5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Size

34KB
MD5

f6d30157008693afcf676cd01fad3c34
SHA1

2fc9d6e7e74a1037af398fcfc96ad7fc1cd381cd
SHA256

5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7
SHA512

0d0bbe3f8b0b4bb8593f4ac619e907b0270f0ca0fbc1973a80978ed24298dcf8ab9cb1d4391929529ca7e29ff341ad77bc3efd8d6ea936c5e05bb3eaede2825e
SSDEEP

768:ZUE1vUccrqXdj+Sg7ONPCM6kgjUCJS8YzXBbanqv:ZUGUcGydj+Sg7g6LobFr5YU

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe

Executes dropped EXE 2 IoCs

pid	Process
2908	WINWORD.EXE
2196	SPOOL32.EXE

Loads dropped DLL 2 IoCs

pid	Process
2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\exe.ico"	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	SPOOL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Cpl = "C:\\Windows\\SPOOL32.EXE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Word = "C:\\Windows\\system32\\WINWORD.EXE"	WINWORD.EXE

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	WINWORD.EXE
File opened (read-only)	\??\E:	SPOOL32.EXE
File opened (read-only)	\??\F:	SPOOL32.EXE
File opened (read-only)	\??\G:	SPOOL32.EXE
File opened (read-only)	\??\H:	SPOOL32.EXE
File opened (read-only)	\??\D:	WINWORD.EXE
File opened (read-only)	\??\E:	WINWORD.EXE
File opened (read-only)	\??\F:	WINWORD.EXE
File opened (read-only)	\??\G:	WINWORD.EXE
File opened (read-only)	\??\D:	SPOOL32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WINWORD.EXE	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\WINDOWS\Start Menu\Programs\StartUp\WINWORD.EXE	WINWORD.EXE
File created	C:\Windows\SPOOL32.EXE	WINWORD.EXE
File opened for modification	\??\c:\windows\Buset Deh...jpg .exe	WINWORD.EXE
File created	C:\WINDOWS\Start Menu\Programs\StartUp\WINWORD.EXE	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
File created	C:\WINDOWS\Start Menu\Programs\StartUp\SPOOL32.EXE	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
File opened for modification	C:\Windows\exe.ico	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
File created	C:\WINDOWS\Start Menu\Programs\StartUp\SPOOL32.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SPOOL32.EXE	WINWORD.EXE
File created	C:\Windows\help.htm	WINWORD.EXE
File created	\??\c:\windows\Buset Deh...jpg .exe	WINWORD.EXE
File opened for modification	C:\Windows\help.htm	SPOOL32.EXE
File opened for modification	C:\Windows\help.htm	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOL32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ac6684ff275cce4f82974a4fa55fd96300000000020000000000106600000001000020000000dc97a1597ef5cd67f9b760e7b9cea65e5b3f55b8cccdb7e9298924637ee71712000000000e8000000002000020000000c4c6f6a9ac66c1f84ac2e6752924a71e6067e1f78b32a64411cd039813da824a200000004c5c3458afac97ae82a29962f7eb3d1e4384462dc76013e2378fe467bba96da640000000b790a4ce40e909365cc15bc4fa55a7c51d8566983f6323b022f3cd94a59fdfa6a33ed04756fb11d147658fdb08bc300024694c4dd23648c86639095a0f913a9c	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0982280921adb01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434671309"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC467081-8685-11EF-8B6F-725FF0DF1EEB} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ac6684ff275cce4f82974a4fa55fd96300000000020000000000106600000001000020000000c5de5fd3ad3cfdfdd5b52cce406e99e33eef16130e0d8a26bee29f7c0a4e9860000000000e8000000002000020000000dcd798d10891aeeda54c73b3c3c262edd68a80e90c43576b171928cd12b04945900000003cc92dc6759f835421a83e59e988ab13fca44953eefea1ec686a686f8429b935eff64784009f6583d89c89203f1900e48eeb5d5271f54ee610cb5169aa43500ebcc058793ac11bf497aa3ec951c6e51110d90e4078210c92d0deafd7659385b4c32728ccc8a8ab7c0d2ab0a18b0287b38d2668d621e5eada454fb44a1ebd83d6592eba15bb6406080d20245a71a4cdb740000000896e504601d71f7b1b45c8a9e0137080bdbc4f135f6d8fa463589e990be27e33a1e9c73e08634f5c3a885e286b4501338a87e0402f0aee1797da252592a98cbe	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "cmd.exe /c del \"%1\""	SPOOL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	SPOOL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "cmd.exe /c del \"%1\""	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\exe.ico"	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "cmd.exe /c del \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2896	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
2908	WINWORD.EXE
2908	WINWORD.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE
2196	SPOOL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2908	WINWORD.EXE
2196	SPOOL32.EXE
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2908	WINWORD.EXE
2196	SPOOL32.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
2896	WINWORD.EXE
2896	WINWORD.EXE
2908	WINWORD.EXE
2196	SPOOL32.EXE
376	IEXPLORE.EXE
376	IEXPLORE.EXE
1412	IEXPLORE.EXE
1412	IEXPLORE.EXE
376	IEXPLORE.EXE
376	IEXPLORE.EXE
788	IEXPLORE.EXE
788	IEXPLORE.EXE
788	IEXPLORE.EXE
788	IEXPLORE.EXE
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
376	IEXPLORE.EXE
376	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2908	2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe	32
PID 2712 wrote to memory of 2908	2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe	32
PID 2712 wrote to memory of 2908	2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe	32
PID 2712 wrote to memory of 2908	2712	5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe	32
PID 2908 wrote to memory of 2196	2908	WINWORD.EXE	33
PID 2908 wrote to memory of 2196	2908	WINWORD.EXE	33
PID 2908 wrote to memory of 2196	2908	WINWORD.EXE	33
PID 2908 wrote to memory of 2196	2908	WINWORD.EXE	33
PID 2896 wrote to memory of 2184	2896	WINWORD.EXE	34
PID 2896 wrote to memory of 2184	2896	WINWORD.EXE	34
PID 2896 wrote to memory of 2184	2896	WINWORD.EXE	34
PID 2896 wrote to memory of 2184	2896	WINWORD.EXE	34
PID 2908 wrote to memory of 376	2908	WINWORD.EXE	35
PID 2908 wrote to memory of 376	2908	WINWORD.EXE	35
PID 2908 wrote to memory of 376	2908	WINWORD.EXE	35
PID 2908 wrote to memory of 376	2908	WINWORD.EXE	35
PID 376 wrote to memory of 1412	376	IEXPLORE.EXE	36
PID 376 wrote to memory of 1412	376	IEXPLORE.EXE	36
PID 376 wrote to memory of 1412	376	IEXPLORE.EXE	36
PID 376 wrote to memory of 1412	376	IEXPLORE.EXE	36
PID 2196 wrote to memory of 1980	2196	SPOOL32.EXE	37
PID 2196 wrote to memory of 1980	2196	SPOOL32.EXE	37
PID 2196 wrote to memory of 1980	2196	SPOOL32.EXE	37
PID 2196 wrote to memory of 1980	2196	SPOOL32.EXE	37
PID 376 wrote to memory of 788	376	IEXPLORE.EXE	38
PID 376 wrote to memory of 788	376	IEXPLORE.EXE	38
PID 376 wrote to memory of 788	376	IEXPLORE.EXE	38
PID 376 wrote to memory of 788	376	IEXPLORE.EXE	38
PID 2908 wrote to memory of 2844	2908	WINWORD.EXE	40
PID 2908 wrote to memory of 2844	2908	WINWORD.EXE	40
PID 2908 wrote to memory of 2844	2908	WINWORD.EXE	40
PID 2908 wrote to memory of 2844	2908	WINWORD.EXE	40
PID 376 wrote to memory of 2712	376	IEXPLORE.EXE	41
PID 376 wrote to memory of 2712	376	IEXPLORE.EXE	41
PID 376 wrote to memory of 2712	376	IEXPLORE.EXE	41
PID 376 wrote to memory of 2712	376	IEXPLORE.EXE	41
PID 2196 wrote to memory of 2780	2196	SPOOL32.EXE	42
PID 2196 wrote to memory of 2780	2196	SPOOL32.EXE	42
PID 2196 wrote to memory of 2780	2196	SPOOL32.EXE	42
PID 2196 wrote to memory of 2780	2196	SPOOL32.EXE	42
PID 376 wrote to memory of 2988	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2988	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2988	376	IEXPLORE.EXE	43
PID 376 wrote to memory of 2988	376	IEXPLORE.EXE	43

C:\Users\Admin\AppData\Local\Temp\5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe
"C:\Users\Admin\AppData\Local\Temp\5debff980a97f2e43249b349e49097e9d93328d89e531bbb088330b5d9cd33e7.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WINWORD.EXE
  C:\Windows\system32\WINWORD.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SPOOL32.EXE
    C:\Windows\SPOOL32.EXE
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows/help.htm
      4⤵
      PID:1980
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows/help.htm
      4⤵
      PID:2780
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows/help.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1412
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:275464 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:406554 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:376 CREDAT:406561 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2988
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows/help.htm
    3⤵
    PID:2844

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
852dbdd8d5cd4b5425c8d276c3ce3971

SHA1
22ae0636d37d37f4c5a7e2b6124666203a7cd400

SHA256
0fbc5ded36500d0796f0d1557b7087d8f7674283bba1798931db5758516c5dfd

SHA512
17629c3e35cfb55b1f48eb6aceb9250f05342bb392b498e923f90c6cd165ff4889d3698c846defe107e09f63f44b49a42cf98f0529ea7c46b716af91334a807e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f9431aa75eae2e9bfdca114c77d1e09

SHA1
d4a1a93789634b6a258562f83508b570b408e0d0

SHA256
2a2ee69084cc7f77d5fa728ec610962e81db204afda789895e5382982a5f2acd

SHA512
29966f24ef4b2a31bfad82e4048de3ac6ef405e94b9b9f51cc3bc749fde621c0640aeb3ee2b1cddedacfe027373625242fa464117941203301834a138310f8dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6de93fd4a877c25b1bbcbc862fa49001

SHA1
f395a10e9a7a4f03734e6f74e4a4c5f1b8957ad9

SHA256
b33200f7268036ecff680ce3dfc752185b31de64ac433c3274e042dbeec14c98

SHA512
fe5fedb0040aa8c6f1d9d09b5022cf44a8d13f0ac488cfff2c633ffe03471d9a301c352cd18c10988e41510cade69ee141d3cc509a4459859912998423e12ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a38bd40c7525690aa102157b76459947

SHA1
ea1236faa8f6b838c5dff8669f3a3073b03b0f96

SHA256
b7790ed28573bbc09b6f54c0fb36fc3a95954748d53784b32bc9eb95f588dfac

SHA512
0c5fe732755d931083f715f6ada9d389fdd5d85b96fed7459cc05da292ea73971ed026736a9edb335d85ca730bbee22de80dd97c68377ce922cd15cca7be3647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa2f787a13fcb4e8b4558693925dc6f6

SHA1
59cf454c2e47d1d508622ad0e8d98e814919075f

SHA256
1d9988760769c9d88bee3a6123d26d2e1d9c0d24ee6fc595584626c42ae758ac

SHA512
883ecfd4983d360fb824435c314220decbf4b4092df67366f9f3dde7d232f07ae77f9aea78f48335b59311727c2b24ff99b8c24113778cbfaf2f63b4ede2c8b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8523915a8d4ada95cbe55e1a22a81f37

SHA1
82a5fae895072b2c96dfeb4ebe2c47274af8830a

SHA256
0fa8910ef340d61e8596a7a601eb5134e87460c0dd78dcb0cda1888e0f4fbcc6

SHA512
6235c8549a0c6f9e007af228f3be3088e8c1eb082ff92bb3058e7bfdd0f68d0f3cf393425c680351c28701c4e362aeb6897639e2f1d46b056c3e30f1c7538ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7560abb1a7f9c291d046dc553d723f20

SHA1
ea14036b5e0aea0c655c839c8f0d0c4c44db5021

SHA256
2b6de9768ddb4bd1a0eb3c2a0ef9fbac4834487608a342c6c8e10fa4e707a745

SHA512
e07ba54bbf605b295ebd036f212ef08dce98eaa9ed1bcaca7136d377e5a502536bb86dcc2901aa7c877d9ba6bfc8487f5046a09cc6f8f22f40fa84ffefa2ff01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a0eb408737617ca465f642533854039

SHA1
fbe716b41906ab640ea72a8ffd3ec7aa9ee339d5

SHA256
e5f0521dbd2d6e7dadc51d2810f06d2ef7d6d48bb6cc4fa362b033d160e9f00a

SHA512
3b415260c8110b5def263510d702ab2444b4ffdce793cfd911d77f98068536388f70d4d1c4c82084c0feac773525d3e097d7a4d44a8ea88db100e03c4bc8f62d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c614e80e186403c44948668c6bfa920

SHA1
080f6646a4ac85a887b535fa72c5a8a1c5bad32e

SHA256
cd2b2b16be1c9ee3f60582181b58372b2d586029c91e003c6b16b9e2feaab677

SHA512
a6240054bc8b7e965d86d397c97be16f260d0415dbd70d48099876a0be147d3c7dec39c4df5e0592eea6a79ca2872e79407abdc15f321738724c56dc814e173a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ee058439d5b22f0f2a30ff6de7a4b56

SHA1
517ef601466b3cb0b2c0978668a3329f5e043cdd

SHA256
5ce0c1f664bba27dd4edd527e7a631760ac59dae11b8a301553b8ad9e11e576c

SHA512
f9587216b723c694568e410c6fb086182e8be5d00f1c30514335ca2f4fa2b1aa3636c594bc612c42d866cd93fed25020b90c2a4b464784d65de1daec6c198a10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbfc1a28c9327de939b76524dcf5313a

SHA1
ab0c233cb1f6f6ebe4e9a6b1603aa2343fa2aa6f

SHA256
e38812326fafe863a1eb007cb96a0f586852e055290c0a1cc654309914b66927

SHA512
b1f4cf97d2e67acc078bbed1269ac22945830d781b6290cd65a2366012d5b78b01c4b2cf796223219da9e12c8174769f3e7a4b5d347dc4ae797559e8be8519ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9fa531d63c0a41d8fade7486a943dbb

SHA1
fb83eb9da11668bbfd1aaedff09d7d951e0f5135

SHA256
01891d9f525919725de6da8642fc098dbc2764d139dea355e1d017c448ce3625

SHA512
879262d1e819ee2e55189c455a177ef6a4c19f7efc61b5a5fd8d1f6f0cc3ac669aca2eab88de4e9734acd938bd25b0510fe05c475aaae3554e1f4923233cf5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de1450879e93668be4f770fdaf8b7b52

SHA1
2ec60ad71d55abfa421b55a599ea90cd363e2d3b

SHA256
70906d8c2bd7c4c493822cc9d50b8ea3b310f1c3a8a2b70cb427e9b998a6c7d0

SHA512
4f7daeb9ac42ba451b728353648f2dcdf1b705db903eeea7ca1de85fb1e02a559d4e5963cdda60c8072ad708626e0f3ce1630d10eac87c41769dbfb4826e923d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7713dcc88fad4bf0ff8897ef8ce288bb

SHA1
aea08a98e95b06785299e4d6868a32fdd894c773

SHA256
fdb2725a1667cdd0e0d659baf22127a138f89865fe1751ee68988da1875102e6

SHA512
2c534036336eaf323551ddb86d1a1afa3b07b88eb1e51f8e5ff1b64bd431bf4fe256da28cd7611e2753db3908bf0b7da1a3b400f3e9cdf295ec2aaf28f5329ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15cc51d66c127e740e09ee6d404f4ec7

SHA1
b0ddda29e75046d33d1fa1ceae607ebfdceeea5a

SHA256
b6df0dac9c5dbaab2f25db18d526987274ed0eaa44151746250842e4c164292e

SHA512
d170d4594564fdff5b07582585c5aca956bd14462f5d007884e2e04cf027210ab31f2916272a5cd2ba5741b606ebf3e736a2c5d94e3462083c1cc0d97acd9073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
958404fcfa5b1cbce0fbbb0c439bd8c3

SHA1
ae75c70716d045bfe99b3c84fe7c33b72aaa2bc6

SHA256
2aa4ea96a8da14c1dbd7fd061ba97eeab3f99ede6b89543a3e60f696ea4191df

SHA512
6e8140e28d2c6a12523f986ab7434f51a9ff64cdc4ea9c7f9189531b699fd4af0ae369403e5ffe929d984beb41a35d83c21ab6e160bc1180d64346ffe912797c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c41005198957b54c2688fc1621cf20f3

SHA1
bc1acd83460b64c178084e4290c5e2d9f8de49ea

SHA256
9156bc1fb5d4a91faa6a652bf4f397552c274c5f529e110883ba99598d31a918

SHA512
d929eddfc6d888329f1ee5cba3c2f112c49a4696f33f2c431b9635470b1cad39fdf96f038a88626b566bdefb6873bc2684b2774e421291e3a27225296ddcee14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b411a3569c1fd8d72ad61aa4cce876

SHA1
5c467597d84071798e44f9f0afb21af019692e7f

SHA256
6d241ec6388aee6a8658d299084f87abf9a6f4b82c6d73cfdd0a900a2f438a62

SHA512
c91d04472ea5efc6c8350fb258d14a56832e5fe0ff7cf9d2cbf6ab1949676edea1a33a9732c39ebdd0fd2c1c08d4ad8863443bdf515d52e8ecca69b221546c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ddffce208c2592744b53276d7aa9fdf

SHA1
27502f37b1d2670e2a988c2dbe041114c6469054

SHA256
e31a7d46fe760c65fd0a1a084d27b1e24bb75d2e387b5526dcf8017e22c0578b

SHA512
f62bf9ff85f813391712a28a61d025da9266d2413c3fcd9857535039642ddbde170416d71841103d991c6d2ee5b02bebe317c4147fa9698b466c765b95f14b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3181ab18fc581564f56fd7ef197a7c23

SHA1
1c6a203a676157d4638c34a607151a782986f418

SHA256
7ba949f74ecc61561cede201145bd8b5fdc9129b020bbd11172c2f6ff040ec7a

SHA512
2831372e855f44526cb5ffa711f51eaa6b7b2dfa05e57c95c5e5c71849b13ca5bca2ba01b540df9222bc5d9f866dbd573e34f776c50c81858a1aaee16412b52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC48D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\SPOOL32.EXE

Filesize
34KB

MD5
9d1889ddfce27bc64ec479f5593d22e2

SHA1
7b5d927a56ad0ee5908e6610631a1dc0873816e7

SHA256
1f1b6330db0cdaf350c35acdc5f66a32481fbb35c2b10246ad35d52713c8605b

SHA512
0a644c6bb4c94a448e8611bbfc3f0e67c4ce5a512bef8661a50e62c4468eec9226e12bb83a200a3fe77dbcb1fd1f2cf7c40b7cc58b1e7f4dbfa9801ccc9a6a19

Download Submit
C:\Windows\help.htm

Filesize
209B

MD5
c17f423619cdf9bc2e3f3bf8a4318cf8

SHA1
6b0bbec2145b0a0aa6423eb0519319a528349349

SHA256
b64182d08825d678a2e9427a852d9fec27a6e9cab18c04e6c5633b4ecb126e27

SHA512
ab5fe80a13c2263b64eac8cccf2dab6b0f8bc5dc866a19e80493332073ee72a6777e3c90e9ca93b36519e0ea7cdbfce5c26e52f8c9ff25ff7e113557f890a40c

Download Submit
\Windows\SysWOW64\WINWORD.EXE

Filesize
34KB

MD5
85e70828dbe0c6d9b0c204c4bd772dcd

SHA1
ba7bcac5512295543ade58bf47b1874f3194eb4b

SHA256
4a2be2944d06bfa5c631cc5c61820f89f1bb7d5b98c54722c7b93d5fbbf9217a

SHA512
eb834faffd976cbdf2ce6ea53b93b062bdc01f56f7ba29f3596f11b38f7f7483ebe2c6d324b59fd0b05cf0e707b126760cec7960a85cf211501876479de4e24c

Download Submit
memory/2196-524-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-510-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-960-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-958-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-80-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-522-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-516-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2196-514-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-17-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2712-23-0x00000000032F0000-0x0000000003307000-memory.dmp

Filesize
92KB

Download
memory/2896-6-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2896-58-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2896-4-0x000000002FF21000-0x000000002FF22000-memory.dmp

Filesize
4KB

Download
memory/2896-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-523-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-511-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-62-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2908-513-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-519-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-45-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2908-41-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2908-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-509-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-63-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/2908-515-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-957-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-959-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2908-961-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download