Resubmissions
29-03-2022 19:24  220329-x4g9baabh9  Score: 10

Analysis
max time kernel: 387s
max time network: 396s
platform: windows10_x64
resource: win10-20220223-en
submitted: 29-03-2022 19:24
Static task: static1
Behavioral task: behavioral1
Sample: document-06.docm
Resource: win10-20220223-en
General
Target: document-06.docm
Size: 524KB
MD5: 8d52c10db63ebd47702ae28ab680d7f9
SHA1: 49c596cc855661054d37e20d621a215f8e4bad00
SHA256: f390f97d9fd4e245f51114504c4fdcb4ea80959c93b6ebc8d85b593b72fbd114
SHA512: 8d28d61095c7fd7b85f44af319725b207af5cc0a3013b05a9592e4fcfc855e29265be8a89fc6befbeace573dd83e06b1349299bce1227f3bec837de54ce39e0c
Malware Config
Extracted
Family: icedid
Campaign: 1798566902
C2: rivertimad.com
Signatures

IcedID First Stage Loader (1 IoC)
  resource: behavioral1/memory/4032-278-0x0000000140000000-0x000000014000B000-memory.dmp
  yara_rule: IcedidFirstLoader

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid 4032  yF4F.tmp.exe
  pid 756   yB0A0.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid 2924 WerFault.exe  target: pid 4032 yF4F.tmp.exe
  pid 1808 WerFault.exe  target: pid 756 yB0A0.tmp.exe

Checks processor information in registry (2 TTPs, 11 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE

Modifies registry class (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings  firefox.exe

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  pid 3428 WINWORD.EXE (2 entries)
  pid 2160 WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1820 powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  pid 1820 powershell.exe (1 entry)
  Token: SeDebugPrivilege  pid 2232 firefox.exe (5 entries)

Suspicious use of FindShellTrayWindow (8 IoCs)
  pid 3428 WINWORD.EXE (2 entries)
  pid 2160 WINWORD.EXE (2 entries)
  pid 2232 firefox.exe (4 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2232 firefox.exe (3 entries)

Suspicious use of SetWindowsHookEx (31 IoCs)
  pid 3428 WINWORD.EXE (15 entries)
  pid 2160 WINWORD.EXE (15 entries)
  pid 2232 firefox.exe (1 entry)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3428 WINWORD.EXE    wrote to memory of  4032 yF4F.tmp.exe   (2 entries)
  PID 1820 powershell.exe wrote to memory of  2264 cmd.exe        (2 entries)
  PID 2264 cmd.exe        wrote to memory of  2160 WINWORD.EXE    (2 entries)
  PID 2160 WINWORD.EXE    wrote to memory of  756 yB0A0.tmp.exe   (2 entries)
  PID 400 firefox.exe     wrote to memory of  2232 firefox.exe    (9 entries)
  PID 2232 firefox.exe    wrote to memory of  4028 firefox.exe    (2 entries)
  PID 2232 firefox.exe    wrote to memory of  3088 firefox.exe    (43 entries)
  PID 2232 firefox.exe    wrote to memory of  648 firefox.exe     (2 entries)
Processes

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-06.docm" /o ""  (PID 3428)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yF4F.tmp.exe  (PID 4032)
      - Executes dropped EXE
        C:\Windows\system32\WerFault.exe -u -p 4032 -s 172  (PID 2924)
          - Program crash

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  (PID 1820)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    "C:\Windows\system32\cmd.exe"  (PID 2264)
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-06.docm" /o ""  (PID 2160)
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\yB0A0.tmp.exe  (PID 756)
              - Executes dropped EXE
                C:\Windows\system32\WerFault.exe -u -p 756 -s 172  (PID 1808)
                  - Program crash

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

"C:\Program Files\Mozilla Firefox\firefox.exe"  (PID 400)
  - Suspicious use of WriteProcessMemory
    "C:\Program Files\Mozilla Firefox\firefox.exe"  (PID 2232)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2232.0.1158038913\858096855" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2232 "\\.\pipe\gecko-crash-server-pipe.2232" 1612 gpu
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2232.3.1840442354\705310085" -childID 1 -isForBrowser -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 156 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2232 "\\.\pipe\gecko-crash-server-pipe.2232" 2304 tab
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2232.13.489641884\1132830256" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 3360 -prefsLen 1022 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2232 "\\.\pipe\gecko-crash-server-pipe.2232" 3376 tab
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2232.20.725205482\1205395617" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 7013 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2232 "\\.\pipe\gecko-crash-server-pipe.2232" 3636 tab
Downloads