crimsonrat | c59b2d6a70bc5b84998aebb2d21241a8adef33724838e92db4dee36a1ce46f43

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recommendation for the award of President's.docm
Size

15.9MB
MD5

a21c2b37effe3195665ec5597afa329f
SHA1

d764529d82a015204d9ab3fe414c0da5b9829d9a
SHA256

c59b2d6a70bc5b84998aebb2d21241a8adef33724838e92db4dee36a1ce46f43
SHA512

ed6be97c243c677649c395a0a4016bae40719493425265b0541a9d0fdae395e8c0325104003b582925c5a4fabf6b1050d8dc72d7cabfe1d6e00c0f9e03c96978
SSDEEP

393216:Xrh68BRtZSZlpwMkbt6xFczuZQ5x2hYUiF9:Xrw+aKMkMozuOD209

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

164.68.122.64

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
2924	itmvroidovss.scr

Loads dropped DLL 1 IoCs

pid	Process
2184	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\191646\msdocks.zip\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2184	WINWORD.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2184	WINWORD.EXE
2184	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2924	2184	WINWORD.EXE	28
PID 2184 wrote to memory of 2924	2184	WINWORD.EXE	28
PID 2184 wrote to memory of 2924	2184	WINWORD.EXE	28
PID 2184 wrote to memory of 2924	2184	WINWORD.EXE	28
PID 2184 wrote to memory of 2948	2184	WINWORD.EXE	31
PID 2184 wrote to memory of 2948	2184	WINWORD.EXE	31
PID 2184 wrote to memory of 2948	2184	WINWORD.EXE	31
PID 2184 wrote to memory of 2948	2184	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Recommendation for the award of President's.docm"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\Downloads\itmvroidovss.scr
  "C:\Users\Admin\Downloads\itmvroidovss.scr" "
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DOWNLO~1\191646\image1.zip

Filesize
71KB

MD5
7fe99ca8c92501d9362223a407c56d1f

SHA1
554b7f501a5cac618a1dfe2839be86a393671e3c

SHA256
b2de0575f6081dd9341aef2c0c5a7bade8dfce8451655f8c304c57b1114df660

SHA512
a7ddb3226ab7feb74883d8d15b88c59f405b339125ce630566e8f5809e5e410ed8088830b8ad4095de3bf7ca646e7701bb1c17d76b08ac4cd2c99e116933291c

Download Submit
C:\Users\Admin\DOWNLO~1\191646\msdocks.zip

Filesize
314KB

MD5
5e947355589602684bcb17d0c402717c

SHA1
0e326fb308a9c618477fa44df2006ee0991ce0b3

SHA256
b25a03997086c4207cfffdaa73af72f6e2d8b28760bb94d01454ab02763bac25

SHA512
da18d633af8e4c6b2414631620abad47eaa428a4235bc6d23343dada3be61df0f453294c316029eb245dfb3f86c5d2e631c0cf42110f6d6a10565794e3784900

Download Submit
C:\Users\Admin\DOWNLO~1\191646\word\image1.zip

Filesize
117KB

MD5
cec8c4f4d679508b034b879ab1ec00f9

SHA1
b822ccf9208b83acdae4a7948a241d9ef61fe7a2

SHA256
e402f481cf2a645c94f2a652958eb8389682b7324bc7aedf2afc975dc1f24f8f

SHA512
6dcb5cd0318eb6c596a1790a1fc9cf33ef8ab9464b42363f2f0fd8d50eb1594e61ac36e6ed3cfe26d9d7b61073ef84131f512c6b86411fd7cfb7abdf797d1d9d

Download Submit
C:\Users\Admin\Downloads\191646\msdocks.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\191646\word\media\WorkBook.docx

Filesize
45KB

MD5
39aec7eeacf4ce7e8b353142794a7a86

SHA1
a2360e8fa3cede4f209c0c101ea4f878a7b082cc

SHA256
102936f0631f77c880f3d5660bc7904eb8aae5947253f9dd17d5c9654b26165b

SHA512
4df419705680d6c0b7d2ff098393ca999e32b95a2f7139e8095f732450eb093da42a1e5e19a44aca90bee165428d95099801074738936b57ff3fc5d3b1297d76

Download Submit
C:\Users\Admin\Downloads\191646\word\media\image1.zip

Filesize
45KB

MD5
38e3e7b5007c5ba08832aac8b31a1277

SHA1
651c830d59f44220de77c1619465ff39e14745f3

SHA256
cdf10d8232027761c7400daf72c675c4772732dc09c1c63f4c0947459d8c1b12

SHA512
927bbcb99d8151aa2bdf3eef6c03f8d6c12766445e15329c423ff25616c8819890ac8b1d784ce72ceee620b2f45dbf1e4feaa551fbc3d1a77e286cc23fb35ca7

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
201KB

MD5
4366fee2fee23286abdf9b178be000e6

SHA1
5628583c768ff008bced796a1337a749b8ec5f86

SHA256
08ab9ef1c1c36551256d487795a54f02bbfc9fc513dc2acc30921f0f9dcb4857

SHA512
740a3980aca11f1f56dbb9682f5a2a0ddf41f11dab3099b6dc08bee477cd9927cb987450849d40164518c7b07570aef24cf446a5eaed4c7a5026f41c384feefe

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
176KB

MD5
10264f850f1ae8e939249290d490f485

SHA1
31a17bc9b27a6d94ce58022ca89435851e453c9a

SHA256
18ed39f092c47d76b866f744a02458750fac58fda4da1f6dee4447cfa2e9b16c

SHA512
ba3ab3b711044059c5fb9ea8f6260352cdab41cd56f8e40bbd805467ce12286a1198f33ef19741215a937a3d273f65e90baf80545921ebcdf4db346de28cb6a6

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
192KB

MD5
220556b00af02b955d5337aae262ffce

SHA1
db5f69b6a3372ec59a89294bda66c0921c78cc2f

SHA256
fcad42785366dcda62ea6947b8852b1dda99705ef125a48ddfba7ac4b83f06c0

SHA512
5653c701bd0dcd7b92fd99a4624257d582a109ccca5da579a0f196f00597be0459eaaaa6ef534b95118004d68d0bc4deda2658d809b6ed72629f5bb4d9bd340c

Download Submit
\Users\Admin\Downloads\itmvroidovss.scr

Filesize
405KB

MD5
8e4067741cffaa70fd988f1201367da8

SHA1
ffff1dfc56dc90b5a0d5854c861dee3c5271a65c

SHA256
0fce866428aa509f79c3f1e73625117576b999fca839cada142598ab76deff95

SHA512
1bd5577edfa2c31b66e89a9f811742951dc4fa17088b0b03effbf1ef5b6b0215f117bf9249ecb8455dd4ae297241e62796dd2c8f16a03a5bb9d869cdae46a2bb

Download Submit
memory/2184-21-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-14-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-20-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-29-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-28-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-27-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-26-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-25-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-24-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-16-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-23-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-22-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-19-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-18-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-17-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-68-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2184-7-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-0-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download
memory/2184-8-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-9-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-13-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-11-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-12-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-10-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-2-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download
memory/2184-429-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2184-428-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2184-427-0x00000000717CD000-0x00000000717D8000-memory.dmp

Filesize
44KB

Download
memory/2184-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2924-398-0x000000001C400000-0x000000001C480000-memory.dmp

Filesize
512KB

Download
memory/2924-397-0x0000000000FF0000-0x00000000022A0000-memory.dmp

Filesize
18.7MB

Download
memory/2924-396-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-430-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-431-0x000000001C400000-0x000000001C480000-memory.dmp

Filesize
512KB

Download