e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

d43643e01d59c289b551c240242ea5cd
SHA1

aa17e80aac2ca4e14297b0a7cf29c85b116882c6
SHA256

e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
SHA512

4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd
SSDEEP

768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3852	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ac168fa7329a1bbe164c59a113cb4d71Windows Update.exe	server.exe

Executes dropped EXE 3 IoCs

pid	Process
2804	server.exe
4208	tmp1AA2.tmp.exe
1568	tmpC163.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1AA2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	server.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
376	POWERPNT.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2804	server.exe
376	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2140	AUDIODG.EXE
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe
Token: 33	2804	server.exe
Token: SeIncBasePriorityPrivilege	2804	server.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
2804	server.exe
4040	WINWORD.EXE
4040	WINWORD.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
376	POWERPNT.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2804	4264	Server.exe	82
PID 4264 wrote to memory of 2804	4264	Server.exe	82
PID 4264 wrote to memory of 2804	4264	Server.exe	82
PID 2804 wrote to memory of 3852	2804	server.exe	83
PID 2804 wrote to memory of 3852	2804	server.exe	83
PID 2804 wrote to memory of 3852	2804	server.exe	83
PID 2804 wrote to memory of 4976	2804	server.exe	96
PID 2804 wrote to memory of 4976	2804	server.exe	96
PID 2804 wrote to memory of 4976	2804	server.exe	96
PID 2804 wrote to memory of 4484	2804	server.exe	97
PID 2804 wrote to memory of 4484	2804	server.exe	97
PID 2804 wrote to memory of 4484	2804	server.exe	97
PID 2804 wrote to memory of 1876	2804	server.exe	98
PID 2804 wrote to memory of 1876	2804	server.exe	98
PID 2804 wrote to memory of 1876	2804	server.exe	98
PID 2804 wrote to memory of 2676	2804	server.exe	99
PID 2804 wrote to memory of 2676	2804	server.exe	99
PID 2804 wrote to memory of 2676	2804	server.exe	99
PID 2804 wrote to memory of 376	2804	server.exe	100
PID 2804 wrote to memory of 376	2804	server.exe	100
PID 2804 wrote to memory of 376	2804	server.exe	100
PID 2804 wrote to memory of 2732	2804	server.exe	101
PID 2804 wrote to memory of 2732	2804	server.exe	101
PID 2804 wrote to memory of 2732	2804	server.exe	101
PID 2804 wrote to memory of 1472	2804	server.exe	102
PID 2804 wrote to memory of 1472	2804	server.exe	102
PID 2804 wrote to memory of 1472	2804	server.exe	102
PID 2804 wrote to memory of 1568	2804	server.exe	103
PID 2804 wrote to memory of 1568	2804	server.exe	103
PID 2804 wrote to memory of 1568	2804	server.exe	103
PID 2804 wrote to memory of 4892	2804	server.exe	104
PID 2804 wrote to memory of 4892	2804	server.exe	104
PID 2804 wrote to memory of 4892	2804	server.exe	104
PID 2804 wrote to memory of 3996	2804	server.exe	105
PID 2804 wrote to memory of 3996	2804	server.exe	105
PID 2804 wrote to memory of 3996	2804	server.exe	105
PID 2804 wrote to memory of 4208	2804	server.exe	109
PID 2804 wrote to memory of 4208	2804	server.exe	109
PID 2804 wrote to memory of 4208	2804	server.exe	109
PID 2804 wrote to memory of 1568	2804	server.exe	113
PID 2804 wrote to memory of 1568	2804	server.exe	113

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:376
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    PID:2732
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    PID:1472
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    PID:1568
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    PID:4892
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.ppt" /ou ""
    3⤵
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\tmp1AA2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1AA2.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\tmpC163.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC163.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnlockCopy.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9FA9D058-1012-4413-9D53-F5A1E3BEC6A3

Filesize
176KB

MD5
cf8fda0d42e76ab1dbb8fb621e2a7756

SHA1
5edccc6236b0a420a011bfc7aaa470d6e53335b6

SHA256
59500147806de5c2b5432730aac74c0cfe05b65fbcb7a0684ddab52ec3d2635c

SHA512
40072db6381b6a285d683c3234cdf2a575526333d6c4ded77ec9a9aee508c75f4255a8e0433fe8d093537636cdba3c985b84bca945514a642f608df945c051ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
03dc748bd12f32eac8e683472b9cc1fd

SHA1
122636841bdefe73d796b40f2ab96f7c8ba29462

SHA256
731f72fdc845902603e4d944c454d594568e14e16bd01afd3dff75d5eeba8d9c

SHA512
6008a1df287b8091d350cdc4c666e2734bc05e87eba6c5838deab090603630c72e22dc2af4415d6dffd714c09f680d52e01a1e4e913ca581173996caa9d1cb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
82b4018ab8d541075e9dbabdf32b8ac8

SHA1
ac0d9957d2531d031a000beab43d8ba49fd34dfc

SHA256
ad58efcf22a1d6b4db5f3036000725f838c59ffa3d56533be7682d3a8be13628

SHA512
5a7fb5ca4ab28b0eb7a1e89c81b4c0421c2edb28c13626c26a58720d7239c569381d83a01e15971fd3d28ed3d18910266a89ef49495e304819993b3294c92547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
07ef12ebdce7779b6898b2b876bde923

SHA1
8359eab5b094ecb4ed2f05a0c5c5c289ab798189

SHA256
274fd1d6897c7d4cbe8228f2ae4a05bb4d7cfb5723e14af4dd1d9341682d520a

SHA512
f4845f8445aa41dd2a3f75d0a9a1c2e0a97a141b70f14188cbd1c8fed843aa5c3798e9d288d9692dac33baa2f68188338f5a4077bd9506dad750d48ecc172d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9CFCCA.tmp

Filesize
120B

MD5
045174d69af15d660a88aee1f5828705

SHA1
1b5bc839f5c6955bbb5a1ee31055313ecdd64417

SHA256
69faf2d9cef6b8a669a5733cebc6722389d15a81140fec604c8c243081909005

SHA512
f12ed4456040840225da2b15dba5eb905f471d91477ea88e9b6ee60b38166da9af9a86b5fb742e7194655b27cfad21d35c8cc5b862a425cd0d7608f27395ee1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AA2.tmp.exe

Filesize
28KB

MD5
6c2210ba180f0e1b9d831c3c6c14c8b4

SHA1
00bebdf704f4cabf254583c6ad87c6e72872b61a

SHA256
501c36ac282029ccf7950a4957d4c10ea72fe18f0ad8d6daeabfe628fa4070a7

SHA512
26a63ad05199cf45acd7519fbc63945097b4c4a89bb2cdfa4f87ba004e1ce106220b0b99419e656de26d164265b3868a9ce541c71b05d4e4db1a9a1343130e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC163.tmp.exe

Filesize
61KB

MD5
f4407493019fe05f34b074539519ebc4

SHA1
b3f5ff69ff4fee493440c133f033a0d05a6edd43

SHA256
a5c1bdc7b8c0e456edac031568c8acca0524eeec7e91977d63c41c0a82c608c5

SHA512
24668bd17617e038544ed5cc92385cba01ec1b70725930457a5deb6f4ef1a079e3af8d7f592dad851fb1685387daaf47cc02a6c406042dc7ec1f406d2ab3bfc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
210B

MD5
79dc9f28b3a668212363a535c7d65672

SHA1
c29a0de5fbe5c1baf4f8a2727efca1e837928e04

SHA256
79689947b84b900ecf0e90495d21034605f71620362a14d3b726266561727e4a

SHA512
20c82c3c91a6756fccb7e0f93954ac07fb07dc503dedd4d14af2ec6c6ea638a9d3c24c1f23d3561992c8d8275a5fea43c72e4e20a0be9dac0c19f66ca33c8dbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_83E68EABC26749AD9774015EF4542F6B.dat

Filesize
940B

MD5
0da5648adbd9a4c0e7999172ffcaef28

SHA1
ef03ae01b38a5679b5a842f8e15266decbdc72a7

SHA256
e66b4c15091dba729feaacda6c950d99bf1b29476d07a1a590ce7871ccd5831b

SHA512
3043122222765c077805b631fec134711a6f32687c30b6b43561214ca1bbb75d999e8b078c666f9fd28cdcd34ff05ed4ff84b5b82faf09a2e9771eda313026cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.vbs

Filesize
19B

MD5
53b9f8d6b89885849f2082ed155df5b0

SHA1
9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

SHA256
c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

SHA512
dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~$tempxxSD.ppt

Filesize
165B

MD5
5ddc860d871aca9286f2a680e63af7e6

SHA1
dfa0bc3318667d8da509398a3138888d0ea50446

SHA256
1176a0c9b71c5a4992774717d673027786db7e377e3d40a8a0606853e63afeb5

SHA512
13b343323e1429e8f87ef14b8162f357c2c82be5927c6eb74caf367e8bba732fbce8f02da3391bafac51e9ec7b382d27ea6ce0959ea08f02079f7ca2705b51e3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
d43643e01d59c289b551c240242ea5cd

SHA1
aa17e80aac2ca4e14297b0a7cf29c85b116882c6

SHA256
e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460

SHA512
4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd

Download Submit
memory/376-56-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/376-55-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/376-58-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/376-54-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/376-59-0x00007FF950B50000-0x00007FF950B60000-memory.dmp

Filesize
64KB

Download
memory/376-68-0x00007FF950B50000-0x00007FF950B60000-memory.dmp

Filesize
64KB

Download
memory/376-57-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/1568-422-0x000000001BD80000-0x000000001BE26000-memory.dmp

Filesize
664KB

Download
memory/1568-423-0x000000001C360000-0x000000001C82E000-memory.dmp

Filesize
4.8MB

Download
memory/1568-424-0x000000001C950000-0x000000001C9EC000-memory.dmp

Filesize
624KB

Download
memory/1568-425-0x00000000019A0000-0x00000000019A8000-memory.dmp

Filesize
32KB

Download
memory/1568-426-0x000000001CAB0000-0x000000001CAFC000-memory.dmp

Filesize
304KB

Download
memory/2732-101-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/2732-100-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/2732-99-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/2732-102-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/2804-24-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2804-16-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2804-15-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2804-17-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2804-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2804-25-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4040-349-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/4040-348-0x00007FF952CF0000-0x00007FF952D00000-memory.dmp

Filesize
64KB

Download
memory/4208-197-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/4208-196-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/4208-195-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/4208-198-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/4208-199-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/4208-200-0x0000000005790000-0x00000000057E6000-memory.dmp

Filesize
344KB

Download
memory/4264-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

Filesize
4KB

Download
memory/4264-14-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4264-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4264-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download