2795153f640f44d5fd12c73aa5291f29f3448bade08565e5e326c07184c594c3

Analysis

max time kernel
146s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S3LF BOT.zip
Size

11KB
MD5

0a8cde3c0dbccd5e4292315e9fbe384a
SHA1

70af443250f498f9087b45527330ff85af1c116b
SHA256

2795153f640f44d5fd12c73aa5291f29f3448bade08565e5e326c07184c594c3
SHA512

030a8a01d958cd37ffc28d7c2c27d3c42d90074b35d9ad7260a04fd64ebd47454249d3829ff229a8f24eaaf6829bb533494f572e9de01074ebd1ff2b9368abf8
SSDEEP

192:4HxfJ4mCW/GVdPT9hIXjBKExJZRIgoh5oZU3ZbekgVPDGcPgBwAH7V:4HTctLWNKO3Cj/o8ZbeXtPgp7V

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Groove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 908691b856eeda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "about:blankhello"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E2C11923-3E20-11EF-AD9E-EE33E2B06AA8}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE94A471-5A49-11EF-AD9E-EE33E2B06AA8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
540	Groove.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe
Token: SeShutdownPrivilege	3004	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
112	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
112	iexplore.exe
112	iexplore.exe
668	IEXPLORE.EXE
668	IEXPLORE.EXE
688	IEXPLORE.EXE
688	IEXPLORE.EXE
688	IEXPLORE.EXE
688	IEXPLORE.EXE
112	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2012	3004	chrome.exe	33
PID 3004 wrote to memory of 2012	3004	chrome.exe	33
PID 3004 wrote to memory of 2012	3004	chrome.exe	33
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1672	3004	chrome.exe	35
PID 3004 wrote to memory of 1824	3004	chrome.exe	36
PID 3004 wrote to memory of 1824	3004	chrome.exe	36
PID 3004 wrote to memory of 1824	3004	chrome.exe	36
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37
PID 3004 wrote to memory of 572	3004	chrome.exe	37

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S3LF BOT.zip"
1⤵
PID:1152

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6679758,0x7fef6679768,0x7fef6679778
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:8
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1632 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:2
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:1
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2476
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f657688,0x13f657698,0x13f6576a8
    3⤵
    PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3660 --field-trial-handle=1304,i,8547802975131883465,15627525143556742588,131072 /prefetch:1
  2⤵
  PID:1564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:112
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:209934 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:688

C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:540
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1332
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1332
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
007867bf4422c98a1ba1ea7c622a444d

SHA1
45ec07e46f7314718eb095a727e945eef8c32fcc

SHA256
682d1afc2588f69117b5547b68c3455560607780c8e3f8ea606b93ec84f30048

SHA512
4b0179a414042eb7a3727cea1eedfe4ce0a71bb3fbade5d3fb059a73c7bac7808c56654c0e059f5ecec43567016f4f348bf6f035738a4ea87d09c4a17bedba4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67119229d0352464965b06dcdd5883cb

SHA1
860ea41dfb19bee1e6c12dd8bb863da608907576

SHA256
e832464a640ee5b659864dd8dffd558f3b90d7c01c53b78f069bf4c8354d2eed

SHA512
2e0b92ab48cead7277d29a5af8c05c61c1cfd93686baac9f0a771225754b67b6262de59a372f767ab0e21adda8deca2812fc33afb4bce14c3945643aeff7d435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2afbc49a3a911f10073cd0f5f5bb08e

SHA1
be66211aeefd78d48b283b344963045261b5efc4

SHA256
3c771a8ac18c6072909321bb678a3632a07dc9fb88ae03d5ecdbc22ce73e3725

SHA512
8f000892d62e53345d8caf91b68715635d80c940ee78a5940a178dd70cb3762773e6857fd9aaa1a1d393438b2d56c8dd1afc78fedaa9fa8fb65c4c1a9457cbc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d9cc1574de5c989bd35eb4594a4501

SHA1
f591db92b613c5611b66fa5c59a22dd7cae14786

SHA256
83fba3c8b985980fb7886e3bea734f7b6fbd00c2d2d758a16a98559ebe9f2a3e

SHA512
224f7208ebca420377d8fd2b334c8f9c9175be7b6448f5a6dad81c27c4e843f1356aed51c3ff21c464fcb7f7b9994f21e293beec9104dc67c2f5bddc597ad04d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db872fd868977b1f9c729a9735446239

SHA1
7e099f836a19d309496cf0c9f025bf1ce1465f80

SHA256
84a859346e533c4a54b01ec62ecb8ec64a99b8ec4e6b8dbd2ac905d5e6b433c8

SHA512
b9d26371b9af741fb7dc1cc38262a31fc0bc940837518b177adfb7cd92de95f5a4bf8bbc466f2ca7af61796e6b5e0a7d11c2875315ce87411936c18666ae50b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d24d107200e8c7020e0e5c11a5aea028

SHA1
3867ba5f34950068daf22c2d26d75c9de4464b18

SHA256
dd2122618a2e4ec3f0735fe6ba61d6454ca8e89cb042280db1a10df7ab179c92

SHA512
9f21623e8d514b1e9441823647cdc7ae451a28d014dd254f85c88cc52c81bae0197b6e4260db59f07d68cc2772b92370382ecd67eec58c113a58cfc2af7b264a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
483ba4199a82bf7216fa088c20f6d5c6

SHA1
37cfede4258c9b3f1e1a5e5555ff63b0c78c11be

SHA256
82d20f16294a647e74e5856865f974367fa1154d5dd08c99ede080e8a5f0669b

SHA512
0f6a076eb7c3335d8e6986dd28c594537874d380b311efaf91effee41b87677658b1f926e05f0a30337e2be8fc41d7550b7e356830e9846c364421b15c71d4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b821e167f22c111aad39c3ffcad93694

SHA1
d13bd70e00b9e74ad101edc0ef2b9aaf7d24a1cc

SHA256
3dc5d6d17e01d5495a6e6f1770d9e59f8b125ce7424fca3c2c5457e7251d6bb0

SHA512
0866b9e9a939fb1eb6030e6c57fe228937bc51d68aa716ed423f545483a73aa71369f5889686ed9d1590c94ff58c8c917143871fefcce90de1877638dc67094f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
5e0b838c007eccf3dcf66c6be5af8484

SHA1
6fbdfffeafac5a40f589fabd455b4d30738a6b35

SHA256
9aee2fd5f03f0d85afd1f9275a566ffcb685898767a65b0d9a38c6fd81d754e8

SHA512
16ad20cea726180d9b46f6f2a615e49129cb7345594abb6d9fc6bfde32ffa12ea2a517cef2ac7c442d3150a5fa68dca949a8fff0483b0100eaf5c4e914c08edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
09584289648ea7c6da06a4ec20d6b56b

SHA1
bbb37db6f252f69e12b95f372cee0610f462f754

SHA256
7607e36e942c515962a5ea31623d8a4a5c52594fef163d14f339641f435a2e5b

SHA512
299d74d4b64a17ed0f61bb4d4006ad285e954dee5a62a25611b2faf39ad3d80154b7becb3ae7a03cc5e6b27992c037cd609e3690a4c9fc319bd348a9e0655f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
016b2f5234f8464a832baa1fff9d16e8

SHA1
1be78f44f0d6c6233aed0b612a9e3239c14badf1

SHA256
a6a471bd84a21188ac50c46a1b0927e26d11a3ba6650a1524bb19e11a23c6958

SHA512
fc0626e61c7134f5c90b545cda16e4f99cf573fbf22bc759ff6a46e86aee9f672d44f3c1fc3f387624e14dc18500e7b826e4a5964bc4316d691ef2f6da23bc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
310KB

MD5
9b17d8f975a85772a47a29c9c9eb347e

SHA1
c7c4b5eea87beed30028894e850aa064614b1a91

SHA256
9d0ddb9e59b85d5629d2b03351bec68e82b0e025af5344ffb119ee7b90556f78

SHA512
044a07790b1460744413381cfb7fffb1d4ee0b28b89c81f1df10f9c4ceafc3f146422807e07abc35f2cf0dd7d3ac374ec75c50f13df5b4fbae900e92d8eb78b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ccb17f88-2137-437a-ae9b-d36e93da4b8a.tmp

Filesize
310KB

MD5
85af121175d3e74a757d69142ff7c913

SHA1
05088fc223c016896186b6894e48df1f84ac21ca

SHA256
e7f439f9d7321732c8255de38f8a91164c2fc75d677dc05c887c8f2dae959211

SHA512
ce69a4d49f1fa1302bc9cf78a62c0876aed170aa461ae04d1d584658e7f967d38ac76b268ec340e60438f2f17f1240abd5ef135a46d48e05d8e8b6c501899a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{55268EE2-7A44-4E4D-9408-AF3D58129A86}.FSD

Filesize
128KB

MD5
a1436dbcb4e46126d02d3e49f2504192

SHA1
75b60ed0ca52dcd3b16d66394748b8ccab7b2b88

SHA256
7a2ed94436fe2f4af9d96252f5fcbf5b1eab954951bfa9b729153137bc07b116

SHA512
26311de5171410f54cbc0841390758f47a2dd0d36923625a6072ba915f1c5ea1a3d97946bd3a85e5b142257331b3d4c54451e09f89c14b6744a7ef98c8ed56f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7bb371376e6d8644ae9e83c8058190a0

SHA1
68b66dfbf9715c1c91f8c1fd43506daf81346e10

SHA256
93cc3e88a37b0a87e5b2848f86e8078f7ae9690e97d48b7e4630895a09a70fbb

SHA512
d38d7ee625d90d623a20f29a2e4b04181dd82908839e94b16e75d2883cbbe493eaff7ea0c65e6614669ab848047121139708fa399af7112e30bc68f7734063d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{06B2B161-705D-4336-8C57-EE7C74B34807}.FSD

Filesize
128KB

MD5
0fd22e83429d578b94caf6b13beab82a

SHA1
c7b92b14d6f5e73b8ed3df8b1638be593d212843

SHA256
2fbc30fe375d0e722e849f53448d6486c53231a115ab6a55c31ea801927c4866

SHA512
ab47953bc676aead7ce0dace32ab113289ab0f7d7283ad6c4427319c699cb744f6fc61139999019d99e06ba0435083a1c3ba83e13c50eea33ce456c8c9e9807f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\qsml[1].xml

Filesize
256B

MD5
1ca648686e3b29e4c56333cb10a52b2a

SHA1
f3cd1a0ccb73cdadd0e4e8bf0cd9eb5689806778

SHA256
2b4da9003314efc28c4ce05728271966ab7bedbb032d2fc7a47b8ef686842757

SHA512
5812b3e8d7014235e1d7d132ac91b52b5f760cc3f2b6e24eadf301ac84de2b52fa7ab26c03ed70bfc3e882b6700bf5b425acd96e9a64032527cec7314720bb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\259605335.cvr

Filesize
560B

MD5
600195aa8e276585af41bec3046292af

SHA1
38eb8b87a1d40f6b3681f5bc35a3eb72b606b6a3

SHA256
1f660a11e91f1d2f8efe6fc30eb7ddf5017f8ec192dcb92e150338f0d317e361

SHA512
7ed50c254e5b027a9f1db6cddc977b4c670d9be844708a2d92dab38a891f4764de7dd1f59593743e743eb00a9c14d6c38820fc09235317dfe687f8ee4b2974c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE546.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C4DC2AFE-73B3-412F-8237-9980C046F02F}

Filesize
128KB

MD5
181517de766f19204613c7bac7537ac1

SHA1
0fbce63385d0a28782a4c049a39111b6140c6096

SHA256
caadb75d3dfb8f2c72a8b96ac0df1de5585529ce0b796af38b73bdf0f3fc8173

SHA512
d999660a798dd187fa64d184bd8c9c279fb260bfd0c90a0f16d68eaea5961df8f4982d6351adf3409c90fdbbc08ee1baffb826db2f1d82310eac59e0054f8a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF634F9E7486B3F37E.TMP

Filesize
16KB

MD5
127bccd816593016a2f9d5ee48e58bfb

SHA1
884d4fde6125c38e3a583773dd0b78440f1955b7

SHA256
92339260cfe9c3cbeda6eec8444d4bf932761f02681864995e69fc5875839320

SHA512
1bffec47a8b27d2815317d435e5d28805609d74dbc873a963d752090d7279699c919542521d84eef17d0f5a402e08221c45129b1a2aa84869057578e6103be11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XU2474XW.txt

Filesize
509B

MD5
1a5f10b1e278047940ba93e5f4560561

SHA1
2ed880202769b8e092cf1f7c74fe100cd82ddbfd

SHA256
bb01368805a601fec028b310f22092f7dd41a69698b2ae399f1722447d97d1f0

SHA512
c9a66bb352b251ca503f96ea7c8c0859ee317b29e42afead6a4f8c4a64ee46d10b02ed0adb0fbcdbfb31f0e893fb4233c12c167c5f26272368a05567e552cb26

Download Submit
memory/540-683-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download