9fe7f6f70a8d9a9f37c579036d0ebad75ecacedce4ab5d61f2258436ab895b3a

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b653cd1fa400b4dbc03be3b4b5c6e55.exe
Size

116KB
MD5

2b653cd1fa400b4dbc03be3b4b5c6e55
SHA1

ecbb4349c5b10b5853fb5f045255ca73672b6025
SHA256

9fe7f6f70a8d9a9f37c579036d0ebad75ecacedce4ab5d61f2258436ab895b3a
SHA512

c81a9fd7f6d2bb2fcef9805464ec7a35c11fabffc021cab687bcaa77da93fe2e0b07e6e48c8b54f4f01347f97cd6f30e14ffef5b0fdf7d50e105a60d761fff49
SSDEEP

1536:RUOZ4iKEFXvxKqHsqQc+EkV1/C2dfGnS5OJ4Z/B+E3KOgqHsDKEFXvxg+:RUe/XeyC1E+1/Fdf8490BOgyuXH

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe

Executes dropped EXE 64 IoCs

pid	Process
2792	msbootlog.exe
2716	msbootlog.exe
2256	msbootlog.exe
2036	msbootlog.exe
1632	msbootlog.exe
2044	msbootlog.exe
1204	msbootlog.exe
320	msbootlog.exe
696	msbootlog.exe
1172	msbootlog.exe
1076	msbootlog.exe
1808	msbootlog.exe
1424	msbootlog.exe
776	msbootlog.exe
948	msbootlog.exe
2248	msbootlog.exe
1512	msbootlog.exe
3008	msbootlog.exe
2888	msbootlog.exe
2968	msbootlog.exe
2360	msbootlog.exe
2496	msbootlog.exe
1960	msbootlog.exe
1688	msbootlog.exe
1684	msbootlog.exe
1972	msbootlog.exe
2528	msbootlog.exe
1488	msbootlog.exe
2328	msbootlog.exe
1556	msbootlog.exe
1328	msbootlog.exe
1636	msbootlog.exe
2212	msbootlog.exe
1508	msbootlog.exe
1612	msbootlog.exe
2804	msbootlog.exe
2880	msbootlog.exe
2732	msbootlog.exe
2928	msbootlog.exe
1992	msbootlog.exe
2636	msbootlog.exe
340	msbootlog.exe
2496	msbootlog.exe
1960	msbootlog.exe
1820	msbootlog.exe
1380	msbootlog.exe
2136	msbootlog.exe
2344	msbootlog.exe
2556	msbootlog.exe
2276	msbootlog.exe
1904	msbootlog.exe
1328	msbootlog.exe
2108	msbootlog.exe
1756	msbootlog.exe
2436	msbootlog.exe
2748	msbootlog.exe
2768	msbootlog.exe
2880	msbootlog.exe
2272	msbootlog.exe
2440	msbootlog.exe
2636	msbootlog.exe
1660	msbootlog.exe
1692	msbootlog.exe
472	msbootlog.exe

Loads dropped DLL 64 IoCs

pid	Process
2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
2792	msbootlog.exe
2792	msbootlog.exe
2716	msbootlog.exe
2716	msbootlog.exe
2256	msbootlog.exe
2256	msbootlog.exe
2036	msbootlog.exe
2036	msbootlog.exe
1632	msbootlog.exe
1632	msbootlog.exe
2044	msbootlog.exe
2044	msbootlog.exe
1204	msbootlog.exe
1204	msbootlog.exe
320	msbootlog.exe
320	msbootlog.exe
696	msbootlog.exe
696	msbootlog.exe
1172	msbootlog.exe
1172	msbootlog.exe
1076	msbootlog.exe
1076	msbootlog.exe
1808	msbootlog.exe
1808	msbootlog.exe
1424	msbootlog.exe
1424	msbootlog.exe
776	msbootlog.exe
776	msbootlog.exe
948	msbootlog.exe
948	msbootlog.exe
2248	msbootlog.exe
2248	msbootlog.exe
1512	msbootlog.exe
1512	msbootlog.exe
3008	msbootlog.exe
3008	msbootlog.exe
2888	msbootlog.exe
2888	msbootlog.exe
2968	msbootlog.exe
2968	msbootlog.exe
2360	msbootlog.exe
2360	msbootlog.exe
2496	msbootlog.exe
2496	msbootlog.exe
1960	msbootlog.exe
1960	msbootlog.exe
1688	msbootlog.exe
1688	msbootlog.exe
1684	msbootlog.exe
1684	msbootlog.exe
1972	msbootlog.exe
1972	msbootlog.exe
2528	msbootlog.exe
2528	msbootlog.exe
1488	msbootlog.exe
1488	msbootlog.exe
2328	msbootlog.exe
2328	msbootlog.exe
1556	msbootlog.exe
1556	msbootlog.exe
1328	msbootlog.exe
1328	msbootlog.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dfinstall.txt	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
File opened for modification	C:\Windows\SysWOW64\love.doc	WINWORD.EXE
File created	C:\Windows\SysWOW64\~$love.doc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\~$love.doc	WINWORD.EXE
File created	C:\Windows\SysWOW64\msbootlog.exe	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
File opened for modification	C:\Windows\SysWOW64\msbootlog.exe	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
File created	C:\Windows\SysWOW64\love.txt	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
File created	C:\Windows\SysWOW64\setuplog.txt	2b653cd1fa400b4dbc03be3b4b5c6e55.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1368	WINWORD.EXE

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe
2792	msbootlog.exe
2716	msbootlog.exe
2256	msbootlog.exe
2036	msbootlog.exe
1632	msbootlog.exe
2044	msbootlog.exe
1204	msbootlog.exe
320	msbootlog.exe
696	msbootlog.exe
1172	msbootlog.exe
1076	msbootlog.exe
1368	WINWORD.EXE
1808	msbootlog.exe
1368	WINWORD.EXE
1424	msbootlog.exe
776	msbootlog.exe
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE
948	msbootlog.exe
2248	msbootlog.exe
1512	msbootlog.exe
3008	msbootlog.exe
2888	msbootlog.exe
2968	msbootlog.exe
2360	msbootlog.exe
2496	msbootlog.exe
1960	msbootlog.exe
1688	msbootlog.exe
1684	msbootlog.exe
1972	msbootlog.exe
2528	msbootlog.exe
1488	msbootlog.exe
2328	msbootlog.exe
1556	msbootlog.exe
1328	msbootlog.exe
1636	msbootlog.exe
2212	msbootlog.exe
1508	msbootlog.exe
1612	msbootlog.exe
2804	msbootlog.exe
2880	msbootlog.exe
2732	msbootlog.exe
2928	msbootlog.exe
1992	msbootlog.exe
2636	msbootlog.exe
340	msbootlog.exe
2496	msbootlog.exe
1960	msbootlog.exe
1820	msbootlog.exe
1380	msbootlog.exe
2136	msbootlog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2792	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	28
PID 2408 wrote to memory of 2792	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	28
PID 2408 wrote to memory of 2792	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	28
PID 2408 wrote to memory of 2792	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	28
PID 2792 wrote to memory of 2716	2792	msbootlog.exe	29
PID 2792 wrote to memory of 2716	2792	msbootlog.exe	29
PID 2792 wrote to memory of 2716	2792	msbootlog.exe	29
PID 2792 wrote to memory of 2716	2792	msbootlog.exe	29
PID 2716 wrote to memory of 2256	2716	msbootlog.exe	30
PID 2716 wrote to memory of 2256	2716	msbootlog.exe	30
PID 2716 wrote to memory of 2256	2716	msbootlog.exe	30
PID 2716 wrote to memory of 2256	2716	msbootlog.exe	30
PID 2256 wrote to memory of 2036	2256	msbootlog.exe	32
PID 2256 wrote to memory of 2036	2256	msbootlog.exe	32
PID 2256 wrote to memory of 2036	2256	msbootlog.exe	32
PID 2256 wrote to memory of 2036	2256	msbootlog.exe	32
PID 2408 wrote to memory of 1368	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	31
PID 2408 wrote to memory of 1368	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	31
PID 2408 wrote to memory of 1368	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	31
PID 2408 wrote to memory of 1368	2408	2b653cd1fa400b4dbc03be3b4b5c6e55.exe	31
PID 2036 wrote to memory of 1632	2036	msbootlog.exe	33
PID 2036 wrote to memory of 1632	2036	msbootlog.exe	33
PID 2036 wrote to memory of 1632	2036	msbootlog.exe	33
PID 2036 wrote to memory of 1632	2036	msbootlog.exe	33
PID 1632 wrote to memory of 2044	1632	msbootlog.exe	34
PID 1632 wrote to memory of 2044	1632	msbootlog.exe	34
PID 1632 wrote to memory of 2044	1632	msbootlog.exe	34
PID 1632 wrote to memory of 2044	1632	msbootlog.exe	34
PID 2044 wrote to memory of 1204	2044	msbootlog.exe	35
PID 2044 wrote to memory of 1204	2044	msbootlog.exe	35
PID 2044 wrote to memory of 1204	2044	msbootlog.exe	35
PID 2044 wrote to memory of 1204	2044	msbootlog.exe	35
PID 1204 wrote to memory of 320	1204	msbootlog.exe	36
PID 1204 wrote to memory of 320	1204	msbootlog.exe	36
PID 1204 wrote to memory of 320	1204	msbootlog.exe	36
PID 1204 wrote to memory of 320	1204	msbootlog.exe	36
PID 320 wrote to memory of 696	320	msbootlog.exe	37
PID 320 wrote to memory of 696	320	msbootlog.exe	37
PID 320 wrote to memory of 696	320	msbootlog.exe	37
PID 320 wrote to memory of 696	320	msbootlog.exe	37
PID 696 wrote to memory of 1172	696	msbootlog.exe	38
PID 696 wrote to memory of 1172	696	msbootlog.exe	38
PID 696 wrote to memory of 1172	696	msbootlog.exe	38
PID 696 wrote to memory of 1172	696	msbootlog.exe	38
PID 1172 wrote to memory of 1076	1172	msbootlog.exe	39
PID 1172 wrote to memory of 1076	1172	msbootlog.exe	39
PID 1172 wrote to memory of 1076	1172	msbootlog.exe	39
PID 1172 wrote to memory of 1076	1172	msbootlog.exe	39
PID 1076 wrote to memory of 1808	1076	msbootlog.exe	40
PID 1076 wrote to memory of 1808	1076	msbootlog.exe	40
PID 1076 wrote to memory of 1808	1076	msbootlog.exe	40
PID 1076 wrote to memory of 1808	1076	msbootlog.exe	40
PID 1808 wrote to memory of 1424	1808	msbootlog.exe	41
PID 1808 wrote to memory of 1424	1808	msbootlog.exe	41
PID 1808 wrote to memory of 1424	1808	msbootlog.exe	41
PID 1808 wrote to memory of 1424	1808	msbootlog.exe	41
PID 1424 wrote to memory of 776	1424	msbootlog.exe	42
PID 1424 wrote to memory of 776	1424	msbootlog.exe	42
PID 1424 wrote to memory of 776	1424	msbootlog.exe	42
PID 1424 wrote to memory of 776	1424	msbootlog.exe	42
PID 776 wrote to memory of 948	776	msbootlog.exe	43
PID 776 wrote to memory of 948	776	msbootlog.exe	43
PID 776 wrote to memory of 948	776	msbootlog.exe	43
PID 776 wrote to memory of 948	776	msbootlog.exe	43

C:\Users\Admin\AppData\Local\Temp\2b653cd1fa400b4dbc03be3b4b5c6e55.exe
"C:\Users\Admin\AppData\Local\Temp\2b653cd1fa400b4dbc03be3b4b5c6e55.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\msbootlog.exe
  "C:\Windows\System32\msbootlog.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\msbootlog.exe
    "C:\Windows\System32\msbootlog.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\msbootlog.exe
      "C:\Windows\System32\msbootlog.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        26⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        33⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        38⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        44⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        45⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        47⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        49⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        50⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        51⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        52⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        53⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        54⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        55⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        56⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        57⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        58⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        60⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        61⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        62⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        63⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        64⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        65⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        66⤵
        Drops file in Drivers directory
        
        PID:880
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        67⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        68⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        69⤵
        Drops file in Drivers directory
        
        PID:1092
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        70⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        71⤵
        
        PID:760
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        72⤵
        Drops file in Drivers directory
        
        PID:1576
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        73⤵
        Drops file in Drivers directory
        
        PID:2464
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        74⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        75⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        76⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        77⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        78⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        79⤵
        Drops file in Drivers directory
        
        PID:2596
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        80⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        81⤵
        Drops file in Drivers directory
        
        PID:2960
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        82⤵
        Drops file in Drivers directory
        
        PID:1796
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        83⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        84⤵
        Drops file in Drivers directory
        
        PID:1740
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        85⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        86⤵
        Drops file in Drivers directory
        
        PID:2856
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        87⤵
        Drops file in Drivers directory
        
        PID:1996
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        88⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        89⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        90⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        91⤵
        Drops file in Drivers directory
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        92⤵
        Drops file in Drivers directory
        
        PID:2124
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        93⤵
        
        PID:640
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        94⤵
        Drops file in Drivers directory
        
        PID:1624
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        95⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        96⤵
        Drops file in Drivers directory
        
        PID:1636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        97⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        98⤵
        Drops file in Drivers directory
        
        PID:1680
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        99⤵
        Drops file in Drivers directory
        
        PID:2592
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        100⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        101⤵
        Drops file in Drivers directory
        
        PID:1000
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        102⤵
        
        PID:856
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        103⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        104⤵
        Drops file in Drivers directory
        
        PID:2032
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        105⤵
        
        PID:284
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        106⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        107⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        108⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        109⤵
        Drops file in Drivers directory
        
        PID:1020
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        110⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        111⤵
        Drops file in Drivers directory
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        112⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        113⤵
        
        PID:876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        114⤵
        Drops file in Drivers directory
        
        PID:1100
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        115⤵
        Drops file in Drivers directory
        
        PID:2400
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        116⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        117⤵
        Drops file in Drivers directory
        
        PID:2796
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        118⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        119⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        120⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        121⤵
        Drops file in Drivers directory
        
        PID:1580
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        122⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        123⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        124⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        125⤵
        Drops file in Drivers directory
        
        PID:1028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        126⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        127⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        128⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        129⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        130⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        131⤵
        Drops file in Drivers directory
        
        PID:2308
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        132⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        133⤵
        Drops file in Drivers directory
        
        PID:1536
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        134⤵
        Drops file in Drivers directory
        
        PID:2116
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        135⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        136⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        137⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        138⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        139⤵
        
        PID:892
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        140⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        141⤵
        Drops file in Drivers directory
        
        PID:1940
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        142⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        143⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        144⤵
        Drops file in Drivers directory
        
        PID:1388
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        145⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        146⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        147⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        148⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        149⤵
        Drops file in Drivers directory
        
        PID:1980
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        150⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        151⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        152⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        153⤵
        Drops file in Drivers directory
        
        PID:2908
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        154⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        155⤵
        Drops file in Drivers directory
        
        PID:792
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        156⤵
        
        PID:432
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        157⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        158⤵
        Drops file in Drivers directory
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        159⤵
        Drops file in Drivers directory
        
        PID:2556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        160⤵
        
        PID:1624
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\System32\love.doc"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1368
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hideproc.sys

Filesize
3KB

MD5
7b2e157302bf7bd071f54f0960f2f5d8

SHA1
bf4dfc298cddeafbe58eb35ee2c0ece246b41669

SHA256
753ec69ee1a7d9f024576175c94069787024dac13825722e291da0ae4c03304b

SHA512
0f76da9793bfeb594654945c92cc0ac26b45a491dc080fd21f860dc6b1efa271eed85603cad1904e867369c17e05e84271f3a063ab0801a778f421a7e5e83bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
bb7a55fd586f2051c01d2ce7271fdfc9

SHA1
77bce8cbf3e2e1223de6641cf5b7eb9fcd99ea86

SHA256
3563de02edad91723853a63298e3bcd617ad9e22f58ebd4b4192dac79e34f4fc

SHA512
35e70cd7fdd9ac2cceab4d2396d875298e43abed8d177f1376ee8f48d44cf02b57a4216ebdbf6c0c01428e9f8e9a14f23273340656c9208e5ef75a0bc1b1d0bd

Download Submit
C:\Windows\SysWOW64\love.doc

Filesize
14B

MD5
c265612e0d986497f8a00c0f6b78bce3

SHA1
c3746d85e33504464cd3af39b80868f61244ade5

SHA256
4b24ee8472e13a93ddd4daa09a16b72b30675ac61ecb621b9b12af733c8db997

SHA512
a0f5440204f058620814b561d3ac9eb047cef5aede1639ef14171b20f96f61c02fbc7cda07d87c6cbe8161ad90aa1eb2869c13426a7ab6b3b73dd166307388be

Download Submit
\Windows\SysWOW64\msbootlog.exe

Filesize
116KB

MD5
2b653cd1fa400b4dbc03be3b4b5c6e55

SHA1
ecbb4349c5b10b5853fb5f045255ca73672b6025

SHA256
9fe7f6f70a8d9a9f37c579036d0ebad75ecacedce4ab5d61f2258436ab895b3a

SHA512
c81a9fd7f6d2bb2fcef9805464ec7a35c11fabffc021cab687bcaa77da93fe2e0b07e6e48c8b54f4f01347f97cd6f30e14ffef5b0fdf7d50e105a60d761fff49

Download Submit
memory/320-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/340-584-0x0000000003940000-0x0000000003962000-memory.dmp

Filesize
136KB

Download
memory/696-162-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/696-160-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/776-241-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/776-240-0x0000000002780000-0x00000000027A2000-memory.dmp

Filesize
136KB

Download
memory/948-253-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/1076-267-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1172-179-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1172-176-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/1204-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1368-163-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-1199-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-239-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/1368-75-0x000000002F881000-0x000000002F882000-memory.dmp

Filesize
4KB

Download
memory/1368-170-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/1424-220-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/1424-224-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1424-302-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/1488-433-0x0000000003940000-0x0000000003962000-memory.dmp

Filesize
136KB

Download
memory/1488-434-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1508-497-0x0000000003950000-0x0000000003972000-memory.dmp

Filesize
136KB

Download
memory/1512-295-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1512-294-0x0000000003A90000-0x0000000003AB2000-memory.dmp

Filesize
136KB

Download
memory/1612-508-0x0000000003940000-0x0000000003962000-memory.dmp

Filesize
136KB

Download
memory/1612-509-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1632-178-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/1632-102-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/1632-101-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1632-100-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/1684-401-0x00000000025D0000-0x00000000025F2000-memory.dmp

Filesize
136KB

Download
memory/1688-389-0x0000000001E00000-0x0000000001E22000-memory.dmp

Filesize
136KB

Download
memory/1688-390-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1808-208-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1960-607-0x0000000003960000-0x0000000003982000-memory.dmp

Filesize
136KB

Download
memory/1960-378-0x0000000001FF0000-0x0000000002012000-memory.dmp

Filesize
136KB

Download
memory/1972-412-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1992-563-0x0000000002800000-0x0000000002822000-memory.dmp

Filesize
136KB

Download
memory/2044-117-0x0000000003A70000-0x0000000003A92000-memory.dmp

Filesize
136KB

Download
memory/2044-118-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2044-115-0x0000000003A70000-0x0000000003A92000-memory.dmp

Filesize
136KB

Download
memory/2248-269-0x0000000002690000-0x00000000026B2000-memory.dmp

Filesize
136KB

Download
memory/2256-161-0x00000000038F0000-0x0000000003912000-memory.dmp

Filesize
136KB

Download
memory/2256-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2328-446-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2328-445-0x0000000003A70000-0x0000000003A92000-memory.dmp

Filesize
136KB

Download
memory/2360-356-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/2360-354-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-74-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-26-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/2408-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2496-367-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2496-358-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2496-596-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2496-595-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/2716-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2792-27-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2792-44-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2792-42-0x0000000003930000-0x0000000003952000-memory.dmp

Filesize
136KB

Download
memory/2804-521-0x0000000003A70000-0x0000000003A92000-memory.dmp

Filesize
136KB

Download
memory/2880-532-0x0000000002910000-0x0000000002932000-memory.dmp

Filesize
136KB

Download
memory/2888-327-0x00000000037E0000-0x0000000003802000-memory.dmp

Filesize
136KB

Download
memory/2888-329-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2968-342-0x0000000002AD0000-0x0000000002AF2000-memory.dmp

Filesize
136KB

Download
memory/2968-343-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3008-314-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download