redline | 55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
Size

568KB
MD5

963f526636c53e9ecf5af8025e0daca0
SHA1

bf41a267e768fca782e6861ba274aac58f79a959
SHA256

55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3
SHA512

85d347f552ee0f73af7e5f198430c452b4194f73f9313007f4e800e3fc2a9cc07c6c20de7cf81ac6530ff45b35b09b8ae137f01319ed86ceb084329ebff67fa8
SSDEEP

12288:UfLYRxA4Y5lyA/BxSPCPU0/iRsFpPQPht0XJ1vzUZdJFk7UQlbd9JU:XR6KRDPht0HgHUvbdX

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

185.222.57.84:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4824-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/4824-31-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 4824	4860	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe	87

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: AddClipboardFormatListener 12 IoCs

pid	Process
2488	WINWORD.EXE
2488	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
3480	EXCEL.EXE
3352	POWERPNT.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4860	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
4860	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
4860	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
Token: SeDebugPrivilege	4824	55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
4532	AcroRd32.exe
4532	AcroRd32.exe
4532	AcroRd32.exe
4532	AcroRd32.exe
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
2488	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
4184	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE
3352	POWERPNT.EXE
3352	POWERPNT.EXE
3352	POWERPNT.EXE
3352	POWERPNT.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE
1752	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4192	4532	AcroRd32.exe	81
PID 4532 wrote to memory of 4192	4532	AcroRd32.exe	81
PID 4532 wrote to memory of 4192	4532	AcroRd32.exe	81
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4896	4192	RdrCEF.exe	82
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83
PID 4192 wrote to memory of 4656	4192	RdrCEF.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
"C:\Users\Admin\AppData\Local\Temp\55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
- C:\Users\Admin\AppData\Local\Temp\55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe
  "C:\Users\Admin\AppData\Local\Temp\55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5ADE1400CB267633BB2A53640EFE2BAA --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=575B672DFC9B7177619DF687549A84A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=575B672DFC9B7177619DF687549A84A9 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F095514967D4B31FD405E38B3B91CBA8 --mojo-platform-channel-handle=2372 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72C08CEAE0963652B4D672521B0C994F --mojo-platform-channel-handle=1916 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14E144677EB9A7987296A7DD1D6A406B --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\BackupFind.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\LockCompress.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompleteConfirm.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\JoinCheckpoint.js"
1⤵
PID:4920

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\PublishSearch.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StopJoin.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\PublishLimit.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GrantConvert.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
25dd141ee65b40fe32ddd2d971d5dddb

SHA1
2e47eb91710473f707c92cd02edfae9d2b09d545

SHA256
249a95a9c6014a9337055f6d7d45c70c417d0cbd8e084e2ca8cb7a3229d54c61

SHA512
0f33c4a09460276a2bbce542519fa79fd56de3b28acb2031f91944336ac33f475233aec467af75e47e49ba75f55834b4aadd9e508231148e5df796bb697bd157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
32d923f45384bbf7fdf422e890b4b138

SHA1
977c64ca964e4e41f1785cd9c0956e96994d90b3

SHA256
cc02ae602e4a3526b14528bfb27ef4912248cc286fe7f916f1d88b2cc2acce10

SHA512
33c1c7efce137ec8a8e612b408705514b72a5fc76c0423c8cc6d09001c934d013a5351848a264a37dd7bf2008686b4cc2885c84c902b6ceadfc3ae1329455829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
61de035ebeb63488a6adc379768a0898

SHA1
428977b1bb68891bb97eafc9c92389bdb3692b7a

SHA256
c82973f6bdbc1b3790c20d893779a13b811d25758f0714adda84aa7169a5373e

SHA512
1ce09fe124cc99c494fb19d9f5d9f7d18a3a02b1c4c08c4d21350a5014411ec25270fb6ee8778b337bc899df0d987ca16665b82bceac172fcf1fe350a481e1c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
14760b310fc5cbecea5cc55db27fe2ff

SHA1
ae43bf6ebf22b17cc5b71b7820666b28c30ec566

SHA256
09bad9a6f83f248e9bfd9d491a2d64252f2f07a9ed6ebe651c777e3eb2e24d4b

SHA512
f50bfff1c5dc115317f40ad65453dc51e2d9e1763714dfa47318d21efdfdf257157c810739de0bf1da3b4bc71e72cd55386e3688c8e80828d55c5005d3ae79fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\55d48276b91ae07b4a4b26ab074d2fae49ffdee7f227fc62587a46696ecbf2b3.exe.log

Filesize
1KB

MD5
7e1ed0055c3eaa0bbc4a29ec1ef15a6a

SHA1
765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

SHA256
4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

SHA512
de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\A6F8E61C-3197-4291-BF30-E46E223A3E2C

Filesize
1KB

MD5
85ad173999ed440af6120f3b4fd436fa

SHA1
eebe3bae40b0c82db581b905e2a4c4a90055c9b3

SHA256
2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

SHA512
3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\F0BEF092-1DA6-42F6-8277-13F9A456DD5C

Filesize
397B

MD5
2f82426450332b558a61ae9ca551abd9

SHA1
abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

SHA256
57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

SHA512
dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8D6F66A2-51F1-4652-916A-6C9A69452F63

Filesize
177KB

MD5
9cd0a0b8235c8250bd88354249729fbe

SHA1
d507af26dfc7378a712c3833bc3467295d655fc9

SHA256
001d1fa41fcaf3d1e6d260e7738d37a993f6660c6254f06fdbbf034ef690fd6c

SHA512
9d345d86d1f39aa40d0312ba73939c90b4d25e67edd2e817632139868453c6dd6bbf0196a09625ee39db22f3e35a7d3340c6daae1d3d0938bbbcf2810d71b772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
946367219f3b12c77d1cd7f6e4d5a8bd

SHA1
878b78ae55149f5a61fe801d081eaf287498bd97

SHA256
882bb0225ec96e5feda5b6a540ab9a9a63cfdbbc057a364e0f891dedcc7781ac

SHA512
be5e82f90ddb5327efe516cde3ad2e9458778333b41719317be3f9d016088d75d661ef7849422d981d70003b121caf63c99b9bdd0e79fd0f7f169c19b86397e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
a7a607f7edbe8032b31d81f793855e87

SHA1
4fdc371fdd8b86c8049b367b7d37d5140e97bce6

SHA256
003ec27ff0477474076f25c8565c408dcf823d2e88652a5772185e34afec0f6a

SHA512
f171d06f565c23c9ae07b84ff6cd87543b596c2cee750a4e4a356f03fbc80756c61cc35869f7d50820e1b45fd8315752265254d2ad72d18bf9bd9bf20d8d2abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
18KB

MD5
c104993e725878c87918022a7b2223b6

SHA1
28adcb2ba534ac3026384d59111953f488131810

SHA256
6a868ff68b205197014d2a852c392bdea5110f4d48193357f46cf190eb9c2810

SHA512
61ee1ed0edaa7268dbaa8f63f3f0506b9ea652962dc6f2f8c3725a59e08b3661da7ab0321092014d699d059ffe998bb43f7ee94e166db7102040abf02f3201a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
f962b545b71a296617ad40c471601a55

SHA1
208d5c05d7581ce11a94041ef2186e5300b7faa4

SHA256
9b929d6c3f2db8f4023574eaaaf0fa07d04669d24b401419df61bd4786a26534

SHA512
b6bc0c81a5301b62cf19bd01e7cc537ee14b53c255001d9f76db87907e18712a08e60ce1c5ec8afa596ea5c6845cf739560437fd9bbcd4aae3b80dfb38fb4a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
35c7b9b4b2dbfa55f467d90b9e779eee

SHA1
4f38b1c7083f4aa9e2acf160e95dd52b47dbfbb1

SHA256
739d66f1d8121f49669b255a17513334663449d36ede9646f6829d5af3f5b674

SHA512
707bedecf2ec0eff7ed0ca938d067df976b740ce8ef088c8b2efeddc4053df4d26936943d249ece80cac5466948cb9624558b1b885d258ccb2f71319fba4a069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
81f7ddbfffbcb29fe5a543b3a1e438b8

SHA1
d16b194470fe1404be5d9037fe9bccce3677e58f

SHA256
df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076

SHA512
9a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{5712EB4E-475F-40B9-BE64-29B01FF61C4D}.tmp

Filesize
1024B

MD5
5d4d94ee7e06bbb0af9584119797b23a

SHA1
dbb111419c704f116efa8e72471dd83e86e49677

SHA256
4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

SHA512
95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\BackupFind.docx.LNK

Filesize
527B

MD5
bc2cd59c360854e30dc089b8d5048616

SHA1
b237bf5ae932425c68d69ed219e3892f69620775

SHA256
878c8652197e4e54c8bce8c995477bd3fffd4e3fa112ad6aa04cfecb683ecf77

SHA512
1ce4d7de3b87b6ae8c157550435d763b6ec1de897cc845bb5b6c75a62bdc49299c98f665acdedf5b3db24e0fa6c35718c2abaccfa35a5cbb9679856f4599f3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
312B

MD5
7033387798c61c48e9ef65b83fa6ddfb

SHA1
da5f3e90c1cbc3d6ef83197f4603cf695e5ad6e0

SHA256
9ca85711225c1979ceaecaa91f26324abb3f3aa58e9a90e5ba204636d9256716

SHA512
61575d9146f76571803aebe14683a570765b2926a35adf98e77ac56c275a902a579d02ea5fb687464aabb1c810a4b64d8dbad0c2b6c3beb860b11ea1245e5a11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
312B

MD5
00dfe92eef2654c5ad3923bff8bf40f2

SHA1
9f53e1d6df8416a84f66a09abf2ab217a784d27a

SHA256
b2991877e10a7d30dfd8e4ddc9e7aeee1777e7385b215a3405e0b6a3a8830744

SHA512
84a8c6f0de642e279d78d74591d150592905a7160b0e300f289a8804bc7a003c2905c0c4eda2aa07b88daa1af710541a6f956ab3ccb39f750317b15fbcaf876d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
312B

MD5
e1e84584690536de7a353ea535ad1dec

SHA1
6f2e0f8d61503c9b40eb21d0b0ec57a41878f8db

SHA256
d122b1cb69433b6090aa39ad3cb8ec7ac6d1d71738b8f6f82d1848e3bd7ee16e

SHA512
521da92546a3d16ade1ac9bb90d356f18695a68336fb4267b25f7e2b27bf448a1f7d69cb330f3b39b528e30536716935298d4d87b06b9a16f0ef8d7e93eac23a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
314B

MD5
a5b6741f625d63fb0ad86c8f0921bf9f

SHA1
a50f45c7a0f5d55850693045cb9aa03f353ccd66

SHA256
19f99bc5085542f550265a0b59c2beccc6d944255aded7b0805877a6fed662b9

SHA512
44272a62153c617e2f85eb4c8295c0d349d5100385ea1b63c6e7ab63511991a0ff18746caf704c2f54393304fd5877ad7270f4a9c655d224f094f136c8023f53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
311B

MD5
fc565d7d50db51c1b1d7f82e718cd192

SHA1
19a4188d348bbd84444b071f2bbc8e016304a381

SHA256
1c926fa8fb1480b0cd02cf6b60f76a8083bde11c4adbeb7c1bdea762cac4508e

SHA512
51a435ddbb43bf1994b2afae408638c560945fa811e74484dd422132e4cb9b6cb696844cd60bf583eda02cd54510f4705038431763cea41491513083e2307b35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
fe4c499fac4299e91971157adf6999d9

SHA1
8e3cdbb9e57730ac75a8dd0563b42a16de66b989

SHA256
fefda340dc24dfb41169dcba83c3256a5d42b6be2aa7fe3e71fbb9be7048585c

SHA512
f76b2dd2e8358c0262146087599155000e556fd834a6ab57821549f4a7eef51fb74cef77d5360378721749cf0f3904be6b8caa4ce093647be441d6aa60cc103e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
fea035c713da3f359a517f0adc12546c

SHA1
62ddc4ed262bbb45fb19082fd0497e7ab2d7cc26

SHA256
685fe7cf7c4522877f416e6a1d126451ee7e10224d09b80d368be3146fdf58e4

SHA512
52dfb69fdacbd0227cfa4a11ccf5e2cd913fabc70a29ed8f93c677140340f724dd3ee8fbe3ab3d4fc7d02dec14bf27a0a776a4db0096f5b6902a588024b7aa87

Download Submit
memory/2488-118-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-119-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-120-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-117-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-63-0x00007FF9D5A40000-0x00007FF9D5A50000-memory.dmp

Filesize
64KB

Download
memory/2488-62-0x00007FF9D5A40000-0x00007FF9D5A50000-memory.dmp

Filesize
64KB

Download
memory/2488-61-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-60-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-59-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-58-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/2488-57-0x00007FF9D8310000-0x00007FF9D8320000-memory.dmp

Filesize
64KB

Download
memory/3480-265-0x00007FF9D5A40000-0x00007FF9D5A50000-memory.dmp

Filesize
64KB

Download
memory/3480-264-0x00007FF9D5A40000-0x00007FF9D5A50000-memory.dmp

Filesize
64KB

Download
memory/4824-36-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/4824-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4824-38-0x0000000004F30000-0x0000000004F7C000-memory.dmp

Filesize
304KB

Download
memory/4824-35-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/4824-39-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/4824-37-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/4860-9-0x0000000006190000-0x00000000061F2000-memory.dmp

Filesize
392KB

Download
memory/4860-34-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/4860-16-0x000000000A090000-0x000000000A12C000-memory.dmp

Filesize
624KB

Download
memory/4860-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4860-8-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/4860-7-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4860-6-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/4860-4-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/4860-5-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/4860-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/4860-2-0x00000000051E0000-0x0000000005786000-memory.dmp

Filesize
5.6MB

Download
memory/4860-1-0x00000000002C0000-0x0000000000354000-memory.dmp

Filesize
592KB

Download