hxxps://nexus-games[.]net/game/counter-strike-2-free-download/

Analysis

max time kernel
91s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nexus-games.net/game/counter-strike-2-free-download/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133397403245908893"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2132	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	4120	chrome.exe
Token: SeCreatePagefilePrivilege	4120	chrome.exe
Token: SeShutdownPrivilege	2564	unregmp2.exe
Token: SeCreatePagefilePrivilege	2564	unregmp2.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4368	4120	chrome.exe	49
PID 4120 wrote to memory of 4368	4120	chrome.exe	49
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 4764	4120	chrome.exe	86
PID 4120 wrote to memory of 3652	4120	chrome.exe	87
PID 4120 wrote to memory of 3652	4120	chrome.exe	87
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88
PID 4120 wrote to memory of 3584	4120	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://nexus-games.net/game/counter-strike-2-free-download/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff02ec9758,0x7fff02ec9768,0x7fff02ec9778
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2828 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5248 --field-trial-handle=1900,i,8227779855301433644,6946291250385700851,131072 /prefetch:1
  2⤵
  PID:3756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3396

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnlockConnect.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:1376
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:1264
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:3776
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
395143d6a90a5b81d996064b85abccfe

SHA1
24145f95b1693af3dad616663182bb35a9359777

SHA256
888556ae8a16bab5875aeb0619070086945da3b8fd84a26469301c14fe4fc90b

SHA512
502ab917c9470535427e19b3a06ec72da1bb5122e0cb102b665924e40169e56bedb6beb43e8f621942934bc6d65b427a7ad1601af145e90122f12185634f91cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
978bf83078392c7d2ddd336893966e2d

SHA1
137865e18cc900bde60c15225ad5f8eb15e83eba

SHA256
0049329ad6c5d43930008da6e5d961b86abbdaad885dbd617e54b5a606eb8e13

SHA512
a4e682a4149443713dc45cc056639974e833609960d49de246619d8132c09f64d8175c13cfd43fe1a2fb57c829dff5d08f8d99fe39b65109d31513e1a1adc692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
c3db2f86929dc782cfba3326611347c8

SHA1
bddd594d6b1bef2a002fe43dcc497cdbaa179b72

SHA256
8e6b3414f2c89668d13014080249a7b0c35a0f38528d269ad9b43d15b32f2668

SHA512
4178782edb808edb4665fc113aac0dd8970c64bbaed54afdcdc0a231a73d29b27607ace55aa5065e3fd4943aa0f4caa3a8020bfcb9dbbfb598744ca27295fd02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
41e020ee798eceb4ac90cba2142a7a1b

SHA1
714ffdf4ddc441ae72c3fb2e4548a8219ad06fb8

SHA256
60968b6f285adc7f7347c43815c17a27a383807366f91212b81b17cac20131a8

SHA512
29d22703589df058c7f3509ce58f8e2f8fdf1fc2077e0622a796e4f9c17e563994e3cce83d74b5d58d79ae5b335a1e114c86ca7fe149bab10c3656c0acb0ae76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
520c8b99c4d7ae90b62f543f1cfba1f3

SHA1
fb2d4420d1be476cce301dd2629eb7cd510c1671

SHA256
567ddc64ce1eb90dc6ddced1c03b86e915142ce8b48bf5a9d6df694421ba7431

SHA512
4bbab79527cc8559717eb7e670769e234efb63f2b2e76f24aa28adbc170a46d046e0fa69a05e3c2057c833cf1a6fc7eb690e601ba1681c3860a34a9bf63f9e7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
259B

MD5
95a8d03152302e6deee0b2dd1dbb4e35

SHA1
85494faa0f222e41b88330fb66ae7cce198efaf6

SHA256
0cd0be4a453467626d8af21b1d9ed3ce9ebde77ca53334c5edf2eb023442086f

SHA512
8f775d06882efe3eb2df9a9cc601c44b21904a3390e5a19f7896050554a690a6c28abb8eaf900290b807db82eba3f859eb58c2fb18554f6836b962387a017db1

Download Submit
memory/2132-116-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-115-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-105-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-106-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-107-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-108-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-109-0x00007FFECF2D0000-0x00007FFECF2E0000-memory.dmp

Filesize
64KB

Download
memory/2132-110-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-111-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-112-0x00007FFECF2D0000-0x00007FFECF2E0000-memory.dmp

Filesize
64KB

Download
memory/2132-114-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-113-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-102-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-117-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-118-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-119-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-120-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-104-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-121-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-122-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-103-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-133-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-134-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-140-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-148-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-149-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-150-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-151-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-152-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-153-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-154-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-155-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-101-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-99-0x00007FFED1330000-0x00007FFED1340000-memory.dmp

Filesize
64KB

Download
memory/2132-100-0x00007FFF112B0000-0x00007FFF114A5000-memory.dmp

Filesize
2.0MB

Download