734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
595s
max time network
599s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2012	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe
1624	MEMZ.exe

Loads dropped DLL 27 IoCs

pid	Process
2012	MEMZ.exe
2012	MEMZ.exe
2012	MEMZ.exe
2012	MEMZ.exe
2012	MEMZ.exe
2012	MEMZ.exe
2012	MEMZ.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
3456	taskmgr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207f11f45673da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000efb6019f6a245eaf091124b629e4c6a9096b4192544c2aa1a5f62d0377239fcb000000000e80000000020000200000003d3209f072e86c2df53d38b24e696a913a34cc1eb0272f798cca4570cfd4c08420000000ab6781620452ef16785dc408e4f8f8a92a08ef63ccfc7fffa95d4024d815c36340000000f46760d1ff78251973f7488f152136643af6d63ebcdba0633155d2da2733737a2fb780e9f7b2126395ab9f9f41b35b72cf28862920717e9d0a8c37e722c3ee29	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416283864"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000000e64d188cc3a121991e62c616a95d792bb2ba30d79ec9021b7fcff625f5be5c000000000e8000000002000020000000d259a6f50cca3f83b7645dd96c0d8d101e99134f54a218bc7979b5e533c905e970010000e9e048e2ac4114eae5d95df593f6ef19cca07658a4c6373222a98965446ebb4c0cabf5c754ec52187dca31740e6f4205c06a90b6ed1ec139ef3a877f74803565f1b7083c1f23a9d39065316498506fab289ed5ade8a94368e98d9b5e33ffd79b23d267ee0e9f4e9ccc33a3d416dcf4ac24a47a7dd03256a6964fa281eab5d1034a705f32e7d9a8171a5dbdb55dfdd0151e9e07310e08eecb7469448acea416fc185b4b0e30ca8f1f71110472520670d4e0352862ce9e8520d94b691d0d682ebb2881247fffe25a0f4c2db5b3d8aec882fde2051ae01ec3e5e93907ed3ccf51866aa9c54bc4cbf190d4d3c3293e59ad7485ea69b77b7ac7f5fb7eee5bd563e4e43f62e1467953a032bf23a497d9777bbe392e108808e0acdf83e5f4d6969e511ca88cb2039858cc8d569e97711aba4c89054b1b9c8e90b4dddb1f161f977398bf9ce871c83c4a7bb68588b555821c883b62627f4f044c2473f0a7a022865507ad3fae2a2ba72f32e7392f52390054d41b4000000060dee240685c44a4ae0f92b2ed2ca5dd1eb981295b8841c992762c8c3b78a397d9549c936bdc976b25d1ea1848d53ad899c2933ad5db8899a3a6a84b24552c07	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DB1AF31-DF4A-11EE-8FBA-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000e92c37e819ab3d1068a16a326d08f7e3eca8f17ab8713adfe2d66fceabaf05ed000000000e8000000002000020000000ab4a8ec25ab72455572ff4e5bc6a694cfd191bde33e5cdc405b6307e9e39a87e700100002fffb01d886f13232bd0bcc47068c3bb8369b2e9e458f512599969dee8fea622ea6d36a6070702691155cc481585c985707ce2a17f52809aec0709fc46716d7fd26abc20d453c3c846572e45ba445fca5a4315245e7250a03f4da3abc29343d4ced2b5c57b59a1d85cbef6adf33bee7022caffac6e94bb4bf0ead2cf45bc8b438942e53ce9053a155a275da0383ac49d6fc8dec84880324950001007eae01a950eed08de2ff5cfe64caf75cfdb04b66a7adad8a170e1e7fe33a5d4e8cc7bd24295f32b6bfa62f1e4a69a5502dfbbb05aff843dbb62fe6eab76bf9b6165bb1e040f85966ea637529eea3261150b49b798739cb3b41b9d4281d5a3dc150f7c7c897cdf4c9aadd9b860798de3f9411718367be419c4154f423469b846ba2cc6f0fbc8d5bf82052c2eb8fc092244c3888318d118d13baf343f949fcb2897be54ef562bc59f661cabfd7fd7479c7135f6022e532fdc52500069b5ded1b78d523e3ab0fb591c0e2f2fefea796ca392d3266e3740000000bac1b5bb2af9570df78ead46bcf344689df94f14c8269a7864110e81ea3a1002087f3f5401a0437c58cb2ae55b457cee95daf830d6ba3bc91fe240a6ec0a4459	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d2beb23f9989dbfd3f889a4444f35f0d27f3a7277d2bc71e58e6fe044f886c5f000000000e8000000002000020000000ceb41e673fdb563cbd589979030d090bbb84cb417483611cbe3b14ec2b7d60b5900000007b72e54a7906484e2a9948be8845fb39f805b3a55090fbadd542fba168e8fae9fcb43ec506497a7bfc393ae9131f56568a65a03b95b25b2a39d4d4fc0e22afe74a9adfaba0b28de4cc9e717e1cb747bf60dc4133858ff53d7bac9dd35429c744b0894836210154ca29986765e44719b20527de89cc81637ebe7653c437cbab2cd37009dfce877b8377677942feeb3e3f40000000a2a422bf048388dd5ca9cc7baac3efd13fba57e0db4391e81a9e2175fb8632aad53d77bb7b5d0536a927b0dcad3b119595e6da80ba6b6a922fb7a8a1d304b43e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Runs regedit.exe 2 IoCs

pid	Process
3396	regedit.exe
4544	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2012	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	MEMZ.exe
2008	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2832	MEMZ.exe
2828	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe
2300	MEMZ.exe
2828	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2832	MEMZ.exe
2008	MEMZ.exe
2300	MEMZ.exe
2828	MEMZ.exe
3040	MEMZ.exe
2832	MEMZ.exe
2300	MEMZ.exe
2828	MEMZ.exe
3040	MEMZ.exe
2008	MEMZ.exe
2832	MEMZ.exe
2832	MEMZ.exe
2300	MEMZ.exe
3040	MEMZ.exe
2008	MEMZ.exe
2828	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe
3040	MEMZ.exe
3040	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe
2300	MEMZ.exe
2008	MEMZ.exe
2828	MEMZ.exe
3040	MEMZ.exe
2300	MEMZ.exe
2832	MEMZ.exe
2008	MEMZ.exe
3040	MEMZ.exe
2828	MEMZ.exe
2832	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
2648	mmc.exe
572	mmc.exe
1624	MEMZ.exe
956	mmc.exe
3456	taskmgr.exe
3256	mmc.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

pid	Process
572	mmc.exe
956	mmc.exe
3256	mmc.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	2668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2668	AUDIODG.EXE
Token: 33	2668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2668	AUDIODG.EXE
Token: 33	2648	mmc.exe
Token: SeIncBasePriorityPrivilege	2648	mmc.exe
Token: 33	2648	mmc.exe
Token: SeIncBasePriorityPrivilege	2648	mmc.exe
Token: 33	2648	mmc.exe
Token: SeIncBasePriorityPrivilege	2648	mmc.exe
Token: 33	572	mmc.exe
Token: SeIncBasePriorityPrivilege	572	mmc.exe
Token: 33	572	mmc.exe
Token: SeIncBasePriorityPrivilege	572	mmc.exe
Token: SeDebugPrivilege	3456	taskmgr.exe
Token: 33	956	mmc.exe
Token: SeIncBasePriorityPrivilege	956	mmc.exe
Token: 33	956	mmc.exe
Token: SeIncBasePriorityPrivilege	956	mmc.exe
Token: 33	3256	mmc.exe
Token: SeIncBasePriorityPrivilege	3256	mmc.exe
Token: 33	3256	mmc.exe
Token: SeIncBasePriorityPrivilege	3256	mmc.exe
Token: 33	3256	mmc.exe
Token: SeIncBasePriorityPrivilege	3256	mmc.exe
Token: SeDebugPrivilege	4964	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
280	cscript.exe
2324	iexplore.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe
3456	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2324	iexplore.exe
2324	iexplore.exe
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
624	wordpad.exe
624	wordpad.exe
624	wordpad.exe
624	wordpad.exe
624	wordpad.exe
2624	wordpad.exe
2624	wordpad.exe
2624	wordpad.exe
2624	wordpad.exe
2624	wordpad.exe
304	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
1624	MEMZ.exe
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
1624	MEMZ.exe
304	IEXPLORE.EXE
304	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1624	MEMZ.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
1624	MEMZ.exe
1280	mspaint.exe
1280	mspaint.exe
1280	mspaint.exe
1280	mspaint.exe
2308	mmc.exe
2648	mmc.exe
2648	mmc.exe
1624	MEMZ.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1624	MEMZ.exe
536	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 280	2440	cmd.exe	29
PID 2440 wrote to memory of 280	2440	cmd.exe	29
PID 2440 wrote to memory of 280	2440	cmd.exe	29
PID 2440 wrote to memory of 2012	2440	cmd.exe	30
PID 2440 wrote to memory of 2012	2440	cmd.exe	30
PID 2440 wrote to memory of 2012	2440	cmd.exe	30
PID 2440 wrote to memory of 2012	2440	cmd.exe	30
PID 2012 wrote to memory of 2008	2012	MEMZ.exe	31
PID 2012 wrote to memory of 2008	2012	MEMZ.exe	31
PID 2012 wrote to memory of 2008	2012	MEMZ.exe	31
PID 2012 wrote to memory of 2008	2012	MEMZ.exe	31
PID 2012 wrote to memory of 3040	2012	MEMZ.exe	32
PID 2012 wrote to memory of 3040	2012	MEMZ.exe	32
PID 2012 wrote to memory of 3040	2012	MEMZ.exe	32
PID 2012 wrote to memory of 3040	2012	MEMZ.exe	32
PID 2012 wrote to memory of 2300	2012	MEMZ.exe	33
PID 2012 wrote to memory of 2300	2012	MEMZ.exe	33
PID 2012 wrote to memory of 2300	2012	MEMZ.exe	33
PID 2012 wrote to memory of 2300	2012	MEMZ.exe	33
PID 2012 wrote to memory of 2832	2012	MEMZ.exe	34
PID 2012 wrote to memory of 2832	2012	MEMZ.exe	34
PID 2012 wrote to memory of 2832	2012	MEMZ.exe	34
PID 2012 wrote to memory of 2832	2012	MEMZ.exe	34
PID 2012 wrote to memory of 2828	2012	MEMZ.exe	35
PID 2012 wrote to memory of 2828	2012	MEMZ.exe	35
PID 2012 wrote to memory of 2828	2012	MEMZ.exe	35
PID 2012 wrote to memory of 2828	2012	MEMZ.exe	35
PID 2012 wrote to memory of 1624	2012	MEMZ.exe	36
PID 2012 wrote to memory of 1624	2012	MEMZ.exe	36
PID 2012 wrote to memory of 1624	2012	MEMZ.exe	36
PID 2012 wrote to memory of 1624	2012	MEMZ.exe	36
PID 1624 wrote to memory of 1560	1624	MEMZ.exe	37
PID 1624 wrote to memory of 1560	1624	MEMZ.exe	37
PID 1624 wrote to memory of 1560	1624	MEMZ.exe	37
PID 1624 wrote to memory of 1560	1624	MEMZ.exe	37
PID 1624 wrote to memory of 2324	1624	MEMZ.exe	38
PID 1624 wrote to memory of 2324	1624	MEMZ.exe	38
PID 1624 wrote to memory of 2324	1624	MEMZ.exe	38
PID 1624 wrote to memory of 2324	1624	MEMZ.exe	38
PID 2324 wrote to memory of 2932	2324	iexplore.exe	40
PID 2324 wrote to memory of 2932	2324	iexplore.exe	40
PID 2324 wrote to memory of 2932	2324	iexplore.exe	40
PID 2324 wrote to memory of 2932	2324	iexplore.exe	40
PID 1624 wrote to memory of 624	1624	MEMZ.exe	44
PID 1624 wrote to memory of 624	1624	MEMZ.exe	44
PID 1624 wrote to memory of 624	1624	MEMZ.exe	44
PID 1624 wrote to memory of 624	1624	MEMZ.exe	44
PID 624 wrote to memory of 600	624	wordpad.exe	45
PID 624 wrote to memory of 600	624	wordpad.exe	45
PID 624 wrote to memory of 600	624	wordpad.exe	45
PID 624 wrote to memory of 600	624	wordpad.exe	45
PID 1624 wrote to memory of 2624	1624	MEMZ.exe	46
PID 1624 wrote to memory of 2624	1624	MEMZ.exe	46
PID 1624 wrote to memory of 2624	1624	MEMZ.exe	46
PID 1624 wrote to memory of 2624	1624	MEMZ.exe	46
PID 2324 wrote to memory of 304	2324	iexplore.exe	47
PID 2324 wrote to memory of 304	2324	iexplore.exe	47
PID 2324 wrote to memory of 304	2324	iexplore.exe	47
PID 2324 wrote to memory of 304	2324	iexplore.exe	47
PID 2324 wrote to memory of 3028	2324	iexplore.exe	48
PID 2324 wrote to memory of 3028	2324	iexplore.exe	48
PID 2324 wrote to memory of 3028	2324	iexplore.exe	48
PID 2324 wrote to memory of 3028	2324	iexplore.exe	48
PID 2324 wrote to memory of 536	2324	iexplore.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:280
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2008
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3040
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2300
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1560
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2932
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275479 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:304
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:209963 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3028
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:865299 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:536
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:930851 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2052
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:210033 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1260
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:996424 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1136
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:1651774 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:2580
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:537707 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:2764
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:603262 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3888
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:2372673 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3720
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:1324128 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:2100
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:2700383 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3680
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:2700406 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:5068
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:1324187 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:1020
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:3028082 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3864
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:600
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1280
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2308
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2648
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:2260
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3456
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:3684
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:3396
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:284
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:4544
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4964
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:3176
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_A3BDBA792161F0ADEE935E6E6327D8F9

Filesize
2KB

MD5
06a67c4486a0441f01699b3297fb3f4f

SHA1
f8384e7d2a73dd9bdaa96d83a30bc5d6eec379c2

SHA256
3228ff4cd4d9dba2ae9b60b22beed26fa84296f1185583b0a5a395a75ed78cdc

SHA512
37b705c1a8c6847623b8bd61f78d527bb9f53534735a25aba86d63b524a32563531363cb9609481b4eb1dcd16eeac7443f286292126e6c6325995e5340421181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25815685f4efc87d1162095a54295fad

SHA1
78c369eebfa4cbd40ceda7a9fb935b1ff9568b04

SHA256
7f8831f8c3b72f6e05ba336c028530a99e7846970778d639def50eedb9d35cf4

SHA512
435c1da6733c8c59a10d1f0b51b157d0cc8647f784a1753abf89edd845d2b1535765b448da3f14b44e925c0531cf9595cd9a06939a7a749a1356ebdae3f721dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48946DEA5580C3F43660391B918DD323_6B6142C197A95FBFE3791BA39C0CAFB4

Filesize
471B

MD5
368962cd2a3d2e49f1c93e9c6334138c

SHA1
73c2802e3ec6370dffb99771329bf14199a40d78

SHA256
20f0a2189bd3b06bc2d9ce6c87b270c2d54a7b78a84efc8f423f6b0c2d210712

SHA512
7b397c86b53fbd125f39d1f3f043743a1d13554fdd57571f95f04bdab5cc571d70fe6800ae4f0e2902f0c970a622802266bc25734715f207a203b42a51aff9a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
02be4b01991a79ad90dfa5c48fd9f3d1

SHA1
5d21477930dd665bca274029c5a07012a83c9f0c

SHA256
59ed00a9a0711c349ac7e35380e60196223d7045d996ab8e1719da0ba438f913

SHA512
bc43f6099d769adc9e69e8bd12d42bbd3ccba4ecb11b220abd2625cdc6e8e6a8ecf17585c14f82631a4c8d21efda6fae7cb4305d1fdf5be7a226c7b96904947a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_A3BDBA792161F0ADEE935E6E6327D8F9

Filesize
488B

MD5
f610c496ea0f5e577e207e5c9e168367

SHA1
80c09787d5fbfc041aa5284dba60036e8ab8c03b

SHA256
b6beec403358e3e672bdb060370fb89e8d390f903cdf4a5676641f07387bbc5e

SHA512
b1b96b0a396d00b14a37a1e23b7be2166226b8df08749fe47c64047e40cdd35f5cc5f947b7b42576e383186663cc9c4f20b8bc6007f31be6631fd6477caaa829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
53dc74cf376b560a6133e29163be0b9c

SHA1
887a5f81cff209404cf4953f99ec40975f06d193

SHA256
6a3caf8c3bf478ef3a7d75d4f72feb583f53a43fb8da208c62f01d243e3eb9f3

SHA512
823ae94fe45e3a7b1a35c65e715a96ac36d0d81cdf325d00cb5472bf29d814aa5c63684c97e2ee14907d39fe680efc75b5c5cee4a27f497121cea3b3d8935ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48946DEA5580C3F43660391B918DD323_6B6142C197A95FBFE3791BA39C0CAFB4

Filesize
496B

MD5
6f7800a954ad9d8c3b980f44ef6e44a1

SHA1
b38a2d3a6213dbd7fd8958aee4fcee910853170c

SHA256
bbd1ea57bd45cb750666753260301261c59ee3d575032911e7bff9fccbf0084b

SHA512
835e1c790919ce747346ae4fe0b53e5f81b78206b93e32a59507b7d67c463f6263cad9d8b8fddd77daf76ef44de1b82f9fbaffdcb553186b2fc8c8c0683b5881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f6b9df3e4bd132d25f22a7d49009b08

SHA1
4eeb0c7e13ac90605409598841ff726d6e07acf0

SHA256
e4480f7af62657af6858ce32b1193ddd131cd366501522d085e201ab384a6922

SHA512
7f174a4eabc2d88826e73d367c66336ff6579abf92c48c5009c24a17c8443452b93954fe984ad359de66873b266dbcf8e956ce44f07efe300737c0ec09cb18a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7c5451723db19bfd6f8c2b5baddd643

SHA1
9719f5e10215bdfdd088750943547f9d60054ed0

SHA256
d806e7dfa37074545527ef5640294414915b8234f181657fe44aafa55a70d5e1

SHA512
7bd5fd9b4bc17d333c5242013c90b2f0f588c08787a83c1bcd1a77591fe4362010b2349d1abf333f964e2a7d2ca29369032ad162991dbe55332621cb13af6c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9ab3c956a9892d1a51431fa88087af7

SHA1
eb1de2f4a8390595802393057166568b530a5bf1

SHA256
f3ddb9c238503e9006cc59e18df2013a633a8d806b0cb48c4ab426655edf2f62

SHA512
7245d8764ee39d139ea2c2c8873bbd57d63d1806cb7c77d7c7523a989fdb37a08c11d3e08f68940a536a4ae18c8720f56fcb6069600c18f780638e3b3a5ecc56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff0bebf11eaa9e14ff1e8a61db1628b7

SHA1
24202b703cf75950fb33553abed253ac2c070dff

SHA256
81cdc420da1b653cf9641c4d09bc88447a9c7678215ffe94a18645cf5a6f330f

SHA512
8ebd893c62480b44cae45045288db5409f69a362e067418dec85421c9b7862a30c271c9eb8dad7dfb5aa1fc7add1379aaa406ceaf3104e16694f4551897cac27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd627ea99fc6ae3f1f77dac60c38a345

SHA1
efa628c6d46ef332c9025301260bc94820f145c1

SHA256
92612dcc3d650cef56e3b266c4c335320d330c208866712254a0e9b22285dfe7

SHA512
8438dfb29524188cae67fd88d6516cb7b0e588996f47ae582dcf2c44d2c5df4dc6aa5f9ba0d4052a0dfa85251f292a79246508ad58cbe311a3a34887f233c485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12409a6a2d2c7029ce332a05088fc598

SHA1
f577666716115366e77206040fdda4a8d98570ba

SHA256
a264f9ac8ec7088a269d7c1c037f528f3a85986e49b7b45d3cc1a51cdd9e1ea7

SHA512
aa5041fab631844b36b2862c13077f50c577c4b402113cf27a4e615310cce3bb2dc4199213b2313453c1e99a636aaf07037d79e4d38544e9bf8f3adf1681f147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8628c800b924428e8d2d7a090fe4364c

SHA1
cb7d372abda7e9ce128942b46450261bb6925e6b

SHA256
8d80a265380310a480d004d1e44ca8f9c4e94f1f616f7bed0bf0beb2b4e1cee2

SHA512
702e91e4c86f6ba13f805020878d6e6d31966fa994459291dd2e5330d02f04c7c9deb03c67645fb2712eca931b27c83dc2252b284571c39c9204675ec428cce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7ebd37bd073a967381b39648d6a3797

SHA1
584d8a6b3b5dd3bef41ecca9ae201c73805e8c91

SHA256
7a04709f36030bb38e00682f1ae41fe7165f35bbd15b7bec77dba917975545a5

SHA512
350e239edefabb6b94fd3e0ea4ad551a07c41dde913d49843e183b79d4b60ed82f145cd424dcbae9f5034e8aae817abc34efb5d7fa045f5519f8177d78ba50e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e37442e7375aaac811cb9bc31fd4042

SHA1
f16f9c42762bd074b1cfd4db497a24922d10da91

SHA256
411e1e9ad042ef7b318798acb5ed8f9ee0b3567f3fbfbd218f48d86c74b7910c

SHA512
f51b0e681569bfc4db128b2b1496ccc22793b83cbc2c7b46097bef9232bd7a53559837755fb84f2f80478e427a76f7da09d0cc5d4304d6da32d86b4e211cdd9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03d5837cc4992464b44e3f93fc9f3ca1

SHA1
6319a3450187d27ba87f4ab52b192e681008f21d

SHA256
be00089bbb12065181e873f4904bdf6ee478e59e1f5379181c9156afe5be2da9

SHA512
c54ed4a6210c7b4403e3394bf60f4f2f20a93bba7ba4116b57474aa5b60e98a0ef33c544d9c9b0a0e56a0efef30551e53f7ccf5fd2ce679f65acb0046da7c1c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8150ce0e68eb467d85290d0c48059b79

SHA1
35d5cf5c5a6654775b235e2b9558e9d55785d3a1

SHA256
554212b102c4229148a926231f5ed412878bb6c83ee42137360e3d8aa0d64607

SHA512
71df57b77db539073f8800d502201eb59b0b9b326147ada27de640bde71bda79e376c2ddaa4cd99960f95d6201c4a3a7c8148d555977eea73a9e34348edaaed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d12d77cf014675b9867cd70cf9f4c086

SHA1
0896c1303316960f654683d39388f945b9f8e65b

SHA256
dbe962248e16eff5ceeab4f8b2e97ffdbae255d61c9d8e9e5377b81bf6526034

SHA512
5e1f3bc5ddae6816589690a24287f731ea9645f58d712692b1ef4690a513d2f1ece2c29a7e8c3452692ed56e456b05544fb1c40d76791454ea3612d7092e7322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
561214701232094e12f766d9d1496700

SHA1
d516714642f88961b683c9b743099f33aa89571f

SHA256
4a1fab710e83b6b125db13655ec4b2e0d241e25cfb86fbda0eee42105afa1426

SHA512
913170a767822c5a4cb793a4e418ab3aec976f5a3e72793a7b6d0a65c2ac81d0f247f0b8fc4b056d4af9059372d74878fc7ec934b7e1bc7477c7a1b87856e488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3fbcf747d1ce2eddd061009441ba3a7b

SHA1
19a8e314a728e1b83bce4d409ffb79d68fd9f307

SHA256
fd5271bc2433d5d25e6904b604896db3b00548e09a847af6375f320e3639da1a

SHA512
bda573eb83010f85b7683a0df1fb19aaf9f061e23fe69ea30caa792ba2145425ab424e2772e33b6814cffadc69732d0f59de52f0e312ef6d9fc171a19ef110b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
288a27b46bab49cfe3b1a9ee4c061251

SHA1
898d15d6d6969d234928dc4aac0827f7df0234ef

SHA256
677f90bd401806bd90c7cd3fd19d6f955975554f57d8b37f95543d22a35325e6

SHA512
8aa89b6b55bba049e2d00c92954c3fd3955f2fb7627b1247eae7963ea1dac5445f47943fb4bcbac16402c143c2701337d514bc1640b1c787a56e7fa468fa0a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
b77e801ff52db515625f7c64fc53d9b3

SHA1
b6d2bfea799e6665c880f186682b194cfb125934

SHA256
fdc89788fbf88f61987734ad0a344338bca24607106e58d778b509aaae0404ae

SHA512
705828d7afc055079ca657e5163c85f09361b89d72f82eb37365b4d5231aa2c23d47bc2837421377254f7ee8ff0e9cc6bda4da5e90acd99193346b3ec409d95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\YR9333QO\www.google[1].xml

Filesize
99B

MD5
8fa5bae439e387f9a012a5751e3a4642

SHA1
967a449db21cfda66fe13367fa03139dceb5a4fa

SHA256
363d25bb94c0f7f716ca7f6d9b065d755a6fc93047302e0bc15f9ac351a11348

SHA512
0943f76a615f615f648ad8f0580443f5b06cc61aec14a172c826dc57ba235ddc021bccd2a9c2fa44c2736bc5e9ec2ea8f63c493712082bb61219adfa94e2070b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

Filesize
5KB

MD5
8fea6a5c1704f9ef98bb2ef21e42e20f

SHA1
6a4442c989ff7ee1bd26e52082e3633c52fbd06e

SHA256
433d27517e6d5f34c6129f2a91ddeb603319dc798973eed5ed57617890b75899

SHA512
8fabf919a21c27de4dabdacb4e30e96bdbc3fd5dce2c13ec1049ec365444829f9fa8be8367b857c48420e571bdc783aff5bac630c4e568d9bb328cc8d0d8b7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\fortnite-Download-Fortnite[1].jpg

Filesize
3KB

MD5
4dd59b88c47196abb1ae0ed52c25df72

SHA1
7dddcb2395b8ae7724050af902d9488441915b39

SHA256
b80ebf233f10ba43c5b9863187f02247e04a33a3eae47c74b79356cfbff9741d

SHA512
69243d9b46006dbc28676dd935ab7408e1e959d69974dc65e47708335257e190690b60ad988c37332dd1cc7f1271a68e30046a536eaff0baf6c4af39b1969e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\supermarket-simulator-Download-Supermarket-Simulator[1].jpg

Filesize
4KB

MD5
a202710e7a79d1b7560f93644a9e9675

SHA1
d48e7c202b8a8f0552bec7b9a5c2f5203196f103

SHA256
08b6a6e2459e8800f493ab10f1713f3aa8e1e2d3b28f2ac1183fc0ce8750a322

SHA512
a2baec76310003fe5adbe20a62be1d67d28ff06c46120d43288841c640d3602993879d09272710d8223aa9eb3abeedc1c799ecdb7ed284b861d2a9c50496e532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\dream-league-soccer-Download-Dream-League-Soccer[1].jpg

Filesize
2KB

MD5
1c03fff0a9ed43494c7b86a56cf95f59

SHA1
89672bd841ad60284bd16555607104f38164c39b

SHA256
5d1b715b47c97324f060068de99004cf65989c7d13ba84cb843d240046912964

SHA512
eea102329133224f1ca736a88bc6e3ae6d1d059e2b4f3a9bf89ba0d57a7323705c8eefd4d33d5ad6385053127c94c81f489ec01acf617e7bb3ba48aa58b85f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\gta-vice-city-logo[1]

Filesize
2KB

MD5
d97af543e20f24b8561747fd88ab01d7

SHA1
1983d938c1006e4cd5bdc123a5ad97e74d97d298

SHA256
0c08248a8f202589126371931c33b4d9c235cf6121c0ce485d6cf2d7f2d4663d

SHA512
62c1341bbadb28ba415fb953364d4571af156e715e4022bc4f6789262df91d011743ce3c536f41421c6360c7a91f45386bf1705cc54171195268f13ff20f3d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\youtube-ps-vr-ps4-logo[1].jpg

Filesize
728B

MD5
5c26d9d526126f9a45e3e04b35c2db98

SHA1
5321cc5ad5980db3da7009412ee14f70fe270f86

SHA256
6088395d376873766571d20c1d7cbe3b18906a2ecc154bc24343362f9e60128f

SHA512
8a0c94d98ac65509c6a1a79ad6f0bd14ab5bf616af588dceaab7f383f8acc73a7d139a5a678732db1a3324fe96a5455c77cfdb3931b185465cfaa1a98cd8874a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\MEZOR2AA.htm

Filesize
439KB

MD5
ae458200ad8b24d159bd05a87ef395e7

SHA1
fbc5adb02e7f0b395e1d6a6f70bd693013af4bf6

SHA256
49c68670c5458f9c6f5694f92caaf25e70bc80af71fe3527f356ab73e25b63d0

SHA512
b686ade047cb0bc07c7d3abbaf5989705789bf4426f287c0ae8de35d8379da6851db600e2a691a05d66f6110bba5412efda39f5192ea77c775ddb677d0743313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\call-of-duty-mobile-for-pc-Download-Call-of-Duty-Mobile-for-PC[1].jpg

Filesize
4KB

MD5
57b09014f37c8973e57e89bab4beb7de

SHA1
d7e7c7ad80b195fd4309a3a2f642c514f850c07c

SHA256
cf62d2dec13b451572c4994017f6c95fb873f41653c2570d973fe3724ab35869

SHA512
fcc16db2ca479c1eac2e57311a5791e1ba56dd34d9266551ff2f0b26c8927d551ef40e7494355f1f3a49ec357f86336b591f9ff1d82ab802339cb177f2d27a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\gtm[1].js

Filesize
450KB

MD5
d01f54675ba2935dad6d6efe0ffc1e45

SHA1
cd01e7ed05af3fffb9fe9a1c3b9d794a9d29ec8c

SHA256
b1ec94c8776b76f4fcd65cef2a97ca272eab05be71010293eaf1ff04f3dde4a7

SHA512
ba981c38f90f79d02c8d7e2f11c34df4c398a83e74e99a94e380f71d4b4b4fb79e12193227bbb003bb45117361196dfeec5d4069fdfc193695c471265b532686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\minecraft-logo[1]

Filesize
2KB

MD5
16c4daad995a142c6989ec7722bfa65d

SHA1
47d4e8fe7fec1838e81ac1ca2b22c8854c678a53

SHA256
f7c141b84ca8c64d3ac0e042e805b4cbf741f0f2de77e594a95aa703ea87e6da

SHA512
ee0e7f817bf3304eff6b61850fd65cfd4603909bbcef8d52b35478527124464d1aae8a24bbc4154cd5585f8829114ea2c4155596372e0c7cc0da3356568cbefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\need-for-speed-most-wanted-demo-imgingest-1311440161785819718[1].jpg

Filesize
4KB

MD5
f15123ef45604789ef90191d77092518

SHA1
21cd62939654ed07674ce859a387f8139d803d36

SHA256
73d82184f021ab9555d1ac7d6078bab4f98d71b91f7be9c76928bc8b3e805c91

SHA512
eb201b617e5820fa6bd7f678b93e5849ddced0481695815a426336c857c19edd5ca53732f9df86678f8f45a3e49a464045742f1aa40d1000345c91960c08c318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\favicon[1].ico

Filesize
1KB

MD5
ac0cd867e03ed914827807d4715bdfe7

SHA1
4051a8c23756c10d9cc00fcde6f7215c780fdf6f

SHA256
b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c

SHA512
fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\gta-v-Download-Grand-Theft-Auto-V-Unofficial[1].jpg

Filesize
2KB

MD5
acb0de9bc214ebfe3eb9eb033456d6be

SHA1
eacce3b82db8623755f1720efd1d3bb689e126e9

SHA256
74b9570dd1fea70495944638939e2fd842d03482a72d89e92e84a80fbd0a7c39

SHA512
b69711d21eaa521933eb4f33215b661a81bd535be48dcfb3cd2f2893d7ec676f769580e28bb0ce7e8205c729c28865387f3e315b8d81923dda0638aab5804642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\predictor-aviator-Download-Predictor-aviator[1].jpg

Filesize
2KB

MD5
e68186e1b310b6cba5224fb2ee689da4

SHA1
17fa79bd0e920066e88f77b735b8c308d165feca

SHA256
a7ff551d46e8b27fa600065e70da4442b33683d66f38be7fc4bc87e3d575e8b4

SHA512
9d0ec57efd13777e3a02a2eb0c5bef7a8920664ac93652b73caaa190530ce887f751d7872b1ae12c10419d77060c39252edec11aa7089af3845e115b873f1d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\roblox-studio-Download-Roblox-Studio[1].jpg

Filesize
1KB

MD5
702ee44566520e8ee7923b5c8e3899cc

SHA1
0efe5f6091ac80bd718a0b2692edfce270715003

SHA256
253c0ecad2fd54412a868a2fec488deca00348d055b805b37196dcdf568b4637

SHA512
ec1c42a0fdb9fac0b9e5a018d396b0be7d5590c0222dffbaef7da930fb513a4e06fe0d4d3cf78dbb6413c3f783067b0b06587ee05b23e303f653017139a64ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB50E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
2KB

MD5
5c9464eff107cf34aef548389cb96fde

SHA1
493a512d5df317b2f9381d6186bbe4037902435f

SHA256
e3c176fbefe67bce97907792440625be9a379805d11067278348892891f9f600

SHA512
3aa85e516bc23c85ce5c36f002afa46d9f38369d5a1efea81065ca010944eb95d98a4127ff79f16f1797032767066e5a7acf84449edbaaadc9823c2d1f9db470

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
858B

MD5
8e11d9336e570e302279dac091e2b126

SHA1
8807be72d61125d027eff45f838395a0396752e3

SHA256
2985b89191150636a0dc1f4b03262a5fc9694eb7700475c1a15a3fadd90d6b71

SHA512
4202d504b827ac244c8137e754d33261359a423574195c6a4544f7b1388bdce495418aaccf5fd6eb548a84585cea205cfb30a61a1e630947ecd6df6662eec6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB511.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB64F.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF0A72A7CF8A585E9C.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5688A2T7.txt

Filesize
90B

MD5
d5440d083a1fda7d184339524eaf9457

SHA1
aacfbe7abb3a6ed16795d724544c45d75bb8e589

SHA256
2f42d7fa0f6e60a4fc107600e4c29a47cfc670a22806c1add8788a309d53fb13

SHA512
2b3733e775460486bb1bd6f6e509fa75546dbf7544baedf1a0427730fc310f061879c9e15ee1af672468137cc0428c178ae35fa036dba24b7d5f185744c826e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J1KV9VIO.txt

Filesize
378B

MD5
4269f7e071de7aed6cb8f60e9da5924d

SHA1
2d787842a2af5817db7593e7aeb3c8a07eb55ac0

SHA256
28853b9ba84175bcb6b5357dad1c056735fd6079db0c71fec3429bcc78b1050c

SHA512
5a03fab28df2cbb3b8aece205c0fb0aada386120f5170e1f26684a7e1119d3f7dcb2caf144885dded8976198fab730278aa3be8048549c22f4565dff516b3a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
5ab668279d6f03aa059be54587054346

SHA1
99757b61d5abd048f841f32fb87b99982439aec3

SHA256
1799217619da1847e96825c675f70a8584d421d0e87ef3b823d25ea40521dd25

SHA512
77e31c175752cd2b19c259339bcb805afb0b0a7961c07b549f2dcdc33587042a94008807ce277126b29e74aae1b8e329989597116fcc813e098d48d927c27fc8

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/280-150-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/572-1881-0x000007FEF5580000-0x000007FEF55BA000-memory.dmp

Filesize
232KB

Download
memory/572-1954-0x000007FEF5540000-0x000007FEF557A000-memory.dmp

Filesize
232KB

Download
memory/572-1872-0x000007FEF5540000-0x000007FEF557A000-memory.dmp

Filesize
232KB

Download
memory/572-1830-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/572-1814-0x000007FEF5580000-0x000007FEF55BA000-memory.dmp

Filesize
232KB

Download
memory/572-1813-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/624-743-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/624-741-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/956-1871-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/956-1878-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/956-1955-0x000007FEF5580000-0x000007FEF55BA000-memory.dmp

Filesize
232KB

Download
memory/1280-1745-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1280-1737-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2624-744-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2648-1742-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/3256-1897-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/4080-1875-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4080-1867-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4508-1959-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4508-1965-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4904-2011-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download