Analysis Overview
SHA256
32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
Threat Level: Known bad
The file 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N was found to be: Known bad.
Malicious Activity Summary
Xtremerat family
Detect XtremeRAT payload
XtremeRAT
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 14:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 14:48
Reported
2024-10-27 14:50
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Xtremerat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2608 set thread context of 1400 | N/A | C:\temp\Micrsoft Word.exe | C:\temp\Micrsoft Word.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\temp\Micrsoft Word.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\temp\Micrsoft Word.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
"C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\temp\Word.doc"
C:\temp\Micrsoft Word.exe
"C:\temp\Micrsoft Word.exe"
C:\temp\Micrsoft Word.exe
"C:\temp\Micrsoft Word.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
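The SetThreadContext indicator above ("PID 2608 set thread context of 1400") is raised between two instances of the same dropped image, C:\temp\Micrsoft Word.exe, and the memory dumps listed under Files show PID 1400 holding a region at 0x10000000-0x1004A000 that PID 2608 never had. That combination is the usual footprint of a RunPE-style hollowing: the first copy starts a suspended second copy, writes a payload into it, and points the main thread at it. The following is an added triage script, not part of the original report; it parses the report's own dump names (memory/<pid>-<seq>-<start>-<end>-memory.dmp, a layout assumed from the names shown) and the SetThreadContext text, and lists regions that exist only in the target process. The behavioral2 run shows the same shape with PIDs 2560 and 2956.

```python
"""Find the injected region behind a 'PID A set thread context of B' indicator.

Added example, not part of the original report. SET_CONTEXT_INDICATORS and
DUMP_NAMES are copied from the behavioral1 report; the dump-name layout
(memory/<pid>-<seq>-<start>-<end>-memory.dmp) is assumed from those names.
"""
import re
from collections import defaultdict

SET_CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Indicator text and dump names exactly as they appear in the report.
SET_CONTEXT_INDICATORS = ["PID 2608 set thread context of 1400"]
DUMP_NAMES = [
    "memory/1928-41-0x00000000038C0000-0x0000000003C24000-memory.dmp",
    "memory/2608-43-0x00000000002B0000-0x0000000000614000-memory.dmp",
    "memory/1400-58-0x0000000010000000-0x000000001004A000-memory.dmp",
    "memory/2608-66-0x0000000003050000-0x00000000033B4000-memory.dmp",
    "memory/1400-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1400-46-0x0000000010000000-0x000000001004A000-memory.dmp",
]


def regions_by_pid(dump_names):
    """Map pid -> set of (start, end) address ranges the sandbox dumped.
    Repeated dumps of the same range collapse to one entry."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.fullmatch(name)
        if not m:
            continue
        regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return regions


def hollowing_candidates(indicators, dump_names, min_size=0x2000):
    """For each 'A set thread context of B', return regions dumped from B that
    were never dumped from A. With a same-image parent/child pair this is
    where an injected image sits. Single pages are skipped as noise."""
    regions = regions_by_pid(dump_names)
    findings = []
    for text in indicators:
        m = SET_CONTEXT_RE.search(text)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        foreign = regions[dst] - regions[src]
        for start, end in sorted(foreign):
            if end - start >= min_size:
                findings.append({"source_pid": src, "target_pid": dst,
                                 "base": start, "size": end - start})
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(SET_CONTEXT_INDICATORS, DUMP_NAMES):
        print(f"PID {f['source_pid']} -> PID {f['target_pid']}: "
              f"foreign region base 0x{f['base']:X}, size 0x{f['size']:X}")
```

Run stand-alone it reports one region: base 0x10000000, 0x4A000 bytes, in PID 1400. That base and the region's repeated re-dumping across sequence numbers 46 to 68 are what to carve out of the dump set for static analysis of the actual XtremeRAT payload, rather than the dropper at 0x2B0000.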
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
Files
\temp\Micrsoft Word.exe
| MD5 | 4dc0bcdcfb3f3d794175b21872a76079 |
| SHA1 | 148aa40c7a14c87fc9c326396b2041223a27308a |
| SHA256 | 533ef10438f29b8f38bbe15f14e7377edfd530b15d41e2f001859ed00fdc9054 |
| SHA512 | c1953b4198bf046a83d8c0fab0faf0539be8615524b6842b2ce8d51f3e6757e69b71e374c763bae4f610d1e60cce12dfb1fc1118e9095a90b8d519a6a1bcab8f |
memory/1928-10-0x00000000003E0000-0x00000000003F0000-memory.dmp
memory/2408-11-0x000000002F051000-0x000000002F052000-memory.dmp
memory/2408-12-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2408-13-0x000000007163D000-0x0000000071648000-memory.dmp
C:\temp\Word.doc
| MD5 | 2884d2ac372fd9dce678e539f247b18d |
| SHA1 | f391f40f04f44326450a274867c1987ab7da2765 |
| SHA256 | 230c808c8e60d25423da6a814430f40af90eaca995cd4f985191ad0356e6e00a |
| SHA512 | d9328beb0e708f18e029b4f6dcd6ff6f5b2994efe5c31a01c185c55597542943230871a636d491c87c2b801fe4597796cf29dc8c50c0ed1b1b78c2610cfd3b5e |
memory/1928-41-0x00000000038C0000-0x0000000003C24000-memory.dmp
memory/2608-43-0x00000000002B0000-0x0000000000614000-memory.dmp
memory/1400-58-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-68-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2608-67-0x00000000002B0000-0x0000000000614000-memory.dmp
memory/2608-66-0x0000000003050000-0x00000000033B4000-memory.dmp
memory/1400-65-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-64-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-61-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1400-56-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-54-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-52-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-50-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-48-0x0000000010000000-0x000000001004A000-memory.dmp
memory/1400-46-0x0000000010000000-0x000000001004A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2408-82-0x000000002F051000-0x000000002F052000-memory.dmp
memory/2408-83-0x000000007163D000-0x0000000071648000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 14:48
Reported
2024-10-27 14:50
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
Xtremerat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2560 set thread context of 2956 | N/A | C:\temp\Micrsoft Word.exe | C:\temp\Micrsoft Word.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\temp\Micrsoft Word.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\temp\Micrsoft Word.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\temp\Micrsoft Word.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
"C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\temp\Word.doc" /o ""
C:\temp\Micrsoft Word.exe
"C:\temp\Micrsoft Word.exe"
C:\temp\Micrsoft Word.exe
"C:\temp\Micrsoft Word.exe"
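Two details in this run are worth a generic check rather than a one-off hash match: the persistence shortcut is written to the per-user Startup folder under a name that is only whitespace ("Startup\ .lnk"), and the dropped executable is named one character away from "Microsoft Word". The script below is an added example, not part of the original report; it scores paths copied from the Signatures and Processes sections above for those two tells. The Startup-folder pattern is the standard Windows per-user path; the list of product names to compare against is the author's own assumption.

```python
"""Flag blank-named Startup shortcuts and typo-squatted executable names.

Added example, not part of the original report. OBSERVED_PATHS are copied
from the behavioral2 report; LOOKALIKE_TARGETS is an assumed list.
"""
import ntpath
import re

STARTUP_FOLDER_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".scr", ".com")
# Names a dropped binary is likely to imitate (assumed, extend for your estate).
LOOKALIKE_TARGETS = ("microsoft word", "microsoft excel", "svchost", "explorer")

OBSERVED_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk",
    r"C:\temp\Micrsoft Word.exe",
    r"C:\temp\Word.doc",
    r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
]


def edit_distance(a, b):
    """Levenshtein distance; fine for file-name-sized inputs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_path(path):
    """Return a list of finding tags for one path; empty list means nothing odd."""
    findings = []
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    if STARTUP_FOLDER_RE.search(path):
        findings.append("startup-folder")
        # A shortcut whose visible name is empty is invisible in Explorer's list.
        if ext == ".lnk" and stem.strip() == "":
            findings.append("blank-shortcut-name")
    if ext in EXECUTABLE_EXTS:
        lowered = stem.lower()
        for target in LOOKALIKE_TARGETS:
            d = edit_distance(lowered, target)
            if 0 < d <= 2:  # near miss, but not the genuine name itself
                findings.append(f"lookalike:{target}:{d}")
    return findings


def scan(paths):
    """Map path -> findings, keeping only paths that triggered something."""
    out = {}
    for p in paths:
        f = check_path(p)
        if f:
            out[p] = f
    return out


if __name__ == "__main__":
    for path, tags in scan(OBSERVED_PATHS).items():
        print(f"{path}\n    {', '.join(tags)}")
```

On the four paths above it flags the shortcut (startup-folder, blank-shortcut-name) and C:\temp\Micrsoft Word.exe (lookalike:microsoft word:1), and leaves Word.doc and the real WINWORD.EXE alone. The same check_path function works over Sysmon event 11 (FileCreate) or event 1 (ProcessCreate) image paths.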
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.18.27.153:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 153.27.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
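Almost everything in the table above is Office and Bing telemetry that the detonation itself produces (officeapps.live.com, cdn.office.net, bing.com/bing.net, plus reverse lookups of those addresses). What stands out is the pair good.zapto.org and lokia.mine.nu: both live in free dynamic-DNS zones, both are queried over and over for the whole run, and neither is ever followed by a TCP connection, which is how a RAT looks when its C2 is down or sinkholed at detonation time. The following is an added triage script, not part of the original report; it parses rows in the table's own format, classifies each domain, and lists the domains to hunt for. NETWORK_ROWS is a verbatim excerpt of the table (the full table repeats the two DDNS names far more often); the suffix lists are the author's own.

```python
"""Separate C2-looking DNS activity from Office noise in a sandbox Network table.

Added example, not part of the original report. NETWORK_ROWS is an excerpt of
the behavioral2 Network table (| Country | Destination | Domain | Proto |);
DDNS_SUFFIXES and BENIGN_SUFFIXES are assumed lists, not from the report.
"""
from collections import Counter, defaultdict

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
| US | 8.8.8.8:53 | 153.27.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | good.zapto.org | udp |
| US | 8.8.8.8:53 | lokia.mine.nu | udp |
"""

# Free dynamic-DNS zones commonly abused for RAT C2 (assumed list).
DDNS_SUFFIXES = ("zapto.org", "mine.nu", "no-ip.org", "ddns.net", "hopto.org")
# Telemetry that Word and Windows generate on their own (assumed list).
BENIGN_SUFFIXES = ("officeapps.live.com", "cdn.office.net", "bing.com", "bing.net")


def parse_rows(text):
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if domain.endswith(DDNS_SUFFIXES):
        return "ddns"
    if domain.endswith(BENIGN_SUFFIXES):
        return "office-telemetry"
    return "unknown"


def triage(text):
    """Per domain: class, number of DNS queries, and whether any non-DNS
    connection to it was recorded."""
    queries, connected = Counter(), defaultdict(bool)
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            queries[r["domain"]] += 1
        else:
            connected[r["domain"]] = True
    return {d: {"class": classify(d),
                "dns_queries": queries[d],
                "connection_seen": connected[d]}
            for d in set(queries) | set(connected)}


def c2_candidates(text):
    """DDNS names queried repeatedly with no connection ever seen."""
    return sorted(d for d, v in triage(text).items()
                  if v["class"] == "ddns" and v["dns_queries"] >= 2
                  and not v["connection_seen"])


if __name__ == "__main__":
    for d, v in sorted(triage(NETWORK_ROWS).items()):
        print(f"{d:40} {v['class']:17} dns={v['dns_queries']} conn={v['connection_seen']}")
    print("hunt:", c2_candidates(NETWORK_ROWS))
```

On the excerpt the hunt list is good.zapto.org and lokia.mine.nu; on the full table the query counts rise to 23 each while connection_seen stays False for both, which is exactly the retry loop of a RAT that cannot reach its controller. The domains, not the resolver address 8.8.8.8, are the indicators to block.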
Files
C:\temp\Word.doc
| MD5 | 2884d2ac372fd9dce678e539f247b18d |
| SHA1 | f391f40f04f44326450a274867c1987ab7da2765 |
| SHA256 | 230c808c8e60d25423da6a814430f40af90eaca995cd4f985191ad0356e6e00a |
| SHA512 | d9328beb0e708f18e029b4f6dcd6ff6f5b2994efe5c31a01c185c55597542943230871a636d491c87c2b801fe4597796cf29dc8c50c0ed1b1b78c2610cfd3b5e |
memory/1952-18-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp
memory/1952-17-0x00007FFCE830D000-0x00007FFCE830E000-memory.dmp
memory/1952-16-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp
memory/1952-19-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp
memory/1952-21-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-22-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-28-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-27-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-30-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-32-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp
memory/1952-31-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-29-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-33-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp
memory/1952-26-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-25-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-24-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-23-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp
memory/1952-20-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp
C:\temp\Micrsoft Word.exe
| MD5 | 4dc0bcdcfb3f3d794175b21872a76079 |
| SHA1 | 148aa40c7a14c87fc9c326396b2041223a27308a |
| SHA256 | 533ef10438f29b8f38bbe15f14e7377edfd530b15d41e2f001859ed00fdc9054 |
| SHA512 | c1953b4198bf046a83d8c0fab0faf0539be8615524b6842b2ce8d51f3e6757e69b71e374c763bae4f610d1e60cce12dfb1fc1118e9095a90b8d519a6a1bcab8f |
memory/2560-45-0x0000000000C80000-0x0000000000FE4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 8ba5bc9de3fa0db40c10d31687f07ecd |
| SHA1 | 1d985741732e4bbe47c19aa8c04b4412946b6b6b |
| SHA256 | f0e78a1bb6b50841277ba58aca57d72fe25f16defed6b046a030ca6658d7c69f |
| SHA512 | 61f00683ecd633e4b2a250e733b9fcbb4e4b802dd6f7ff13030636e58f490101a9878de164ca800a435f48186949778d76ede02545e57701217ef77e046a1a14 |
memory/2956-63-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-71-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-75-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-76-0x0000000000C80000-0x0000000000FE4000-memory.dmp
memory/2560-78-0x0000000000C80000-0x0000000000FE4000-memory.dmp
memory/2956-73-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-69-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-65-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-67-0x0000000010000000-0x000000001004A000-memory.dmp
memory/2956-79-0x0000000010000000-0x000000001004A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1952-98-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-99-0x00007FFCE830D000-0x00007FFCE830E000-memory.dmp
memory/1952-100-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
memory/1952-101-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 5a2f77aa2dd20ddc7eaf2337a3bd8b92 |
| SHA1 | 6fbd7889e27ccbc0bcb6b168d907a6f6d8269d82 |
| SHA256 | db117393063264e5949dbc61c118c0cc16444a6601dd1c940eedaa5c5435e817 |
| SHA512 | c1b955ee5b39e986197f157463f119d323042f97c7cc7f8095f0b6ef35c2d4ee43d9a7dd0e58a7aa194909150b1218d29041831afafaffa189cea6730fb4ddcf |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | c7825cff34a2d8917c5c087bc3b72750 |
| SHA1 | 8e64f83100aeb1a634b6484f8b78751da89d5e09 |
| SHA256 | 7e3129657b40a7dd58454ec748eb855d5d0deb2edab7cc57319723a533ac73d5 |
| SHA512 | 445db51f80321ed0066b3ceec8b56f982aa6cc1e709924df73fd3418f9e2e8da993d79bbd2aff5037450025fa9c8536282532fc395a226abee8058a2c14183a4 |
C:\Users\Admin\AppData\Local\Temp\TCD59.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |