hxxp://bCUyMnh0JTdDJTdDdEswMSUzRnElN0R2JTdGZ34lN0YlN0Z3cHElN0RnJTdEJTdCJUMyJThBenJjMHVsand3eHh1JUMyJTg1JUMyJTg5JTdCYyU3RjAlN0Z4b3QlQzIlODh1JUMyJThCcyU3QyVDMiU4OCUzQSUzRmdldHB1dCU3QyVDMiU4OXElN0J4ZnVlYnAlN0Q2JTdEJTdGJTdEen5oJTNFJTQwcFElN0YlN0JXR3NUX2lXLTMlMjEvemZyY3drJTIzJTNEJTIxbS1sJTdEcXAlQzIlODklM0Z1a3NmJTNFcHJ0dnpzJTIzJTNDJTIwJTIya3AlN0RwJUMyJTg4JTNGJTdCfnEyJTdGY3YlN0Jxb3V6cH4tMyUyMS9iJTdDJTdDcSVDMiU4MTN+cGVjc3olMjMxJTIxJTIyYyU3Q3QlN0QlQzIlODglM0V0ZSU3RHRxeXQlMjIlM0MlMjAlMkFvJTdEJTdEcCVDMiU4OTAlN0ZwJTdEdnB1JTNGJTdDJTdEJTNFZnRlbCU3RmYydGN+ZGolN0QlQzIlODklMjMlM0QlMjAtbCU3RHFwJUMyJTg5JTNGZnl+fnQlMjNvMy8lQzIlOEMvcXF1JTdCJTdDd3AlN0YlMjNKLy1ndiVDMiU4OWdkJTIyNCUyQyUyM3VwcC1FJTIxLzElMjIlM0MlMjAlMkFwZmd1JTIyRS8lMjMlM0QlMjMlM0MlMjAlMjJqJTdEdXVwJTdGLUUlMjEvMSUyMiUzQyUyMCUyQX56eHl0LUUlMjEvMSUyMiUzQyUyMCUyQSVDMiU4NXpldXgtRSUyMS8yMDAlMjclMkEwJTIxJTIzeWd0dnl5JTIzSiUyMCUyMiUzQiUzQzElMjYlMjMlM0MvLWMlN0NzZGdyJTJBRiUyMSUyMzElMjIzLyUyM3JicnklN0J2LkslMjElMjMwLTMlMjEvcWNkZHNyeCUyM0slMjAtJTNGJTIzMSUyMSUyMnF2b35nJTdEcCVDMiU4OS1FJTIxL3klN0JkZG9yJTIzJTNEJTIxJTIyJUMyJTg1VCU3RmlmJUMyJTg4JTIySiUyOC5KSkpLREQlMjMlQzIlODIlM0QlMjAlMjJ3JTdEa3MlN0ZiJTdGaC1uODMwMzIxMjAxOTg5OTkxNTg=

Analysis

max time kernel
135s
max time network
293s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://bCUyMnh0JTdDJTdDdEswMSUzRnElN0R2JTdGZ34lN0YlN0Z3cHElN0RnJTdEJTdCJUMyJThBenJjMHVsand3eHh1JUMyJTg1JUMyJTg5JTdCYyU3RjAlN0Z4b3QlQzIlODh1JUMyJThCcyU3QyVDMiU4OCUzQSUzRmdldHB1dCU3QyVDMiU4OXElN0J4ZnVlYnAlN0Q2JTdEJTdGJTdEen5oJTNFJTQwcFElN0YlN0JXR3NUX2lXLTMlMjEvemZyY3drJTIzJTNEJTIxbS1sJTdEcXAlQzIlODklM0Z1a3NmJTNFcHJ0dnpzJTIzJTNDJTIwJTIya3AlN0RwJUMyJTg4JTNGJTdCfnEyJTdGY3YlN0Jxb3V6cH4tMyUyMS9iJTdDJTdDcSVDMiU4MTN+cGVjc3olMjMxJTIxJTIyYyU3Q3QlN0QlQzIlODglM0V0ZSU3RHRxeXQlMjIlM0MlMjAlMkFvJTdEJTdEcCVDMiU4OTAlN0ZwJTdEdnB1JTNGJTdDJTdEJTNFZnRlbCU3RmYydGN+ZGolN0QlQzIlODklMjMlM0QlMjAtbCU3RHFwJUMyJTg5JTNGZnl+fnQlMjNvMy8lQzIlOEMvcXF1JTdCJTdDd3AlN0YlMjNKLy1ndiVDMiU4OWdkJTIyNCUyQyUyM3VwcC1FJTIxLzElMjIlM0MlMjAlMkFwZmd1JTIyRS8lMjMlM0QlMjMlM0MlMjAlMjJqJTdEdXVwJTdGLUUlMjEvMSUyMiUzQyUyMCUyQX56eHl0LUUlMjEvMSUyMiUzQyUyMCUyQSVDMiU4NXpldXgtRSUyMS8yMDAlMjclMkEwJTIxJTIzeWd0dnl5JTIzSiUyMCUyMiUzQiUzQzElMjYlMjMlM0MvLWMlN0NzZGdyJTJBRiUyMSUyMzElMjIzLyUyM3JicnklN0J2LkslMjElMjMwLTMlMjEvcWNkZHNyeCUyM0slMjAtJTNGJTIzMSUyMSUyMnF2b35nJTdEcCVDMiU4OS1FJTIxL3klN0JkZG9yJTIzJTNEJTIxJTIyJUMyJTg1VCU3RmlmJUMyJTg4JTIySiUyOC5KSkpLREQlMjMlQzIlODIlM0QlMjAlMjJ3JTdEa3MlN0ZiJTdGaC1uODMwMzIxMjAxOTg5OTkxNTg=

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2716	1548	CLVIEW.EXE	60

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	CLVIEW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2820	NOTEPAD.EXE
1400	NOTEPAD.EXE
936	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2460	WINWORD.EXE
1548	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2292	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe
Token: SeShutdownPrivilege	2136	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe
2136	chrome.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
2460	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
2716	CLVIEW.EXE
2716	CLVIEW.EXE
2716	CLVIEW.EXE
2716	CLVIEW.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2124	2136	chrome.exe	28
PID 2136 wrote to memory of 2124	2136	chrome.exe	28
PID 2136 wrote to memory of 2124	2136	chrome.exe	28
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2704	2136	chrome.exe	30
PID 2136 wrote to memory of 2428	2136	chrome.exe	31
PID 2136 wrote to memory of 2428	2136	chrome.exe	31
PID 2136 wrote to memory of 2428	2136	chrome.exe	31
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32
PID 2136 wrote to memory of 2480	2136	chrome.exe	32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://bCUyMnh0JTdDJTdDdEswMSUzRnElN0R2JTdGZ34lN0YlN0Z3cHElN0RnJTdEJTdCJUMyJThBenJjMHVsand3eHh1JUMyJTg1JUMyJTg5JTdCYyU3RjAlN0Z4b3QlQzIlODh1JUMyJThCcyU3QyVDMiU4OCUzQSUzRmdldHB1dCU3QyVDMiU4OXElN0J4ZnVlYnAlN0Q2JTdEJTdGJTdEen5oJTNFJTQwcFElN0YlN0JXR3NUX2lXLTMlMjEvemZyY3drJTIzJTNEJTIxbS1sJTdEcXAlQzIlODklM0Z1a3NmJTNFcHJ0dnpzJTIzJTNDJTIwJTIya3AlN0RwJUMyJTg4JTNGJTdCfnEyJTdGY3YlN0Jxb3V6cH4tMyUyMS9iJTdDJTdDcSVDMiU4MTN+cGVjc3olMjMxJTIxJTIyYyU3Q3QlN0QlQzIlODglM0V0ZSU3RHRxeXQlMjIlM0MlMjAlMkFvJTdEJTdEcCVDMiU4OTAlN0ZwJTdEdnB1JTNGJTdDJTdEJTNFZnRlbCU3RmYydGN+ZGolN0QlQzIlODklMjMlM0QlMjAtbCU3RHFwJUMyJTg5JTNGZnl+fnQlMjNvMy8lQzIlOEMvcXF1JTdCJTdDd3AlN0YlMjNKLy1ndiVDMiU4OWdkJTIyNCUyQyUyM3VwcC1FJTIxLzElMjIlM0MlMjAlMkFwZmd1JTIyRS8lMjMlM0QlMjMlM0MlMjAlMjJqJTdEdXVwJTdGLUUlMjEvMSUyMiUzQyUyMCUyQX56eHl0LUUlMjEvMSUyMiUzQyUyMCUyQSVDMiU4NXpldXgtRSUyMS8yMDAlMjclMkEwJTIxJTIzeWd0dnl5JTIzSiUyMCUyMiUzQiUzQzElMjYlMjMlM0MvLWMlN0NzZGdyJTJBRiUyMSUyMzElMjIzLyUyM3JicnklN0J2LkslMjElMjMwLTMlMjEvcWNkZHNyeCUyM0slMjAtJTNGJTIzMSUyMSUyMnF2b35nJTdEcCVDMiU4OS1FJTIxL3klN0JkZG9yJTIzJTNEJTIxJTIyJUMyJTg1VCU3RmlmJUMyJTg4JTIySiUyOC5KSkpLREQlMjMlQzIlODIlM0QlMjAlMjJ3JTdEa3MlN0ZiJTdGaC1uODMwMzIxMjAxOTg5OTkxNTg=
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7969758,0x7fef7969768,0x7fef7969778
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2804 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:2
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2188 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2552 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1440 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1900 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1572 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2744 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3008 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3840 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3760 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3792 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3312 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2808 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1380,i,6959590767283129963,17363807761638449190,131072 /prefetch:8
  2⤵
  PID:2836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1548

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:968

C:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe
"C:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" C:\Users\Admin\Documents\GroupReceive.htm
1⤵
PID:2388
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\GroupReceive.htm"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2460

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\a.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Documents\a.html
1⤵
PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7969758,0x7fef7969768,0x7fef7969778
  2⤵
  PID:768

C:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe
"C:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" C:\Users\Admin\Documents\a.html
1⤵
PID:996
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\a.html"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1548
- - C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE" "WINWORD" "Microsoft Word"
    3⤵
    - Process spawned unexpected child process
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\a.html
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2292
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\a.html
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\a.html
1⤵
- Opens file in notepad (likely ransom note)
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d314d1ba1c8073d0f1eaf4f4e50360ef

SHA1
566b0adf8dd46b6c468a7ea6a1c0d9e17e87bc3e

SHA256
cd07405b455da9ecda6979550df30f64f2c8b5ae8863d68775d63240d46f4e10

SHA512
4ed119ede00330dd8c43b79e04c105221cbcd3c16746efb0fa67b2e3a0b52bc0d9cedb93e151234090689c888fd6089bc3450c4e9408ff323f0f2520dbf67e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\19c80c05-6237-4b9c-93a5-a8e562e035a2.tmp

Filesize
5KB

MD5
c9210e995614f37e7aa9fd26447023b5

SHA1
9294d55105eafb5d8207a5cbff7732a8c7fe7abd

SHA256
cf948fa18c2d9cb62a044da44dcc6e188eeb2198006e0576b5af9237a0b9bf3a

SHA512
c3ea2723fe49d4e69b01c2fe784acf52baa3ce9a61811c3aff945c510ebb390e9291f7e6c9df4697a410303f1b79d755054b00fe89a362889716d9aff1a353f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
203KB

MD5
99916ce0720ed460e59d3fbd24d55be2

SHA1
d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

SHA256
07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

SHA512
8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
be35623711219222a8f6acc4713d7d1a

SHA1
8d08130b290eeaa0c725a0fdf805893912fb4ca1

SHA256
17aa76077e946d19539e0b73fd5866fde19651514c3408ad44fa4fbdbed0b2ac

SHA512
4b6516683cd5bd7946c4dca2f06d552e657964478afeb3eb519f36d4a3d45e899bcb79fdfa520b1e07726d6f45bd9b00a3c1144b4d2895ad5f03cf600ec8cdfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
3164d289792fe137637600f233609a4d

SHA1
077aad8a35d26094aff0a8e567701b31ae9d62d9

SHA256
fd41786f3b0ca6212015bde6dc4bd860fc602acae11f1d9273a2ebf562abedc4

SHA512
89c6bd4ffd55e793c01a99cf9dcc38780e2464f8f7874d721c15e9dfa6a39292a369445528a0a8f0753739f8977540f69acd4ff821cfa72c35f42d00d3d419c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
08537bacf9c7eb423fc3f14bc65888d5

SHA1
0dafc994776771117159512829ba375ffe3826bb

SHA256
c0aae9a5859c0a86716fda7282abc3695700a780b9985c01ac212c2d1276df00

SHA512
8f4aff22b0cc0abbbf4ebb0f7d0a2c1920170e4166948d96bea54530a499f7604d8aa4fb19e2a51e7968a363c8787895ec91c638898c4855b8e8360c35d2d662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0b66d4730307c540f77cbed13c993375

SHA1
19052c4c602fad5316a91176e08e4bf92c3b0aae

SHA256
78eaa8d2d82b54269d088a923d539709fe8bf309d1311497244306dfba584b51

SHA512
6f851f563a36c1105a0157db96e41e6c674b8e0787df647892bc12083aafee8ba947cc4b44a03c4a0f501b41b5f47f47b29501eecde1ba5d6c1724660069a1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6a3c21141347b58460c9bb886112abe0

SHA1
7aac2afc1736b4945a7472b0647592e472501784

SHA256
95ec5c1a62e23c680d3e169bc8bb24d1999ddcf8679007cd23d20f4dafbb211a

SHA512
35068080c056e24039db709d76d3a838c2ee3cb3cf761048994ef06c28c0b0ad847381f263d52f6618c72cc036eb6467ddb762b8c6e9276c97fc0c095b2de429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d8ceabf40014e088d066bcac7e7957f9

SHA1
51c3ca131ffa29de32a8393004a491e2caa49f54

SHA256
7525c7b8c4681324eff10ce5be087852ca191c4c3ce2a5775147bd492a3a2a5e

SHA512
17beb5d7d15586c426e1d7d727a628a4b9ba680755301d114ed49471567dad6ee9092cf1cf0a97824d808138d9ece90ca6d4bbaf6bf2a6a5a03bb0087101b01b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7b8b2b0c4ff9191bbe1755263434efb0

SHA1
27803a07878143bce63d0f464b835a5b44b2b2ad

SHA256
38a4939c7e287139a8a3d595f9d88f41ff6ad3c020b35369905385054ed6993f

SHA512
299bd3ffaf498174ed7c72e2467cb274e008fd7c0a085abbd64bf7f99e6114fbbdbc3af6efd08f9e0cf878567ca6bc519af13d77ea664394775cfd437b2e450f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf791008.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f951c4cd4edae36051bdc4ab1f943440

SHA1
862f6413d558536016699c8ab58619b16277d90f

SHA256
0eb3045d0859a39fce0730aadc304ba03739a1969f58bf13812bd619381c247e

SHA512
c55ac3cb8765bef92bad7991e9b0fc01fe49ec1bad710998eb61a598e61c06ec867ef856607d50ff98e611ac119c49b4d8def3a17811421e4f0420fd55dc7bd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
ffa24d8fc41ab035dac3f6ee9225de1d

SHA1
b26fc4b6415cf0470dd039822ab4f8ccf7410dfa

SHA256
cf90ca06dd8fe01fcdf8121ae7142ac8b4e340fe17f929af405f980645fba24a

SHA512
c96b0f3357d1764cad332ad988adaa6250e137ec2856a72433f713586771195756aa54ed32b1756d2085b2e3b0442487fc1a66b884ca12c623f4117790509db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
72KB

MD5
bca0d71a0397cb28c415d35683f75d24

SHA1
242438950c4ace120669d02d5bef80c79a258424

SHA256
33776df2a02934f88a7d3063f02b1c58c76989b0f59884f1528cce74e7926fac

SHA512
23ebaa63f20daf026e8602d54cca2d08d42b8e8a21318326e17eb705cf7da1e47abd2a10ccd9ecad3c92175bf4abe84b4494247a51f3d8d3bd8bb5e98a265aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH8133.tmp\BROWSE0.WINWORD.xml

Filesize
11KB

MD5
dbd8ac194675c096e7c4fbb1c6af3f74

SHA1
59d480d036ca1315a1fb096889c56cca211f9d85

SHA256
ca752457d8a4ccd847bdc11eb1697e5fa5b2da08f3252569b92ccf0e93df62e7

SHA512
e9a00738800d0c843f3a3f05fb702fe1c83bcac36fd088eee5c170465eb3c02f429eb4428a624c9ef2adafd858610a3542def9ecbe07c235f8b7a4c2d872bcd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH8133.tmp\ClientViewerSettings.xml

Filesize
7KB

MD5
88fbdbf0b8ed30038abb141e26ad42b6

SHA1
e867446eeef83f11ec0b9c3fee7499442923d9a3

SHA256
63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68

SHA512
e3924be97958268b1ed49e396965b901121ac4c1c04e8fbc209517b00c9f2de386c821703e31a7d85383055f381a0191a59f0aad159b94e5071a81325eb4d25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF474.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
50B

MD5
9d2373534679940f2b2ee3a40a7607e1

SHA1
1ffeda00d4f5fd4e31986aa0d828d9febd74196f

SHA256
18829ef82f5a708eb54c2401db6a4c17117df3a108df53fef1e524d531df5439

SHA512
4a6e6232bf4f2b1004c06afd752fc4e64d071f638572f47c9e9d5af03c36aff37883ec9ac4b79427589a5ccc9219a291def6cd970297ee593bcf9275dcec8340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
efd6955c2029fbff1c88891a00cda21c

SHA1
37f1f07c8cfd55cb0948138a970dc372d2a369a4

SHA256
89c1aa94637d1c1508f3713f389462492d550cd72b6bce6265d98d85661592d7

SHA512
88bdd428c0268ddce99bb48dd6052945f46129d8457377bdf61e3ca45630604bd8334e80e41745338ea98ca5fa40e6a88add42eb1ef997acf8e0713630390e57

Download Submit
C:\Users\Admin\Documents\a.html

Filesize
1KB

MD5
6b5b82f45d00aa06a44a648c07a902e0

SHA1
3fccfbd1ba6c5e0179b44e795c13b82edcd9f940

SHA256
50c95806026be6b9330d99c66d01163453bc21ba9af33acf18e5666b5ca6cdf2

SHA512
7bf3a2ee3ebc6f2d8bf8e40bbc7f144af57bf5a5e7a938485436a85d3d55058e4da32f61362d5f2d4f0a77b82fc5f0e77890b8b191d77fb946fbfcefe2d89476

Download Submit
C:\Users\Admin\Documents\a.html

Filesize
1KB

MD5
671430b577b8176bd9fe8f0dae12c9b2

SHA1
de0d60885bb03d682ad7e90dd9b19f32b72d2226

SHA256
30e0cdc89e31c86dbe1851b9705df5df18d2c1b1ec14db54827eccc177e35832

SHA512
b627d90290bf790feec432291330cbdb6bc2003d748abb96ddb6b3ee3ce141c1bb497a50bc68532f6f0ed048125f982ad2d3edbf4ae00790b9c0de24b63bca4b

Download Submit
memory/1548-141-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-81-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/2460-115-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/2460-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-83-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download