942b44255f18791689aa1678d5c3e1cd5c8b2f98065b3df11686c504b5121058

Resubmissions

22/05/2024, 13:18

240522-qkbh4acg52 4

22/05/2024, 13:16

240522-qhrgjacg7s 4

22/05/2024, 12:57

240522-p647vscc3w 6

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Wednesday May 2024..rtf
Size

3KB
MD5

d78531f7c747000e7128e67ee95c7a0d
SHA1

81d240d0c5f5ed7c108c6dd2b1c84238b2c3131b
SHA256

942b44255f18791689aa1678d5c3e1cd5c8b2f98065b3df11686c504b5121058
SHA512

9dd6e48b37303c46f3c2483845de480eadffffa8814ae30067ac8f2b073e9ccbbfa176207d35e9b309eb8a831bc1fb510c82547bacf357a45f8e5acd11bed7b3

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 308374784aacda01	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1A0F491-183D-11EF-8B04-EAF6CDD7B231} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{913F7731-183D-11EF-8B04-EAF6CDD7B231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000d3623a45c40c1231278efdf44c5e987c01850cd49a8647ddba7b134d5a9c94cd000000000e8000000002000020000000e2daaae5998b188d09ff397e86b6321dddc69d201aefe0a543697417592dd23290000000c67a7c4ca6a05dedd7aa8c48af51960a1301fc7ca0f49a5431195d871a7ec815b3cd18f5aa83b5797002f40cdf63214aadcf1926d0cec34f312e747b25f5fe4f2f68a8a3593b425191bd1e7c949e077634fcde8416ce1c0773c25830e9eca03d08aa935ef9d4d75bc9ba2d37603c1cea28aaffe8b47e348f3a9ac279e52da869736597186d850ac95bd44c697e1349c0400000003f4d032c30442916fcb070e5f3abf94bb0fe648e6ba321a6f55006cdc69fd27a6717b6eb91dbe2c7ff157fb6a506073dbe31951017ab9b4833d818e5fff1482e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d051d6664aacda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000009b1983e261819a7d63a12bf95fdfe2f4c164006270d0b5819bdf94948636213d000000000e8000000002000020000000efb645c3433edb3c9800e055ab065e0667a93c38542da6a331acb2a1098dde6d20000000338b364a55ae8e028f90f1aab15a3a3c7f5c5e912dcc306771e9ebd5f71339c540000000b5d0baea703924cb378bb4fe07beaaef27142bb84577257ce9a55737f02a1c3174942f6951a5cc8b68fd87e3d731eafe0647fddf3388f2ce79bfc0d016cf0baa	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2104	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe
Token: SeShutdownPrivilege	2132	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2112	iexplore.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2184	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2104	WINWORD.EXE
2104	WINWORD.EXE
2112	iexplore.exe
2112	iexplore.exe
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
2184	iexplore.exe
2184	iexplore.exe
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2576	2104	WINWORD.EXE	28
PID 2104 wrote to memory of 2576	2104	WINWORD.EXE	28
PID 2104 wrote to memory of 2576	2104	WINWORD.EXE	28
PID 2104 wrote to memory of 2576	2104	WINWORD.EXE	28
PID 2104 wrote to memory of 2112	2104	WINWORD.EXE	34
PID 2104 wrote to memory of 2112	2104	WINWORD.EXE	34
PID 2104 wrote to memory of 2112	2104	WINWORD.EXE	34
PID 2104 wrote to memory of 2112	2104	WINWORD.EXE	34
PID 2112 wrote to memory of 1220	2112	iexplore.exe	35
PID 2112 wrote to memory of 1220	2112	iexplore.exe	35
PID 2112 wrote to memory of 1220	2112	iexplore.exe	35
PID 2112 wrote to memory of 1220	2112	iexplore.exe	35
PID 2132 wrote to memory of 2148	2132	chrome.exe	39
PID 2132 wrote to memory of 2148	2132	chrome.exe	39
PID 2132 wrote to memory of 2148	2132	chrome.exe	39
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 316	2132	chrome.exe	41
PID 2132 wrote to memory of 2768	2132	chrome.exe	42
PID 2132 wrote to memory of 2768	2132	chrome.exe	42
PID 2132 wrote to memory of 2768	2132	chrome.exe	42
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43
PID 2132 wrote to memory of 1404	2132	chrome.exe	43

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Wednesday May 2024..rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2576
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://lc9kx44366.strudse.com/g3enb92510/%20-%20a3V0YXkua2FscGFrbGlAdHVya2NlbGwuY29tLnRy
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1220
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://lc9kx44366.strudse.com/g3enb92510/%20-%20a3V0YXkua2FscGFrbGlAdHVya2NlbGwuY29tLnRy
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2184
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6469758,0x7fef6469768,0x7fef6469778
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:2
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:2
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2188 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:2
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1380 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3556 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3624 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=1364,i,13836529399091847440,6884214130210843428,131072 /prefetch:8
  2⤵
  PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
6728aea2631b86a76c237508d8ba9b55

SHA1
7a670f95cac088313f7558869162fe01c6dc0ec9

SHA256
e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b

SHA512
533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
aab405e163e1ca363f89cf1ec7b224b2

SHA1
9c50f734f67987c0e8a0bcef73154434b119b888

SHA256
d2c6957a269343437266d34f6d3040643afae5e3c59bc182fa6df0a8166ae4dd

SHA512
a331249896d92631a94331c9231e09f7a2fc1e8f347a8f429a1f98a1291c19fa9dd75104a7df494e22414c61fb9250cb07a9c8a36ecc8ec243c934eb6a86e552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10756c959cf5934332d025a3634a4e2f

SHA1
b511b1fa8b8f6856b19094ddc3e638554a7b26db

SHA256
2b4f7a9acfd02742acde4a40b32d7f5561d5341b050e30c9b3b3e1aa7061d43a

SHA512
e8cf75664b35bd5a6654433f3effbb37e20bade4b4a1a6a57396d537de245218896ae3198d78ca3241970219fd711a0ffcd1ab0fdb550db70e7b7b47e741a900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22b27e47d109e46823e5151ff47ab6cd

SHA1
6d20bf7ae07067dee4a50dbb99b53246575d827e

SHA256
3c3c11f0482c82f83780808614e7f4005377fc6edcc69c812039c3c660579541

SHA512
a12f1f0d802d1125ac367acf0648268d0404292e2ae6317072517d21ea43d3edb9571025909bc3fb18768d8de2e97535f41edf3db7e560e869c37c3a89150372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b06843df18f55e382674be6b8030de6

SHA1
5ef890129ae3edf6b6779540bd663c318c7eef45

SHA256
895b9809a413d938c2f9045c5da61a85c55e9e64ce93ef1ca724fc2aaba947c1

SHA512
236606e1cbff0002271ee9701eeb6c4e1286db1492a73aba1794e0f2dbda52ec546c80bb8dc31b8ae2fc0807fc79fc3c842b61070ed1c4b92a13c1b16f0d4fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8680958179598b774937fd70b9528c0

SHA1
30863c23f1c970e456b1f7999fcae14604dee826

SHA256
2ce38b76887366ca48bc28828de3e017715597d069ff8cdf36e9d00b01a0c096

SHA512
4abdc55e97be1a7fc27d8ef13ac0e7be87617cf6706eabe9dda6d554348faca3be64c05515a4e640763a049d9332b428e04446e7a37e18d14bf1b905d003bd30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9ac429f8c05200f67970581d2e19e51

SHA1
e6d5d9be86c1c0220cd512b052d82eab99d687e7

SHA256
368b8c6b6e4a313fb5807ba1e7832e680889ccc3ab26e0f96e20cf286fa7d04f

SHA512
4fff0dc60a655525e3c529e3200f1288740e317a6755271e5b5e3856c412f4922c33cf99a09ef191e236ad501b93178acbe7f096e7014a1ac4bf0426742e3eef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
943f58a7ddfc0f42b4aa1fcead7cfcc5

SHA1
3649d91cbe338c50c357a198ada79dc684480ca3

SHA256
307a7167ac6d9b5c41335f4f1f63a3046db8767d0ba3bdbf2b2c65b375b3718c

SHA512
3600b716daf4dedc1670d1043443ae42ea61e2e7ab79ab9e933c93f4df726738bfb7ed39cb435c240727cc6ab97e64c673157abf93d905468d2d7cc6279217a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a419364b87970c7a474afb7b2071fd7

SHA1
1d5faf24fd586855826fc1219e687f23b8ab8036

SHA256
1f5b47129c40aaaec70177b8a4f1ce608dd3b9bc59a97d3b00aad5d340692664

SHA512
c0592712b63dca4f2eeb32fbbba50d689a2f17b8fb928c7db146434590e826bdec479116e0767809f9b9f2e4130e97c618f2a778d74b41763a194e438d32f103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0805a322d5fe820fe5659dc49f7e9763

SHA1
a98d30d377b340575448251d3fe4cef203ea5a74

SHA256
49b39c8d59f7118f78dfbc2c93b608f4f51ddc83448cf8f8fefbc5dc73108232

SHA512
b0f5ec8e6fe2a79dd52a69196f97fd84acbb1efeefbe96b69771b520f15cbd5447faaed0564a162ada4acc27adc3c71ddb5bedde44c253c2a30289965588d37e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b517326056f2dacffa77d3f891b65b6d

SHA1
3526f974d9a3a5af71700cd42f285042042b9a02

SHA256
dc8465597b62439636109338fed74718c16f0ca45741780c534a907f6e3c22e6

SHA512
b95245c436c437e110bb024d19cb1097200aa116114bde0d32e23facbaf416a47006a3aef08beebfccaff85901b5631647cb5bd088eb65a55a423461867e1dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
847c9d2ca658288777f7519ecd74b813

SHA1
5fa3c98cbef13aa6d81f18c7b9efb0f63cd8b528

SHA256
d987a2d4f0595baa695523e7a3ad3c70e0d62f2fc84d0fe452b83f26a38cca0c

SHA512
11705713150d730eddee0dcb6c01dd730ac9d02cb5c87d36719b297b1d3789b2f392aa5dd57cb8f1278c53c2d73b3ec89690eb2a000cf3b5f711a6405b5c31a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c13c1dbc269e86c42e2ecd25ac4256c5

SHA1
0ab1cc8324193073c2809498d0e0471baa421077

SHA256
1de55220acc72356366f8a4d17c60b171f3893be7b6106e99476be39a26d0737

SHA512
03ce41816345f213564d80df1be682598995b88593c5046c7ec5481376c600e3a314cac880791db4e25c02cba56e85dabfbca6607218e052a4cbace09010182d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52848b45a80925c3a4b9f325082a0bb8

SHA1
956c3748bfd96011fb80338fc8edf1ba406a0446

SHA256
5d1c2c03cee2a928ab0747bdc8a0a36d31ff0817b542d16f2c37d4b72e432349

SHA512
44d7eb7c77875dd39d6fded116d17a46b2809cdf5f993994df3f8a7b0699bf60c0b3167e57c80674b5cf19f19c9b94d51a5cb02b000aa8f193d3bb51d22706f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2d3903897896f5017ac43a2f62546e1

SHA1
ce3688cbfb4a9197f9b240635a96de0b57ad3c23

SHA256
99965461d4535f19aebb5162345a46377629e37c84242e8d88565b05b9e93c76

SHA512
e8bc4802de15fef0747140c90f7401619b01188f7fe85155e79cb9c5a2923522d7d668c112b0e74a522edda7d8d3d5d9c93ce99df3d37c2061e3e8230ab0c788

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d8f8bfe2b635ef74cb0aab04768704d

SHA1
9fd406afe2848664140b0b31977b1bef1e2237e9

SHA256
23db7ba6ec4b55b6ff6922b89e2c0c4f9bdb4b4518276776e3d7a6513b214a77

SHA512
04cd076066258b758c6cd29f9ec31bb89c3b6aad187a1ee600b4a15198893bc0090e2ad6ad50e5031f7121f9f17a59e2a9c192e600da4deef8b4c1d79262c9d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc77cc6d17b27371ca1d2600e44e081a

SHA1
547d737f04443dc0e6ae9f0753471112d951e3f7

SHA256
ae6c72872d4d57d133cbec3c48cff090739914ce93150c7a945eaa1bf970681b

SHA512
4d3204dad4a5d68d451a3009872a905407bb6f30e6690b75d788b73e812b870142f2408a02dd181002fccdc6f943e088f4d1300f832b5273225d24b5467d45ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66e1368aad0ece9e47b34c5699e64905

SHA1
adc497fd9406a19b4dc491f1c658327c2eac22ad

SHA256
f073b840d8be9b14c4de65653036dcfdaba7a94458cae4570d542e5006b49662

SHA512
40d6ee738fa724f53ac8430e124f746951731a1d74cbd0ab933a0a39e3a51eb703ffb8df12485f811e71b7c4580d1495544ff65861697fcf2bc44b876152e82d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4683329067b09343256f417ac625a56

SHA1
51ecb46262f36c25d91c7204f2e59567d5fd0bd3

SHA256
e81c9c386fc44487bbe380a31c50b8236f301fce72bb86cf5362d4bbec83f01b

SHA512
9f7f6b5e52fff0c4facede754d90b737c12c40623be61fa8c540663447f8dc9269e85ab7175fb77992f939cc0ba884271c83759ab22381e50560dd31a75b12be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4793dea10f30106e9c3331b00567382b

SHA1
41eb63e51881bbb213416a9ba3708883f33024e7

SHA256
7c90066cd112c285409bb72c362a7aba5e7f9e78e8ad38c621af06d1eb958cf9

SHA512
d04d088ab8fe9b8b0246c988cdcc51786d43430aa545c76f0fbf0b8361b9a70afd9ff0558ed2de27db6e3c0fa0e30a5ed623c0b0aa2614c43e43d9b67a422972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33265539276a0e449049805fd2347664

SHA1
7680474b27c2d39c937fb8b4f69000e18f386d9c

SHA256
edef3ac71e0ed0058086befc553079c11a8824e4b3efe4bd9a4ad64dcec1d327

SHA512
af14f03eab85886c6642562b9085d8d8c553ba8c3d396c4ce4c7de1c89a77441eb5446a50d44b50e560bc112edac00357cf5db51bd65f7e403bff0d51c543e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b9533d02cd88dd747acf6a8ca46c696

SHA1
780f5e3e6cbbfc93d18efd230abb5ac0a26e82bd

SHA256
3956f5e793f24ceada0db2821b78dd43ad1b5683f6255f5e4335e661d356da40

SHA512
6c2dc66698b04a1ec75f3313821f2ee5074835fd90ecb0b600365db8e7229084c655865311b724bfba23e4bafe04ba79e397a63732cfc061e7690c0cd81b2d32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93806243d9138999780868bcff0458ea

SHA1
60e2fcb2b11ceb12a21de3011b4518bf64726bd5

SHA256
ce811a5ae45cc472c96485927665145616413781ed7d0bee4c69a2f238d8ade5

SHA512
8a5e5d4eedc5d59ab5f0cfb97d70f2c6cf3e16cffe02ca303862dd748dbe2e66d1f176a9cf8d629c3261ac7b7e6a0e829f9e026ae17aced1c47d06104d8bda54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
5497de03f739d61b9b6a44de28d5ef82

SHA1
351ae3b4343a185353ac36462a1cb5f7e0c76aa1

SHA256
ebe9d2e54277ceb4415391817013afd5896e171a64714051b80439176e32fc75

SHA512
d656c2a8b2441068ac72068799e6e8ca37b3c61c194e1790274943786114c398dbee180339e1b10d9cbf8d2b5666f9f2b29391c4556022fe6943749078cf79c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6a081a0b8e9f20bb10c4a6217792d452

SHA1
18f86b11ad530cb45cb268a594491237d6a69555

SHA256
e68e111ebf5f20fd777de8abb2e9778cc9ce4d59f5b896df1aa3f463bedb9fca

SHA512
366b7336e88c5e7c1186954208bc8ee62115da7214a1fbde5bffc999da85617e20d627bfc3ce0491fa57f13bcb35e3aa37a8df3983f7e227f226b805e2fd0535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
a692aace8c05d4f3edb52e16b2d4c3e5

SHA1
990769d787c2ebeecdd8e3666550e64011c30171

SHA256
6fdb013cf65492e12d902a674f1ca9c77b320a75505ff72d4d9ea6cbf4296a52

SHA512
c0352bc838bef9e999b56eda5b3054b986f910091525dc029db002fbf4de23f1cb1096110bf306ab60f3d7f24ae392684942ea8f4eb9e5d5ba5751bee09b0b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\da402807-576a-4869-a532-a4f8cd72cefd.tmp

Filesize
277KB

MD5
669265d49df497924312de31b9eab1a8

SHA1
dd6216ef34aa4b9eeaeb070f3f280857ac84be9f

SHA256
23509da1db47c77216b7bf3c27179887c360c006433d023d929f99fd3df41417

SHA512
c34bd5a7662b5f7e5a648cd6dd9108b29c543e57ca1440b7feeeacda4d9f949510d3a042183e1ef2f301a2e3f38436c1cf021c8811444d03c487f5616b8273d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{913F7731-183D-11EF-8B04-EAF6CDD7B231}.dat

Filesize
5KB

MD5
a11b918319d03d3fe1f3aaa9bbc6c1db

SHA1
a51d9795ba312ff18e79d6b42470c8a00444e4f1

SHA256
38f929d27de6870ba428fa10d910e9ef5190ae3baad5cba688cc6b80c7acce14

SHA512
15608aaaba6008360f65d3f34b593e8cc4e0c925b26e26bd959d3e16dfaaca2b35fd743c33bb5f23a0505b2393458a9fb48745b5d67341713672c55b88af4af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE965.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA9048F136D827D6A.TMP

Filesize
16KB

MD5
482e6def32444ec8aaf8b1cf54b07835

SHA1
e3ca5f66610f3c1e4cd6a7ff6bf787b6c9d9249f

SHA256
16bbd22676df8c1f15f090cc2121c8cbd15a7816c71c20076b9251869d80434d

SHA512
b7e135a7c873b94dc25a9b23037938b2a26fa9ca142d729b6bb158e2ba1d7f256acde4e6e5685412c66b21d7fbbfda979c86d223132a06d3d7ecd55738685c58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JQPTYT86.txt

Filesize
853B

MD5
b46dbb2df618c3c3d5cda08da385423e

SHA1
e1bdacd2ec0bbcff8c9f7c62568751534c6bde60

SHA256
8d668b08e22e8b9c9fdcc0ddfb66c564bdd0708c2e09b499b8914d83bd64c018

SHA512
c8d1e917cbeefcfa9f1f61e73eeb2f3ba8a46ee8e8946815fbae3ef7f46b444bcbd63ee21fac24f72f0a01c55cf4f2204063528d0f76a97a0f58d2e64c01721c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NUOBYMBK.txt

Filesize
853B

MD5
2a3fc96fd8e51b681c5b1db5ae12287e

SHA1
ed1b68e4d00b4b4a4dea07a87584f569e5b5093a

SHA256
c0bbc1215a6f0251f66d4bb768443730221eab843ab18a86e342a84ce548952d

SHA512
c8619f9a1c2c627a035ad3ca9f9592e99d342ff73f7b4704d6a98aa60d552f3619e88f3f18bcb48d771701fd398864966bf877b75a765d54296825ca29cbbb20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RUIIIG0M.txt

Filesize
853B

MD5
3d8794da6db52f03b3ec4990f4956c9b

SHA1
e27b6fd3977139fdec14705c5e2d300f97bd28a1

SHA256
4f093ee933a0ec2fabc6439e1d18d086bfcbfaefde1a407064bec15454b1d10c

SHA512
16e4cbd2c133e523a08b2e39831f20d2fb6f8744fdd7712682e562c7a4f63ea62e3a3d00ef8543a9e9516c0568170d34a21da69b93fcfadae67f0beb01165ad2

Download Submit
memory/2104-0-0x000000002FC31000-0x000000002FC32000-memory.dmp

Filesize
4KB

Download
memory/2104-11-0x000000007168D000-0x0000000071698000-memory.dmp

Filesize
44KB

Download
memory/2104-2-0x000000007168D000-0x0000000071698000-memory.dmp

Filesize
44KB

Download
memory/2104-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download