Analysis Overview
SHA256
e62a8640510e8a72b5f5b9115b94439df31cfe186970ce831fc2ac200605dcaf
Threat Level: Known bad
The file Pago pendientes.doc was found to be: Known bad.
Malicious Activity Summary
XenorRat
Office macro that triggers on suspicious action
Suspicious Office macro
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Checks processor information in registry
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 15:36
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 15:36
Reported
2024-08-26 15:38
Platform
win7-20240729-en
Max time kernel
107s
Max time network
108s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pago pendientes.doc"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sodiumlaurethsulfatedesyroyer.com | udp |
| US | 172.67.202.26:443 | sodiumlaurethsulfatedesyroyer.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 216.58.214.163:80 | c.pki.goog | tcp |
Files
memory/2544-0-0x000000002F6D1000-0x000000002F6D2000-memory.dmp
memory/2544-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2544-2-0x000000007323D000-0x0000000073248000-memory.dmp
memory/2544-36-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
memory/2544-53-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
memory/2544-54-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
| MD5 | 3badedb0adc943d55394c06b6e43e2c8 |
| SHA1 | 7f6d929b560edf98f3256970ec09358510ef4441 |
| SHA256 | 276874edc2fa8fab8faad76b95f323b6e01bea7a058053c4ea674adfc51c59ed |
| SHA512 | 9daed3c7ab544e90f82ea9c303c94f7967d80450d23d7582060d46996ef00b688db407f09a7d1c582801439e7f0f65a4149019b9c46959861e519761cde2634c |
memory/3044-87-0x0000000000E90000-0x0000000000EF2000-memory.dmp
memory/3044-88-0x0000000000280000-0x0000000000286000-memory.dmp
memory/3044-89-0x00000000002B0000-0x0000000000306000-memory.dmp
memory/3044-90-0x0000000000470000-0x0000000000476000-memory.dmp
memory/2544-93-0x000000007323D000-0x0000000073248000-memory.dmp
memory/2544-94-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
memory/2544-95-0x0000000005CF0000-0x0000000005DF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | dcdb204622788f3cddb1c695f56736ca |
| SHA1 | d446ebc6fd71bea6d7b67844ca15ae91fa5b652f |
| SHA256 | 5cd62f97b93f983de7f42d63e26d77799e9467c5fde331b9dab5b7f82b423115 |
| SHA512 | 3624144a6b51c0594729956d8ffd961f817064618be8dab01d646d1756ecaba0f14a743dd62718b3ab0affc4c72d84ac76b16f66388caf25e2e34f699eafe517 |
memory/2544-110-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2544-111-0x000000007323D000-0x0000000073248000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-26 15:36
Reported
2024-08-26 15:38
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
128s
Command Line
Signatures
XenorRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4060 set thread context of 3100 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe |
| PID 4080 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Pago pendientes.doc" /o ""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ITFRNLR.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1072 -ip 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 12
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | sodiumlaurethsulfatedesyroyer.com | udp |
| US | 104.21.58.76:443 | sodiumlaurethsulfatedesyroyer.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.58.21.104.in-addr.arpa | udp |
| FR | 216.58.214.163:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.17.209.123:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 123.209.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4524-0-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-5-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-4-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-1-0x00007FFC61D6D000-0x00007FFC61D6E000-memory.dmp
memory/4524-3-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-2-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-9-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-8-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-11-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-12-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp
memory/4524-10-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-14-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-15-0x00007FFC1F7C0000-0x00007FFC1F7D0000-memory.dmp
memory/4524-16-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-19-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-23-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-22-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-21-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-20-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-18-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-17-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-13-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-7-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-6-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-66-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ITFRNLR.exe
| MD5 | 3badedb0adc943d55394c06b6e43e2c8 |
| SHA1 | 7f6d929b560edf98f3256970ec09358510ef4441 |
| SHA256 | 276874edc2fa8fab8faad76b95f323b6e01bea7a058053c4ea674adfc51c59ed |
| SHA512 | 9daed3c7ab544e90f82ea9c303c94f7967d80450d23d7582060d46996ef00b688db407f09a7d1c582801439e7f0f65a4149019b9c46959861e519761cde2634c |
memory/4060-111-0x00000000004A0000-0x0000000000502000-memory.dmp
memory/4060-112-0x00000000027B0000-0x00000000027B6000-memory.dmp
memory/4060-113-0x000000000DA70000-0x000000000DAC6000-memory.dmp
memory/4060-114-0x000000000DB60000-0x000000000DBFC000-memory.dmp
memory/4060-115-0x000000000E1B0000-0x000000000E754000-memory.dmp
memory/4060-116-0x000000000DC00000-0x000000000DC92000-memory.dmp
memory/4060-117-0x00000000049C0000-0x00000000049C6000-memory.dmp
memory/3100-118-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ITFRNLR.exe.log
| MD5 | d95c58e609838928f0f49837cab7dfd2 |
| SHA1 | 55e7139a1e3899195b92ed8771d1ca2c7d53c916 |
| SHA256 | 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339 |
| SHA512 | 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/4524-141-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-142-0x00007FFC61D6D000-0x00007FFC61D6E000-memory.dmp
memory/4524-143-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-144-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
memory/4524-150-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD5B3.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
memory/4524-648-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-647-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-650-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-649-0x00007FFC21D50000-0x00007FFC21D60000-memory.dmp
memory/4524-651-0x00007FFC61CD0000-0x00007FFC61EC5000-memory.dmp