Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 02:04
Static task
static1
Behavioral task
behavioral1
Sample
ATTACHED COPY..docx
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
ATTACHED COPY..docx
Resource
win10v2004-20240611-en
General
-
Target
ATTACHED COPY..docx
-
Size
16KB
-
MD5
10c774db881a877ea4c25b62d754b77a
-
SHA1
fea962e22d25df7d72b3121c60c7820e7ac84a92
-
SHA256
d1c19d7d9e7c1d0d192b7cef272688627f19dd965627a342a450fc15c18ac477
-
SHA512
c9b530730243a869e25f77219cc62789cb4ce1b9efb9ebc1834f2738502a5fd0652825860d3b39ffe16c2b1f2b2448d4a6b1d0277eb591e34acedf42d3fb89e0
-
SSDEEP
384:gyXc0x2WXYs8PL8wi4OEwH8TIbE91r2fRcJYLvi/ma/nvnx:gccd/5P3DOqnYJaKvama/p
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.artefes.com - Port:
587 - Username:
[email protected] - Password:
ArtEfes4765*+
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2560-262-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2560-261-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2560-259-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2560-256-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2560-254-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 11 2064 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 1720 powershell.exe 2796 powershell.exe -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
obi29386.scrobi29386.scrpid process 2584 obi29386.scr 2560 obi29386.scr -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 2064 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
obi29386.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi29386.scr Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi29386.scr Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi29386.scr -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 checkip.dyndns.org -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
obi29386.scrdescription pid process target process PID 2584 set thread context of 2560 2584 obi29386.scr obi29386.scr -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE -
Processes:
obi29386.scrdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 obi29386.scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8 obi29386.scr Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8 obi29386.scr -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2436 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
obi29386.scrobi29386.scrpowershell.exepowershell.exepid process 2584 obi29386.scr 2584 obi29386.scr 2560 obi29386.scr 1720 powershell.exe 2796 powershell.exe 2560 obi29386.scr -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
obi29386.scrobi29386.scrpowershell.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 2584 obi29386.scr Token: SeDebugPrivilege 2560 obi29386.scr Token: SeDebugPrivilege 1720 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeShutdownPrivilege 2436 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2436 WINWORD.EXE 2436 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEobi29386.scrdescription pid process target process PID 2064 wrote to memory of 2584 2064 EQNEDT32.EXE obi29386.scr PID 2064 wrote to memory of 2584 2064 EQNEDT32.EXE obi29386.scr PID 2064 wrote to memory of 2584 2064 EQNEDT32.EXE obi29386.scr PID 2064 wrote to memory of 2584 2064 EQNEDT32.EXE obi29386.scr PID 2436 wrote to memory of 2464 2436 WINWORD.EXE splwow64.exe PID 2436 wrote to memory of 2464 2436 WINWORD.EXE splwow64.exe PID 2436 wrote to memory of 2464 2436 WINWORD.EXE splwow64.exe PID 2436 wrote to memory of 2464 2436 WINWORD.EXE splwow64.exe PID 2584 wrote to memory of 1720 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 1720 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 1720 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 1720 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 2796 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 2796 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 2796 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 2796 2584 obi29386.scr powershell.exe PID 2584 wrote to memory of 2896 2584 obi29386.scr schtasks.exe PID 2584 wrote to memory of 2896 2584 obi29386.scr schtasks.exe PID 2584 wrote to memory of 2896 2584 obi29386.scr schtasks.exe PID 2584 wrote to memory of 2896 2584 obi29386.scr schtasks.exe PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr PID 2584 wrote to memory of 2560 2584 obi29386.scr obi29386.scr -
outlook_office_path 1 IoCs
Processes:
obi29386.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi29386.scr -
outlook_win_path 1 IoCs
Processes:
obi29386.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 obi29386.scr
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ATTACHED COPY..docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\obi29386.scr"C:\Users\Admin\AppData\Roaming\obi29386.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obi29386.scr"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NwwiCWz.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NwwiCWz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B10.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\obi29386.scr"C:\Users\Admin\AppData\Roaming\obi29386.scr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD57a472466c53443d1863cc13409680ef0
SHA12db0b0bb4edf5190a504d87a7f91d4556767b0eb
SHA2567dd7707cac518be281aa7a6cc2ddbfeae6c35197c4a6bf2664466c0d19bf3b32
SHA512699a087d612a729f71a09042e94ca4ce68703cca12e86a2cda3a2f71950d1f14978fd49cf0a9d7e8b268b3ae4757be4cf8a76c936951ca132a910f02249b2046
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5b289dd785c9425bb4ac269aeb37cf06a
SHA1a7b7275b100cba6f9d119c7c5e0497624340e5df
SHA25655167343afc3e2832be6e9f3858b871285844fafd2938c51796d2cd18eacb15a
SHA512e2f394674e5de215cfb80a41c2a96176322f10fca07c1a42dbf4b215a7746d687b0c7f94e4d544910b998bd0bab9fe3591ac485d8fc6299fa84c0b8fa1a41cfb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD568bf703eae2a8bc65e7cc67083269429
SHA1b38695dde228560976d457d1ddac3e00bc432970
SHA2569632744d0c3852780b94aef6659fbb4bf41316f1df0937ebe8b107b4c8d1bb6e
SHA5127a6d2889f8c177e61dc80612ee8093d8561c76ceb5837c1324c528553c71302cc5f048d0d665e993e286dd87122e840ef48d24698ed5bcd4d6944457b1b50dca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD53b9d5707bf425c67bc45aabbbc9fdcd4
SHA1063f7c29379096fad044f4d356f04aca205be0cd
SHA256c5285572e56dd30265bb57968de50f3a37bef893ab67f1f57ac3ecba9be955e6
SHA512934efd0cc7f885fd5e808dc56b23b60847ef3db798555695ff778db63fde456294f8ccdb149c6896758fda82ab6574048bf99a25f734c5cc489c59147fc6f3b2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9E42E22A-4C24-4E1C-A80B-C745E56257B4}.FSDFilesize
128KB
MD56a8e7a5dc367ea8340f79d4be43c9607
SHA1036d3f4d5329775d800461563629e590d90314cf
SHA256379056313bea0eed131982d9301c692b8c01e3823b445728cce6cc3ecff30148
SHA512d223d155e0d0720e7b7bc884a06644ad6184ce930f5d84045cc57e49c052ffedbf5f53e7b1a80e0bf0afc5146de19e05c9aaa626af443cb0357691187ede94ed
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5006ae13e1e4acccf873eaf81ae537ff4
SHA1391efad63af12c62f59630a4500852c0cee7d61d
SHA256f50215f4c9f47182332fe3be520bdb80e1c00fc876a2717e92d6f535509c078c
SHA512e78c6e56eb63a8a5b9980cec325fc6bf0533164cb985889048fe709c0225def57f1f4d6310db20e599f581333a4ec53279d8ce8b74e28e4de7a3d832bfa828d4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A361CCA1-97EC-483C-A9F7-DCE939C3F5F0}.FSDFilesize
128KB
MD58c4a789985663dee7d9e8f72908681f1
SHA1f83e2a5290c7630be1859c277c712e5172fb8cd4
SHA25625ab939ee48d80a34b178943cac5966fb2389271247a02e088e8ea8f84c44df7
SHA51269f3cd8b482547c1956070f58e4eae4779b3b324448a597e5bbfde1b408877e0a81001bc1603c3746f167f75fae2ca59408ed8f6090e1a2194c91e8a2ed35566
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\obii[1].docFilesize
512KB
MD5868f7a288d5983e777dbc21f99630f94
SHA11a8566852e9e5794a2497afdc457e3700d44c16f
SHA256bfbacb1dd06af7af969aed0b22d3b1015001025c56cb578f07a9f98149703a73
SHA512b56821bb5d07997265d82b1747bf6e6fc5a763bb92dcd4e9156f0b710ef1447382350a8a0128670e53085b91ea2ed5eb91dff10f0d6363bb36a3f132379d60b1
-
C:\Users\Admin\AppData\Local\Temp\Cab2839.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar2C11.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\Tar30B8.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\tmp5B10.tmpFilesize
1KB
MD5adaa9bfc27cc43a906fa5299cd3adb9f
SHA147e6310e446dfcdd6f50019bf6008ac9d8eab50d
SHA256fad0d532d47b86087fff02fdef16dd796acbdb5dbf1b598241127a3381f77dfd
SHA512ee7c9acfdb6f3a6cc1c0df3a63e9004ed1957f6d6f8b2423ee2a92a86b12c9e92dddf8be2b36b82b8b3e2858c67e7ac85efdcaad60a7d34a568b894f752c6c05
-
C:\Users\Admin\AppData\Local\Temp\{AD4430AF-F4DB-47CB-891D-D37079DEFE06}Filesize
128KB
MD57211fb7be8b29adcededdf22eae1bba3
SHA11ba595b75417ce27158ac63541ed1e56181924a6
SHA2562fc97e580457301663c1073aed9851cf9646d1da4f81f5804c021a5d4bd39010
SHA512ae8ff4d02678ed804c4bbbb35c7858d8fd99b942ccd3202b5bad5e3d0abe3a3a22a4d28156db82eff72bde7b009baaa627f036742995a8f19eb8a63447d264b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD529e0ffee18ec426baea7addef5917326
SHA1022ceae027adb2b8009faea2bf6604b8b279992b
SHA2563e339576db9b8c2e28e74da7154195dee8240a559dd1618217cfada9aabb1820
SHA512028287b0d37270092ad6c8f2f67afaf1d1746df4c1308b70d26f88175759fba3d5e413da0bcaddb7f9e042720e19258bdad84763f6f8fe5eba641b684ff4405a
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6LC0TYDECSPZIAZ5AHYD.tempFilesize
7KB
MD5a0a39e5af88fb3c97d7864eb7fc65e05
SHA1bb8740db3078cc2aaab61905a5080fd11975c43a
SHA256cf68809416f1daa05dbe1c9258d4c15a5d13ac683bc2a144abd1e3cbcaa7683f
SHA512b916320fb1f16ef59547f223871951b3d7499fe5138a6c0bcbf9c824d49e2208592f610f6af7d25ce70be9a5489cb301418990df64c522d66f4bbcc2184f4a94
-
\Users\Admin\AppData\Roaming\obi29386.scrFilesize
588KB
MD5c1eedf3ba4f503e6649bca9ab5b4780f
SHA1a0f9723e89487fd5ef2e305178814ad54b8bb319
SHA2562ae74498a4bc05fa360233342c3652e7df4dc830e240e500ede97931a11e856e
SHA512fe9add3112d842ea1992e0ef9a9f42cb393c2eee7bc274c53a27a3518856701eee0d194900d2f289a369b43a5237d38aaca2403e3de3619bcb13961b20237a65
-
memory/2436-288-0x0000000071A1D000-0x0000000071A28000-memory.dmpFilesize
44KB
-
memory/2436-2-0x0000000071A1D000-0x0000000071A28000-memory.dmpFilesize
44KB
-
memory/2436-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2436-0-0x000000002F0D1000-0x000000002F0D2000-memory.dmpFilesize
4KB
-
memory/2436-287-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2436-263-0x0000000071A1D000-0x0000000071A28000-memory.dmpFilesize
44KB
-
memory/2560-250-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-252-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-262-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-261-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-259-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-258-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2560-256-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2560-254-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2584-237-0x0000000005CD0000-0x0000000005D38000-memory.dmpFilesize
416KB
-
memory/2584-236-0x0000000001180000-0x000000000118C000-memory.dmpFilesize
48KB
-
memory/2584-234-0x0000000000BD0000-0x0000000000BE0000-memory.dmpFilesize
64KB
-
memory/2584-122-0x0000000001190000-0x0000000001226000-memory.dmpFilesize
600KB