Analysis
-
max time kernel
300s -
max time network
202s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
13-06-2023 18:41
Static task
static1
Behavioral task
behavioral1
Sample
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
Resource
win10v2004-20230220-en
General
-
Target
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
-
Size
679KB
-
MD5
7f075616272cca52e731c11080d0f3ef
-
SHA1
b5142fe556fc114eb221c4b14ad9d19c9e83fe83
-
SHA256
c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
-
SHA512
f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
-
SSDEEP
12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++
Malware Config
Signatures
-
NirSoft MailPassView 12 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/752-105-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/752-106-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/752-108-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/752-111-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/752-113-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1440-149-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1440-151-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1440-152-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1440-155-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1520-198-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1520-202-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView behavioral1/memory/1520-205-0x0000000000080000-0x0000000000104000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 12 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/752-105-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/752-106-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/752-108-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/752-111-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/752-113-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/544-156-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/544-158-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/544-162-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1520-198-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1520-202-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1520-205-0x0000000000080000-0x0000000000104000-memory.dmp WebBrowserPassView behavioral1/memory/1520-207-0x0000000002140000-0x0000000002180000-memory.dmp WebBrowserPassView -
Nirsoft 16 IoCs
Processes:
resource yara_rule behavioral1/memory/752-105-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/752-106-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/752-108-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/752-111-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/752-113-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1440-149-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1440-151-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1440-152-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1440-155-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/544-156-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/544-158-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/544-162-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1520-198-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1520-202-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1520-205-0x0000000000080000-0x0000000000104000-memory.dmp Nirsoft behavioral1/memory/1520-207-0x0000000002140000-0x0000000002180000-memory.dmp Nirsoft -
Executes dropped EXE 6 IoCs
Processes:
microsoft10converters.exemicrosoft10converters.exeWindows Update.exeWindows Update.exemicrosoft10converters.exemicrosoft10converters.exepid process 1232 microsoft10converters.exe 752 microsoft10converters.exe 1528 Windows Update.exe 1480 Windows Update.exe 1508 microsoft10converters.exe 1520 microsoft10converters.exe -
Loads dropped DLL 10 IoCs
Processes:
WINWORD.EXEmicrosoft10converters.exemicrosoft10converters.exeWindows Update.exemicrosoft10converters.exepid process 1172 WINWORD.EXE 1172 WINWORD.EXE 1172 WINWORD.EXE 1232 microsoft10converters.exe 752 microsoft10converters.exe 1528 Windows Update.exe 1172 WINWORD.EXE 1172 WINWORD.EXE 1172 WINWORD.EXE 1508 microsoft10converters.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Windows Update.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 5 IoCs
Processes:
microsoft10converters.exeWindows Update.exeWindows Update.exemicrosoft10converters.exedescription pid process target process PID 1232 set thread context of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1528 set thread context of 1480 1528 Windows Update.exe Windows Update.exe PID 1480 set thread context of 1440 1480 Windows Update.exe vbc.exe PID 1480 set thread context of 544 1480 Windows Update.exe vbc.exe PID 1508 set thread context of 1520 1508 microsoft10converters.exe microsoft10converters.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1172 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
microsoft10converters.exeWindows Update.exeWindows Update.exepid process 1232 microsoft10converters.exe 1232 microsoft10converters.exe 1232 microsoft10converters.exe 1528 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1232 microsoft10converters.exe 1232 microsoft10converters.exe 1528 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1528 Windows Update.exe 1528 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe 1480 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
microsoft10converters.exeWindows Update.exeWindows Update.exemicrosoft10converters.exedescription pid process Token: SeDebugPrivilege 1232 microsoft10converters.exe Token: SeDebugPrivilege 1528 Windows Update.exe Token: SeDebugPrivilege 1480 Windows Update.exe Token: SeDebugPrivilege 1508 microsoft10converters.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEWindows Update.exepid process 1172 WINWORD.EXE 1172 WINWORD.EXE 1480 Windows Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEmicrosoft10converters.exemicrosoft10converters.exeWindows Update.exeWindows Update.exedescription pid process target process PID 1172 wrote to memory of 2040 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 2040 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 2040 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 2040 1172 WINWORD.EXE splwow64.exe PID 1172 wrote to memory of 1232 1172 WINWORD.EXE microsoft10converters.exe PID 1172 wrote to memory of 1232 1172 WINWORD.EXE microsoft10converters.exe PID 1172 wrote to memory of 1232 1172 WINWORD.EXE microsoft10converters.exe PID 1172 wrote to memory of 1232 1172 WINWORD.EXE microsoft10converters.exe PID 1232 wrote to memory of 980 1232 microsoft10converters.exe cmd.exe PID 1232 wrote to memory of 980 1232 microsoft10converters.exe cmd.exe PID 1232 wrote to memory of 980 1232 microsoft10converters.exe cmd.exe PID 1232 wrote to memory of 980 1232 microsoft10converters.exe cmd.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 1232 wrote to memory of 752 1232 microsoft10converters.exe microsoft10converters.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 752 wrote to memory of 1528 752 microsoft10converters.exe Windows Update.exe PID 1528 wrote to memory of 1688 1528 Windows Update.exe cmd.exe PID 1528 wrote to memory of 1688 1528 Windows Update.exe cmd.exe PID 1528 wrote to memory of 1688 1528 Windows Update.exe cmd.exe PID 1528 wrote to memory of 1688 1528 Windows Update.exe cmd.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1528 wrote to memory of 1480 1528 Windows Update.exe Windows Update.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 1440 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe PID 1480 wrote to memory of 544 1480 Windows Update.exe vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"6⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"6⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39974BA3.emfFilesize
5KB
MD5d5c5e16f5d1a574b4643ca75feeff934
SHA13a4498112d3c8196b87120923c449db83477129c
SHA256b32ef8a281ffc811ed9fb7ac4a27cea7cee2d95e5f98e5aab7e6c3c549522c52
SHA5121c08179c39b678d8aaf15024db1d83d50170c82b8986c180a9c2318eeb60358424b96c4b5443d9c983e1e8df3d31512bb6bff4e95ec35d45224b57593d4adab0
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
59B
MD59b294a29cba9a63552604ad89c4d9444
SHA18e5bb542f31fccad06e69502c7dba5a62e9b9cb9
SHA256a3f87150ecc0223f9099533d33c8839a435a2276bf243c7fbf0f063a182d31e1
SHA512c45e8ae93eb82aefa86f7e46cbf47dfed4738b88b94e37925bc716a9b304ac6827f55d007f676783df6fed3a84d552f00ddf2dd00cbffdc1348f215878030a51
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
85KB
MD52e5f1cf69f92392f8829fc9c9263ae9b
SHA197b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA25651985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Local\Temp\microsoft10converters.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
658KB
MD55e9a63f5b3d8f53478a2889c0eefd510
SHA1d6d545146b969ac2ea389a1f11ffcda377549da2
SHA2564c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
SHA5122ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
-
memory/544-162-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/544-156-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/544-158-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/752-103-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-111-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-108-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/752-106-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-104-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-105-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/752-113-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1172-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1172-96-0x0000000005C40000-0x0000000005C42000-memory.dmpFilesize
8KB
-
memory/1232-100-0x0000000000260000-0x00000000002A0000-memory.dmpFilesize
256KB
-
memory/1440-151-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-155-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-154-0x0000000000420000-0x0000000000487000-memory.dmpFilesize
412KB
-
memory/1440-152-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1440-149-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1480-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1480-165-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-136-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-153-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1480-148-0x0000000000280000-0x00000000002C0000-memory.dmpFilesize
256KB
-
memory/1508-206-0x0000000000180000-0x00000000001C0000-memory.dmpFilesize
256KB
-
memory/1520-205-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1520-207-0x0000000002140000-0x0000000002180000-memory.dmpFilesize
256KB
-
memory/1520-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1520-198-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1520-202-0x0000000000080000-0x0000000000104000-memory.dmpFilesize
528KB
-
memory/1528-122-0x0000000000240000-0x0000000000280000-memory.dmpFilesize
256KB