9cb8c4fd9a6753364fa28d64640acb1f2e3cefe8c71d20e2bd1fbfdd669669f9

Analysis

max time kernel
136s
max time network
132s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

virus.rtf
Size

719B
MD5

28b03b91c0f4b5d2c0683754801ba2dd
SHA1

f654760600959731a1d992ea05a371beb1591f3b
SHA256

9cb8c4fd9a6753364fa28d64640acb1f2e3cefe8c71d20e2bd1fbfdd669669f9
SHA512

293ed9e0bd8048d911ea18703065c1adc23e6897995d9d2022f7c2a13ef0309cc1ff17e4412274f2206bb0ba7406d34f060ed0a9030931266b91478b565735d9

Score

7^/10

execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	MEMZ.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c82e7449066f14bbed42635f6196c81000000000200000000001066000000010000200000003335150ac0783e187e16c09e09da99dc92c7cb8a6fd0a834b25576bfc2a3fc9d000000000e8000000002000020000000e0bb755a55152533596b667b35cf8108646617ab9337d916b27269e9deeefad7900000003aeddb9343135d6b80b4e1296dfafe8caff0c2f73294ef789deee2719bcf2adc92a4c4fb58960a0a4daa89b69b7ef781f41e93e5092f38a7bfcf1c57bd8820c5ad371f226881d3a484645ed5ab6cf695aad66d6c5a2f3951bd6954269c927cd5cfda036e15f705495e87a07c974c0b6d28f14e682bf7e56780ff04d962604030ee3d932427e117fbaba31cd82869000e4000000012f652832a320e4b0fc5731b3f22ab2e10d0053c55e0474f3fb9884a841961b436223f2e737b55a9fa00a66ed5ac34a88affa7ea0e1d0c01ab6ddb8e6d5917cf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107771346ebfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C769CE9-2B61-11EF-A3F8-62949D229D16} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "50"	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1992	WINWORD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2100	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2456	chrome.exe
2456	chrome.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe
2580	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe
Token: SeShutdownPrivilege	2456	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2476	cscript.exe
2516	MEMZ-Clean.exe
848	iexplore.exe
644	iexplore.exe
2580	iexplore.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2456	chrome.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe
2516	MEMZ-Clean.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1992	WINWORD.EXE
1992	WINWORD.EXE
848	iexplore.exe
848	iexplore.exe
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
2516	MEMZ-Clean.exe
2100	MEMZ.exe
644	iexplore.exe
644	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE
2516	MEMZ-Clean.exe
2580	iexplore.exe
2580	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
572	mspaint.exe
572	mspaint.exe
572	mspaint.exe
572	mspaint.exe
2100	MEMZ.exe
2516	MEMZ-Clean.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
2100	MEMZ.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
2516	MEMZ-Clean.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
2100	MEMZ.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
2516	MEMZ-Clean.exe
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
2100	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2524	1992	WINWORD.EXE	28
PID 1992 wrote to memory of 2524	1992	WINWORD.EXE	28
PID 1992 wrote to memory of 2524	1992	WINWORD.EXE	28
PID 1992 wrote to memory of 2524	1992	WINWORD.EXE	28
PID 2456 wrote to memory of 2124	2456	chrome.exe	32
PID 2456 wrote to memory of 2124	2456	chrome.exe	32
PID 2456 wrote to memory of 2124	2456	chrome.exe	32
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 1776	2456	chrome.exe	34
PID 2456 wrote to memory of 2180	2456	chrome.exe	35
PID 2456 wrote to memory of 2180	2456	chrome.exe	35
PID 2456 wrote to memory of 2180	2456	chrome.exe	35
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36
PID 2456 wrote to memory of 836	2456	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virus.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6049758,0x7fef6049768,0x7fef6049778
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1632 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1276 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3732 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2580 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2824 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1388,i,6164383206726687232,14286072115583281686,131072 /prefetch:8
  2⤵
  PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2928

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.bat" "
1⤵
PID:852
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2476
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2100
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=best+way+to+kill+yourself
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1196
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:275461 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2960
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=dank+memz
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3040
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:799753 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1028
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:799762 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:924
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:406546 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1296
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:472104 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1756

C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.exe
"C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2492
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275461 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1660
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8cae16cf51c742cadf51daae1e36324e

SHA1
71079e010faa5f49dfb56d07b6e80410a3c92d64

SHA256
aac62454dc9da9f0d820e9c9bd570279300957525cafc95942c1541da846f679

SHA512
eeb15c6bd7f6d093a187293b2055e8b7d187ec0e50b4f78a277ef9b2452aba7f668a570dcac28cc9c9fe01c26f41e2ef86a2d32b0cd503f9bbd3848afbbc9388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

Filesize
471B

MD5
b7f0ed5edcc78dc28a007d62ce8f63f4

SHA1
dc1571dbdaf199cb9373507ef61f6e4c85e397bd

SHA256
6dafcff9cf8a06212f3976ae929309491493a1546748377a46c95591caeb26fb

SHA512
590633bd5acce09ccfb98ed7a7f1c688dfabb22381ed2e17b7bd5e310cb83e0e051b9c6fce486027b96754512ab21dc86284a066aaa0b92d1a9f2b88a5be1383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_47A43067FD26B14BE12C55F112579786

Filesize
472B

MD5
43d3d51ae02025d484a7dc16fc90a6b7

SHA1
08d183a90a7aba880e32c44ec23753e00410e3f1

SHA256
7c552f07f73f2cf88caadb1dfc358604bdfa663c57dc7b286490270652a8efb3

SHA512
69b80f6cca3d46d5eecbb71addcc655aa67614b0cb6bb4c2f0ddbfa2ca52d6dcd7c008572ae2c1d69db0809018774520bb58f779fda0e1c11067cbdfb9ba1570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0fc64658f351d1698c565e5faedd9e9d

SHA1
3bfb2f2bbf140225cfba84b054c59ae61e528e98

SHA256
6332af4a26bd0b43ec471fdea6654a5452a6785e8deb6b06678f8e4c98fb3958

SHA512
e101c97c496be01ae19748ff4c2d1d2109217b710332956c7389f4d5f527b926618d137af1e8e4172d836b07e4d7a3eae957dd134affaad4178e9b4624378db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

Filesize
406B

MD5
2b50f8251de79ea1475febeb53a2c68d

SHA1
bf3598404caa81ab30d41c0fca93ce1e25216cb8

SHA256
6f51fdec8e2a30ccdf68849f7c1e8ee51b0d394941ec5599d1abd9598ee09b85

SHA512
ab8b4ccc0ea67969f08884c2467c021f290758a469b2c21655a9839b094bf73e17584cf777adc38493634b4e62ac446e3274013c31ddb3ec5da23021b2e9cd48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

Filesize
406B

MD5
b4a2484faf8e77f736aa9cd76f489818

SHA1
3b7b8056d5781e5f5c34a85802fda32d81c8624d

SHA256
f862b65d7ea5393fc37097c00cad3985d1d8b58c3fb634dcc862858aab9d705e

SHA512
c684c331d0101646d83e81a2970e869b544713336418bb0d72defdeab9bca759788dacf640a211ed7dd1074260864804676952f5a46bf88d6cad6734fd05d96f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e944ad01fbb6bce7f01235fbaefa5155

SHA1
f80fd24115c5ae57ee6bfd1f0181d14dfa7ee6eb

SHA256
4687973adae1ee070e6e31422f7f1a1b59d8b798b726e160191ef99179fcd7d0

SHA512
1ebf0e7044613bf6a8bd19c6e8475a3afcda3a67de5f2997ee73281a53eb49d09db1d912097dfc0d2d080076de8e5aadc1947b9f98a37888051793fabf213784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0568c4935472462a058c425e0432255

SHA1
3355d0eea1e81a0e24ad5c95c52b54dc5db1aee8

SHA256
e03d7fe583a8b762ff0ac164cf3bb02ec6d61a38ef8031c68e4051eda3cdf2d3

SHA512
8a8ae03608e102fc8644d5e790a54730f7a5c312bfc5096597280fdf4a737af7027c0400ef0cfa22966ac43734e5efa60369c8a789cd14c8e44ec21459ab6815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87950220714657c1eb3732bf7647adf1

SHA1
c25bba49c6a73e410e1e41606c8903a3c3cd7c60

SHA256
8057f257b0051017cc777c72681d2c5dfb5399f2f83b371d2d02eac4e4bc68b9

SHA512
237bca4774af97cf8494488b412e64df0321701ffdaef6d4a004179e9b53b0d169574311bd86094fc5515d477bd51df39ed67d63e12d33aa6199dd50088f965d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5fe102a819aff405cee2d78f6cc75d9

SHA1
2f1609fa5401669f266231fabf62617be10f01df

SHA256
f009487c518bd5e0875b2e0f7c5cdf392a4db20cfae65c8c513c2babfad81a3e

SHA512
f47367e60e4fff1fceb79c2adc3d2825fd40af79dbe49de68472e68a05636fce2b7425c05349d1307a30200d27add1acf3d8509fe82850dea01506ed519b3da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f81a89ce97887647f2ac1cfab6a0131

SHA1
22d5205235d963fbf2681935ed8e717fa4cd183c

SHA256
269120f5938c49f8260f53bc45810c602b28e7a14a7d95137791a81334f01325

SHA512
f29a6b6e2a47b24ce6e5fa6139c481c888c007f558bd026c743354520d37dc7ffdecfae45bc86e6c5d81686a52c4a324ff43fa8854eb4cd352feb6eed40aaf56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab719f19ffbf3f38020d1ea1fe7b28c0

SHA1
31d5fcbbbea24e5ca8e360f32225ec603fefb5b8

SHA256
d267ec5e2fdb05b9d4d56e43d9d02c4904bcdebb1d9a8a983c61a11d0ded5574

SHA512
d3b6b69b4fe864983aaf97cc6d77f712e8000f3d74caeb118a50398aa20bb4d31087fd4ecc403f9bf90ba9eb32c962735364fd5139d2f44c91180346b00996e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9893a701e3ffda722206f3a4f5c8a7c5

SHA1
7198b4ec7c47f482c3280784cfa930f61dbb304f

SHA256
494bfa3f979c614a2aca83ed5299db876118dcd1f88b96379d3263a84631c6db

SHA512
f472f81e7dbad6500f049620c8a163f20f8a9108b7eca4a8a0fbd6bc1b266958c5fbdc53b75046dddeda1e2c27d2d090a9b150f9cb0f6ff23c9633686f68f182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4170833cf1d479c7870f77707d722600

SHA1
20fdfd9e3b6d413ed1a245c9fd8099ca3674efd8

SHA256
f13266bfbbdca870eaefebbc59e74f9c50bed53a18979a0f5337e2d8692a9dd3

SHA512
636e2fbc5917455cf4f939ea5971317de99a90af2891d3fa87646ddd88f007e1ff391358801a7b4e8a8a235d95f0b820cc19ec5d7715e280168795203cf1fbf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abea2eaed711f18409f889a93a81361e

SHA1
dbac8e88da456e55cf32738425c81714d4014559

SHA256
7f85c61ffcb1b1cd16df474a41c95eae3d01fa9768c3c71c0b40d1f4659ec764

SHA512
45d22c3121ef2a307a4c41af64b53867c5a9398dd78834689e58ca9c9ac94ffd848360891bc9b9766a19c92c27fa6e7002ec6e66880460e53e327e47f997ca4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cba566bf220af0e25478e95e21168a4b

SHA1
c2ed0da51a64025f44d90b32e57b1f9c2a425afb

SHA256
d49f12c60813c2ee4059be64bb87bcefd3cb68b9a927107a1abb577d8432079e

SHA512
2dc7a24740ff51da20343ef5bb48ae3870bf442820b396d0f67617c3e130f7ed34a37e2d68bb420ed4893e2513029c180d840b24f19e650b8fa697b21817d9e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f375638cf76cb94151535a4bf20da35f

SHA1
da79ef3e12dc8c962f36aa22bbd5cd1f9e2d3f4f

SHA256
c35b2f1313ca51d71f7609c6c890d92c769eea2f173272d0924f9af1518e8b65

SHA512
36ec74bb15bc515c2be37adbd08679962e6312fc2ce266ec07d83e8a9c5b5906e80f15ee0698ecb7e9d0c00a6cedbab81f5ff11a818d10b64c39c7a258d64b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8559a68429b51d23b772d1f1ed281df9

SHA1
0358c29e5f7acce1be633ce1257d21f3b8b0f011

SHA256
d8cf25e2ce4e8524f5a8b8ea313fd2e36839769a0141dafe79b93f7038f2b6a8

SHA512
d237d73f8e5448824d5ab2a526c8e65b5648c95ceab92a8c9edccb502919704ed576882e8c02e618bb9100cce55f7174ab51861ebdade5e59af267f85e764f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
0ef17e8659988c46befb23e5d24331de

SHA1
5502b04535c0f674151cefde295bcebac44a56f7

SHA256
07626bd772b7591ec74bb6ddddde33bbd7653c0d797fadc8d8a4ad1b5401673c

SHA512
baa349c4e291abdfb2409f363f4bfb00aa320082e285df62b63cf5ab91682bb3b55f2dd1db1428d5e0cfabc133563ec8f6a12e000fef51baeb83ce2b79d60ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_47A43067FD26B14BE12C55F112579786

Filesize
402B

MD5
c7da83b1b4faa453d63b8e8c37901968

SHA1
0dace90eb78ec45e2301465f9b8efafd64754216

SHA256
ba1f0c423ae140ba12dbcfbd7e61ea7645e69ae6a566231fc2dc9ed875f5cc27

SHA512
45d7625d863373da69af9df9be242842e275df235615651dd1bf08209f0341a14382c2b872437a04c36eb91dd2e3fe4120c70eb26aabebc7493a64820aee3af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cf56e2bce5d6b467ad1b5d0c8f5b0661

SHA1
5866f8c8b9f854a1f83b0526524c850837cd5060

SHA256
c69272476020969b41d3d3220278bcc346c60d81434666a90acea7fa3fae5d8f

SHA512
5d310879a54a329d133abe18b334550b7ddd3e4ed81ae88a12dbe65c072d8dab08d5b51cc1d530673c15b4085bbfc7d1ffd9556d80e7ec42d2a4e05125636a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
0429636b2845063cd802113beaa51cd4

SHA1
0f1cfac7dc3475d19ab0d0f0a00123d43f1eec42

SHA256
ba8dba19ee3eb8cf64d7a39544cb86c745b58a861ccfe165ca06466dafe98710

SHA512
4a893a194192aa5c382d18b68085c822be655c31f1d951a2e945cd7dd2cb801cbbe62e0df3cda8096a5c5ce4a7ce7779e9abc54b132c45cfe692a0352d538ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
de936f31dd21360cc4d845e3d18f9181

SHA1
820dde021260f0b3cfe5112d85f7eebb55d109dd

SHA256
7c93ebe99bc1bb38cb38b94cc73717ccf2ca4d6e5817ce8542397ed68062c47b

SHA512
a6c4439d7d56b83059d6c8dc92fd93b1dfa47ba733955969011a4cb2bf31a389a6affd3cea9eeb4f4dfc0abb84db4a5fa7f333b520f37a5ebbe13ee1c7bd5a98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
e94ddfce7a14cf1424ed1d3d0169ad73

SHA1
8999e280d9a38a540c8eee999659b14c72d04e14

SHA256
b0b97fd5e2101ea6a2a12f9586c342af3a4f3f2b4a20fde8a07aef23f3fccfcc

SHA512
fcfe297b46a10f4f0a5d7c44e05d2b98f8a013105c1ba146860ac05a625a44d2cd94ab29efda1175372e58d02747d6d083380e2d056e45f519a5ff0a0fbce2d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c1803a02-821c-4a3f-9725-f63e4490d189.tmp

Filesize
277KB

MD5
25b07858edb980dcfa9ac3e214707b00

SHA1
febd3f0c07510bac74c56d2bcaa20f96af32b9ef

SHA256
59026c6636a735fd8484e4b0dc0178931c58b899f5fa8fe44bdf7631160cbc54

SHA512
e26a9f332be11655198217c791642edfa20132d00a067458a22923b609a1b8159526372aaf33de2147490d19d5d887b4aa14d3a3f8463515c22bc16c4daf82e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2IRSJ5G9\www.google[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2IRSJ5G9\www.google[1].xml

Filesize
98B

MD5
5e87936d56b6a8fb6ba7203087889eed

SHA1
b9a14fe28aba07cc56323161d4a6831a23488a29

SHA256
eb4ca041ae57b2791fb5f9addd4adabd7cd5d82f6e1c73bfb069bffe07a07d0e

SHA512
4ee4410cefebcaef0359a914974f5ca5f088eb1c418471a162a9b8a11e90ba3b6aa71af1c5b41142ffb224404799d6f9465aa0ebfa93114ad9de26a75cc6a3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{70DCA851-2B61-11EF-A3F8-62949D229D16}.dat

Filesize
5KB

MD5
91ddd43498d1ac162956a16b931915e5

SHA1
7308d8bc8db08be7747a75a184cb07da719b2f1c

SHA256
245f86d2181f605886f817298681439d7155b6446398214663a0e9e0cb698792

SHA512
e0238d2c39c23f5962c5bd96e5c450f57292495f539990ac64fa650b736f514b12e6a77f85e920ce94c45f279ee23922ab3da9e04e6078ad66ea46075759de0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F0875AD0-CFEC-11EE-9B3F-EA6B8212FFD3}.dat

Filesize
5KB

MD5
a886fdae536c1504e8403bd89b30918c

SHA1
efbd30c0a72e4599df9b5832ada7819868a416bc

SHA256
527f5f048470a52cf0c2f23bac54915cf509d3444d3173a89195a3e75c6b160a

SHA512
f7348e7975201b4ae2d1b6f23c2b8dbf9d5f20f0eaa3a8a62012e3aa9818528f041e9527169ec49a5739624e9333fbfa14c9f79b5ed0eac5b17b9c30462e4c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{70DCA855-2B61-11EF-A3F8-62949D229D16}.dat

Filesize
5KB

MD5
4ad792efd86e994dc1eae698ef220dc1

SHA1
3b0760b8ca51be0c9925cf66f3163f5ca29121cf

SHA256
eb75b39996dd95de7c94731dd4e6a9982d8ad5a30b810ccfeca923fc8a65dace

SHA512
4774fc8346d39b90aada95a7c2ecf4160c835f7dbdddbbd0fd11444e1804025d8cf842ed701a266c52f84bd771a31550f9f7412e1a9a31eebc8c571dc0ae146e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{70DCA856-2B61-11EF-A3F8-62949D229D16}.dat

Filesize
5KB

MD5
a84001b58dbae87a44b1afea6148b81a

SHA1
3d3122796b4565a92a25b133e013ac204cee22f5

SHA256
3070ddf6ec24bacd9d49878f5d3af4341bb698b221f11a9873fd34aa686b2f55

SHA512
bb6c3f533ca9501e875113658186d1d8a9232f59ef7f7e0a823fd6f30b6b1ff4ae15e10eb2031a06986b6f1b26d83f22ee919e2585fccc5f307cea5b01cf6115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
11KB

MD5
5709230c49c86dcd6248ae7b574d8bec

SHA1
2005f33a5d7449d01e0eda10f06f7f27bcbcfbe9

SHA256
126c4ced69d745dc3d8f646eff4ee543286a87315426b6ff639d1f9d85eb20de

SHA512
cea80a7376e430543def645ec2d69de49002d944f0139c5272cef525d27688d2d14b03043cf2ad2fead4779ba5abdd2c5604a89a91abe280047c38176b94c236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
64127435c637a15c0df60dcefef408e5

SHA1
5d98b6acfabc1647d5e101092265671d8d0c1b93

SHA256
6e71292755c68c5fb4a31f13b2b2d67b5d9a5250b95db9f3902745870757ae2f

SHA512
098554890f7077259ce4e68382ba39c7d41e39680f1cf14cb627067844d839f8d10a67605bd009a24112ef142ace2b9c24d1702ebb838a4acc9d48362335b12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
9233c428164a6eef9aa38a330ed7d1ef

SHA1
6f6748dd1c14856d2e42a7cd41e808a19fef2b51

SHA256
649c4fa232dafa1493979074e861acae6b0acb95261c69d1ad0bc4a6091be292

SHA512
5923ee21cd83cefc43621722c140052c35b0ec2de4c96d51f470a50fdbe351c603726add0b529c8d34fef9b6eadef66a5c19227ede81554267f183a2403a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\XVS3LyjBK-lASMPd26lduin_hcOQQT6JA1sEiPtbJyA[1].js

Filesize
24KB

MD5
3138a2d90af4d6f6c1ebef7fbb29e918

SHA1
ccddc3e08d2481ffc52485106a9f64ef5a6162ea

SHA256
5d54b72f28c12be94048c3dddba95dba29ff85c390413e89035b0488fb5b2720

SHA512
b273431e3de89ada4ac7b87e73700fffc293dc3357d3356b28ef2243ae9e55ed6051cd35db7e4f2a699f9438d5fe8bf897000e321d56d6b61adf6d7c8a3d9604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\recaptcha__en[1].js

Filesize
514KB

MD5
38e25c4634858aaf2fc6125b7a8a1205

SHA1
ee075d53e8668a2267610b05df51416d1912de63

SHA256
3be69375a428a615caa7c5307c15298a41a4f272c77ff19051a462462d1af5a3

SHA512
ec8cca0137d29dc8eaa217a6d923a8c49c89a6bf9bca01748f09a2d4cb8d7863b7393f15eaf096591933373fdc96ca6fff0f1097e7505e5a699738a61498c066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\styles__ltr[2].css

Filesize
55KB

MD5
5208f5e6c617977a89cf80522b53a899

SHA1
6869036a2ed590aaeeeeab433be01967549a44d0

SHA256
487d9c5def62bc08f6c5d65273f9aaece71f070134169a6a6bc365055be5a92d

SHA512
bdd95d8b4c260959c1010a724f8251b88ed62f4eb4f435bde7f85923c67f20fe9c038257bb59a5bb6107abdf0d053f75761211870ca537e1a28d73093f07198b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\api[1].js

Filesize
850B

MD5
43777d56ff985ce00b69a9f8ecf4550c

SHA1
563a28ec5261287060ad78334860463a410306d9

SHA256
d2f33b09cd1f4a2a14c0498a973167281909656c84a24093775f9957413c7ba7

SHA512
5bb6f9c7364601bc0218af632e85e3158c87f0f91dc5f53b54643cc215bd0c32c94871eb456825de5de4d47881d653bf4a812071ec845c2a9577a404a0a1c553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\logo_48[2].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\webworker[1].js

Filesize
102B

MD5
94f719ac8a712acf01ae4c4b97ec3ce8

SHA1
4f01cc4913362743c1d0bf57b95f18f9d59b51e4

SHA256
aaacb25a6d0228ec65f79f3428ec76ef7d383e0e81e16f0a0c35a629da5e8378

SHA512
1f44d70be4f4e5f77a6fdee2df42031625dcf25e174f392934b7175a5e40957bc8877eae9d57f1fa03204e56a1e8f384bd156eeccc3a461a8af863992e87712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2DB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF5D72DCB559DD15D5.TMP

Filesize
16KB

MD5
df94fbb16f672736d73faf6caa748d5c

SHA1
e919ce59d84d47388a27abca7d159e74ba4dc2c4

SHA256
56eae566071097eebd28ed7726f64fe89f7f7cddc5f8e2eda5cf004d45385b88

SHA512
10a17c3ad931b4771a321ba519bf9713dae4648711b3335c3ace01785c8ef51a69a92a04c15d5cf103b83bd7f8449ba60f9dc00f63187d21cfd0999a3f121659

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
9c642c5b111ee85a6bccffc7af896a51

SHA1
eca8571b994fd40e2018f48c214fab6472a98bab

SHA256
4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5

SHA512
23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9af015ce4d4d12eeda77bc213035acee

SHA1
e94cf4e400fddc7820379e0076910a75f71401db

SHA256
b7aa5ac01e6510b33af4cd5171924dcb424be55bbbc54399eecb95c7ffd55000

SHA512
592f961053f647a69a6dce4dda3d70dfaafd6a5d844111eeba1b7288d9553c46f6b8fcada0df8779b6a832f8bc09e585d7489388f3fe8e765bcb8a4784d4ad42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7CIKS7XA.txt

Filesize
123B

MD5
4300618d09e612c0fe256ed826fa88be

SHA1
fb961991007be892c16a9bdeec6113d0c0c3983c

SHA256
d2cc0c697a236960b48c826a8a2d8a1693f1cd05d60d376e75c1d524e4aa0953

SHA512
29f8599f0d264f2e868b921c42cc76e98151c266fd45714fc667c3569e1223a16f5a5b526afeb14b2d671cd8b479b201d1590e4ac318b805dc45eba930a627fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CA2YK649.txt

Filesize
124B

MD5
bde77c06f842efa43e31fd4ee33adc8d

SHA1
0d4730c1d5fa4df6d04d74a4dc56ef3868f0f14c

SHA256
488d62b292df3bb0eb96494447eb07e14d4cdea56cdc2675d4ff14575ec11219

SHA512
7327c2a062617e1bb51293d5787b6f0b18740286217e159cd65a2df5ace0b8d35c62ca26f81343acb5722b4ebd1cd901343d55f4e7c949a6657982606c435a02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LWSW8NZM.txt

Filesize
122B

MD5
8cb0d405a06a607c1868f62d7bda2bac

SHA1
196a0ebed8f8ea700295942e7793fe219feec985

SHA256
232df2b7403f308f06beef2b94d045e50a5e6ab494f2ee6ff6c162b7c82a7737

SHA512
b33200b5ca50078e0661fc90d02ded166bdc6f33d4d59dfac95cfe9db546271ebbb24db43eda3025cb7c9d1a99b5eab41b0b13149942518e4d5d5d5dac603895

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O430IA0A.txt

Filesize
123B

MD5
00e254d69d2879f4775e11771956b232

SHA1
94c9bb6f9207190ddb22323a1411d37dced81397

SHA256
859b5b5bda540dfcf1ae765640fd4dbab11d7f47aa8a84b5b13c407322cf4230

SHA512
e0fd9dc5a3dbc0377f05d1d856e7b74520ef1330fa500504df4a8f80197126e0dcd192dbe6ed1c44db769e1b79547d908a38d1ef24bdc13069ad7362993151b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OOY8W0SZ.txt

Filesize
124B

MD5
17a71e89f4cfac930037e45bc7b19338

SHA1
df445086bc7bd63fc503b5ae1cb754a3ea6456f7

SHA256
8ca627968654b53e5e73121575a45ce3150815e95759477ae65dbe47183d1937

SHA512
b1c5b5e21d741ecf3b76adfa89c9dc256d4e8ba420b4c76476ddb021cb0038f98081b2b19f665569e1b652e417665e7f32523bb3e5bec80f32ece3346092acbf

Download Submit
C:\Users\Admin\DOWNLO~1\MEMZ4~1.0CL\MEMZ4~1.0CL\z.zip

Filesize
5KB

MD5
d2ea024b943caa1361833885b832d20b

SHA1
1e17c27a3260862645bdaff5cf82c44172d4df9a

SHA256
39df3364a3af6f7d360aa7e1345e27befc4be960e0e7e7e060b20f3389b80e76

SHA512
7b7cfb5e689feed6a52eedf36b89a7b5cc411191571c0af5e5d704b5f24bfa04afa62d1daab159a7e5702d80e56f3946bf32db0551d256419ca12cd3c57dcecb

Download Submit
C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\x

Filesize
4KB

MD5
20e335859ff991575cf1ddf538e5817c

SHA1
1e81b804d67d6c0e22c0cef7e1cb9f86ce0ef5ee

SHA256
88339750431112ed60cdf9bdb7697434ba9b38e2d15ad604c4462705bc1bdfcf

SHA512
012251b342722cf35ebec2c7d071db505a992d81fc4b3492cd87640b5c955dc084825fc5e72edc821f4c481867183f21d26cd904fe7f0373d1156332f87b031d

Download Submit
C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\x

Filesize
8KB

MD5
5ce1a2162bf5e16485f5e263b3cc5cf5

SHA1
e9ec3e06bef08fcf29be35c6a4b2217a8328133c

SHA256
0557ea4c5e309b16458ca32ac617b76d1a55f5f0103e368d05c0f0386b7a0a43

SHA512
ceb5e270bdbcab5be645e50705e3111a5c4751a7a865580d53fa86580025201264a49dd0ea9135b10cff28d7bb21b767ac5d4aff40e880a866ab35df273b5de1

Download Submit
C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
memory/1992-29-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/1992-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1992-2-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/1992-0-0x000000002F981000-0x000000002F982000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download