015c33b43e5fcb40431fae6c8153b37736d5a21c6251868d0e1aeb399e23dd387d3e2f852dcabbde20c98724175bc6023fe1c493829f

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
C:\ProgramData\SxS\rc.hlp

Filesize
167KB

MD5
cdaa56c3b2b1c8a496a84be77feff592

SHA1
d563a74b0b3ffa7221a24318dc791fe87790569a

SHA256
982a0b34f51fc727b4691195de0cfbc774afc65aad559a3ff792a690f9114db5

SHA512
52dad0cf8e35d9b8f856058c9a94982d0d2e8f2f4870d4b443051682a2123aff3152eb97f85725282ce74a9178052d9506895b884db55e262bd3c6f548514251

Download Submit
C:\ProgramData\SxS\rc.hlp

Filesize
167KB

MD5
cdaa56c3b2b1c8a496a84be77feff592

SHA1
d563a74b0b3ffa7221a24318dc791fe87790569a

SHA256
982a0b34f51fc727b4691195de0cfbc774afc65aad559a3ff792a690f9114db5

SHA512
52dad0cf8e35d9b8f856058c9a94982d0d2e8f2f4870d4b443051682a2123aff3152eb97f85725282ce74a9178052d9506895b884db55e262bd3c6f548514251

Download Submit
C:\Users\Admin\AppData\Local\Temp\33CF.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4137.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\49FD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B93.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B93.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E2.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\94E2.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5E9.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9CD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4F4.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDBB.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\F79A.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Word8.0\MSComctlLib.exd

Filesize
143KB

MD5
eb674b058e6121e2e1199e477e14fc6c

SHA1
afc72259bef41f56091d66735066de60a574c1c9

SHA256
be1dc865f2a8f0f66286049a6e99365d4a0814cf8629f40d6c48d67ec673a1b0

SHA512
a32771cce7f42a5e5c449b098abdc26fefe3bc965e2ecc5ab1b044c2ceda85290fa3760e1f919972be0e93a07fd567c3514f07c0c2bfe09cdbeb0789ab55a9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$6b6bdbd08ad3ce6ef80e98af391220a71b4a69169c159e582067df46a26204.doc

Filesize
162B

MD5
e883a27e1eebbc21fae81e5d0950f355

SHA1
f26fdcdf9410a8f6c40a34045778bb2ddb2d6049

SHA256
2991db295de564a5112e2fb4d2741e9361ad3e12eaf246f24092f7f9040ef342

SHA512
e76968148093642d9c8fef67086c83d98dc0ccdc5bd20d9ac0e0618ffe0975506d15f0d406eb3b27c29de73805e1da0177d417b64bda91d1883c6a7d4891542a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
f6399f6ad95330a1e790a56b96984fb3

SHA1
551e129bb62c741736984cbec444432fa77a65a2

SHA256
37b711569e88ce558bad14116ec77c5910b62dd2152a57d06c268452f15150d6

SHA512
06d3ebf00be0196907eb7d3c972a83f0dbf5a400cde13608f7904003dd2c921ceacbd0713f80dca29547157cfc7f2e821ef825a83f720dcafe28a6a0619515e1

Download Submit
\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
\ProgramData\SxS\rc.exe

Filesize
67KB

MD5
3560bc05de9f7ef2df54495a4c6774f8

SHA1
7f64b41b320913ecc10bbe251fe1f169c5520d20

SHA256
83be17ad26522c9e0e6b28c8638c6548908baeb1e945db77b747ff85e74fea3c

SHA512
1ca4533b00800d0c68560983993dfccc600e1405583cb597fbb5c7248f81b6399d9976857a945453e5cf7e2778ae1e3f28c69c6af1d09bf8b7166c71d4b94740

Download Submit
\ProgramData\SxS\rcdll.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
\ProgramData\SxS\rcdll.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
\ProgramData\SxS\rcdll.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
\ProgramData\SxS\rcdll.dll

Filesize
4KB

MD5
a53220cfef72a3dae4ef290790adccc9

SHA1
d98ec3a0556a758a8bd806743b44840470062af0

SHA256
773a32d2c553b069ec7c49fe5285084de8da72924f4da2a1f789ae4dd8ef6717

SHA512
57ff498b6ef22f9bc14a243c8cf00404ed9ecb5853e5953925f717043165529154635b1f135ea7e926f51a3e35fdbfa408c92f111de31395340661a1d6f953aa

Download Submit
\Users\Admin\AppData\Local\Temp\33CF.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\33CF.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\4137.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\4137.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\49FD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\49FD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\4B93.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\4B93.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\60.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\60.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\94E2.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\94E2.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\B5E9.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\B5E9.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\D9CD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\D9CD.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\E4F4.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\E4F4.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\EDBB.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\EDBB.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\F79A.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
\Users\Admin\AppData\Local\Temp\F79A.tmp

Filesize
244KB

MD5
10af3275e1c5b6adb1503808f0a6457d

SHA1
c6d0cf4613f13a4d745a34abf90443a622c7116b

SHA256
405d09df4d7721e534d5f85a08f65d1991734cc102d598f2769a863852606c81

SHA512
a28c41175d062344a2b869df65b3e7dbd02cb1d7f1491e489226d7f14dfb431e4948b4ca31c9831f8941853388212c44e52f00a16724cabf4a96bee3be340b37

Download Submit
memory/596-75-0x00000000003A0000-0x00000000004A0000-memory.dmp

Filesize
1024KB

Download
memory/596-79-0x00000000004E0000-0x000000000051C000-memory.dmp

Filesize
240KB

Download
memory/596-94-0x00000000004E0000-0x000000000051C000-memory.dmp

Filesize
240KB

Download
memory/768-212-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/768-220-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/892-228-0x0000000000360000-0x000000000039C000-memory.dmp

Filesize
240KB

Download
memory/940-184-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/940-215-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/972-219-0x00000000066E0000-0x00000000066F0000-memory.dmp

Filesize
64KB

Download
memory/972-216-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/972-199-0x0000000070FB1000-0x0000000070FB4000-memory.dmp

Filesize
12KB

Download
memory/972-200-0x00000000722D1000-0x00000000722D3000-memory.dmp

Filesize
8KB

Download
memory/972-203-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/1100-126-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1224-164-0x00000000001A0000-0x00000000001DC000-memory.dmp

Filesize
240KB

Download
memory/1424-93-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1424-128-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1424-84-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/1488-60-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1492-214-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1492-165-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1532-185-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1532-127-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1620-88-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/1632-188-0x0000000006440000-0x000000000659C000-memory.dmp

Filesize
1.4MB

Download
memory/1632-181-0x0000000072231000-0x0000000072234000-memory.dmp

Filesize
12KB

Download
memory/1632-182-0x000000006FCB1000-0x000000006FCB3000-memory.dmp

Filesize
8KB

Download
memory/1632-187-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/1648-195-0x0000000000370000-0x00000000003AC000-memory.dmp

Filesize
240KB

Download
memory/1772-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1772-57-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1772-61-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/1772-77-0x00000000065B0000-0x00000000065C0000-memory.dmp

Filesize
64KB

Download
memory/1772-58-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/1772-55-0x000000006FCB1000-0x000000006FCB3000-memory.dmp

Filesize
8KB

Download
memory/1772-54-0x0000000072231000-0x0000000072234000-memory.dmp

Filesize
12KB

Download
memory/1788-145-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/1792-78-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/1792-66-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1880-138-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/1880-134-0x0000000072231000-0x0000000072234000-memory.dmp

Filesize
12KB

Download
memory/1880-148-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/1880-147-0x00000000063D0000-0x00000000063E0000-memory.dmp

Filesize
64KB

Download
memory/1880-135-0x000000006FCB1000-0x000000006FCB3000-memory.dmp

Filesize
8KB

Download
memory/1932-163-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/1932-152-0x00000000722D1000-0x00000000722D3000-memory.dmp

Filesize
8KB

Download
memory/1932-151-0x0000000070FB1000-0x0000000070FB4000-memory.dmp

Filesize
12KB

Download
memory/1940-213-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/1940-221-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download
memory/2032-130-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2032-111-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/2040-97-0x00000000722D1000-0x00000000722D3000-memory.dmp

Filesize
8KB

Download
memory/2040-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-96-0x0000000070FB1000-0x0000000070FB4000-memory.dmp

Filesize
12KB

Download
memory/2040-114-0x0000000006410000-0x0000000006420000-memory.dmp

Filesize
64KB

Download
memory/2040-125-0x000000006A9A1000-0x000000006A9A3000-memory.dmp

Filesize
8KB

Download
memory/2040-129-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/2040-101-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/2180-233-0x000000006FCB1000-0x000000006FCB3000-memory.dmp

Filesize
8KB

Download
memory/2180-232-0x0000000072231000-0x0000000072234000-memory.dmp

Filesize
12KB

Download
memory/2180-237-0x00000000065F0000-0x000000000674C000-memory.dmp

Filesize
1.4MB

Download
memory/2180-236-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/2256-244-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2392-262-0x0000000006570000-0x0000000006580000-memory.dmp

Filesize
64KB

Download
memory/2392-253-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/2460-260-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2580-269-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/2652-276-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2772-293-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/2772-283-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/2848-291-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/2960-302-0x0000000070C9D000-0x0000000070CA8000-memory.dmp

Filesize
44KB

Download
memory/3040-308-0x00000000005B0000-0x00000000005EC000-memory.dmp

Filesize
240KB

Download