2baf07c2fb727691719bbbce005f283e1503848c360b319dbb97a76498a8ea6a

Analysis

max time kernel
255s
max time network
256s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Complaint-Copy-418501764-03092021.xls
Size

82KB
MD5

a0817c869164c4c79a1851b0ecd2a7fd
SHA1

3e4e954b6dd66c108e692ed15ae41f7a013ee9bc
SHA256

2baf07c2fb727691719bbbce005f283e1503848c360b319dbb97a76498a8ea6a
SHA512

6d2755e7fef2fb93d065b9e3117516eef232f056da98de4c8c7675a44dae4c1f0548dcd71ea30c03f0017f1acced6ef6088286ea5c0ebe4fc994c1a8e27bb7b0

Score

10^/10

macro xlm

Malware Config

Signatures

Process spawned unexpected child process 20 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3396	4688	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3256	4688	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4304	4688	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4052	4688	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4088	4688	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5052	224	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5092	224	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4032	224	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2952	224	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4160	224	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2336	3384	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2244	3384	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4944	3384	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4296	3384	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4200	3384	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4052	4232	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2924	4232	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1144	4232	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3064	4232	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1436	4232	rundll32.exe	EXCEL.EXE

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Complaint-Copy-418501764-03092021.xls	office_xlm_macros

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 37 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "2"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000005c5120911100557365727300640009000400efbe724a0b5d5c5120912e000000320500000000010000000000000000003a00000000007288330055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000005c51409d11004465736b746f7000680009000400efbe5c5120915c51409d2e000000275301000000010000000000000000003e0000000000f47c24004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000005c514d9d100041646d696e003c0009000400efbe5c5120915c514d9d2e0000001d530100000001000000000000000000000000000000ab0e6400410064006d0069006e00000014000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

pid process

4688 EXCEL.EXE
224 EXCEL.EXE
3384 EXCEL.EXE
4232 EXCEL.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXE

pid process

224 EXCEL.EXE
224 EXCEL.EXE
3384 EXCEL.EXE
3384 EXCEL.EXE
4232 EXCEL.EXE
4232 EXCEL.EXE

pid	process
224	EXCEL.EXE
224	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

pid	process
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
4688	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
3384	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE
4232	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

description	pid	process	target process
PID 4688 wrote to memory of 3396	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 3396	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 3256	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 3256	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4304	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4304	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4052	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4052	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4088	4688	EXCEL.EXE	rundll32.exe
PID 4688 wrote to memory of 4088	4688	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 5052	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 5052	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 5092	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 5092	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 4032	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 4032	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 2952	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 2952	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 4160	224	EXCEL.EXE	rundll32.exe
PID 224 wrote to memory of 4160	224	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 2336	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 2336	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 2244	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 2244	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4944	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4944	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4296	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4296	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4200	3384	EXCEL.EXE	rundll32.exe
PID 3384 wrote to memory of 4200	3384	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 4052	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 4052	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 2924	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 2924	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 1144	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 1144	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 3064	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 3064	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 1436	4232	EXCEL.EXE	rundll32.exe
PID 4232 wrote to memory of 1436	4232	EXCEL.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Complaint-Copy-418501764-03092021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3396

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3256

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4304

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4052

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4088

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\Complaint-Copy-418501764-03092021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:5052

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:5092

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4032

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2952

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4160

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\Complaint-Copy-418501764-03092021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2336

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2244

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4944

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4296

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4200

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\Complaint-Copy-418501764-03092021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4052

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2924

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1144

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3064

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\svvhos.dati4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
41d01362da050fd46f40390a22c8881f

SHA1
9a6db863accd707975765738d773e95494d08818

SHA256
dfd39cdd424c7dc4604c046b7411693dcee08e8bdbb909883dc9fd9044be8127

SHA512
c1cb15a0ffeda40d87f99f89cc19e255bf23f33b96693e608ba3af03d1a3522cded4fe295df2044a3c23831bd2c23707923969e1faaa408c0df9d2dc35e1fe96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
4b78880d4d764af51ab9e4191c11fcde

SHA1
18076aa2af0f2762b004f504b5befbd1ce5b41e0

SHA256
1006b06230c68e1b03071735f2f8a8a845bef7bcb931f1fc9bd170849237fb92

SHA512
69c41a7191371328f0331fe9261435ef2c67bb797a43ce4179a31228ece44f71d9112a9e4224b95a72671a0354d06efa06b1e958bf690705b64b361325bff931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E29890E8-10C3-4A7D-9753-1E9855604CC7
MD5
1b0621b87b9343630882375e03008390

SHA1
959ed4ee6962eeb19cbd63cbef0a007136bb0917

SHA256
da3984e8c0e564e4a706ac858f7e821bfcc8b5bee15b05c17a149ea8a28ed82f

SHA512
23679de87914232b667889b34dfe2f03c3d017c2e8a59c46e20eb0ca921283ffeb1623d121f682d3f28308018da0b29d9ebf1b25c9ad713bad5d3917b79b72ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
31f2078b00daf10c98c2bf060d972c7b

SHA1
1bada25fb1a2d84cfec038033c673ceddd2e6dbc

SHA256
644312fe7550dcc821cd3ec5a663429ef16e911e230083b1118eabc25bdbb529

SHA512
ff2dad2155d943d07ba51c2536493e9aa35114b3c9888b79e0e59a472df05360871fe26adb1ef9b8e3db199107b72ca5d99e7899a4aba71dd7c183fc33d8bf0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Complaint-Copy-418501764-03092021.xls.LNK
MD5
dadbc20897120c60cd3cd39e8352a5f8

SHA1
0c31ce0824d48f21694f085c7a0b0fa0afa51e9a

SHA256
b0d8e478019676f9a9e63c580c1bbb6e209ff144d9e29a73cfe1bc0f9124527e

SHA512
960f925eeab06d240bd76b9a09cc59f870f6c418204f4a2974b4b1fd0bc37132203a05b33bfe7ab31347c664b04221011667573eb7053005c014564f4766a334

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Complaint-Copy-418501764-03092021.xls.LNK
MD5
c148ba629026a88846a5c9cc14289081

SHA1
0f5c8d08ac38b13ccfc9b94d3f258b61ee87baec

SHA256
a12b1aeb400f87e85038dac3d2e1af7f9813ad20ab8c5f86504f6909f5fc606f

SHA512
dc5b42f30e75be02cb0971c49a4a1700a957b32cc6fe6780ce0164cc871c491612c1bbf2b1f8567f4e7e8633d07dca90122de2667d0f0dc954ef45122820be4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Complaint-Copy-418501764-03092021.xls.LNK
MD5
108bdb1afce9e53fb0f67a7956f65d5b

SHA1
8e341f7e990b1431ee68ff8227c7745ca77db26f

SHA256
eabf718309c3a7bd5e26e36a8ee140caced9c35e85e08aa811fabdfeaf91503c

SHA512
66bc91b99a845b66bd3a88de074789ca31247f05cc0a3dffe8eb831e68ee32d3cc8241b4ceb319e003d713e0673ff666fce87689e1fc2ed5a3309711f17d19d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
694fbb4948b0e47ec7f6e56e44ff6bea

SHA1
aa9a72ff38d5b329d3ff2b2c87e90ff9d5693492

SHA256
4af2bfa6a849b792225ed1988fe3e870d9767c595a160bab998c4279e6c703ae

SHA512
2ce6190468b16285e963f7f873cce0a919bfced299c325004e49d76bd5c0ea8ef58ba55da97a630739369886cc3f010dd349456532b45129bfa3a0ab123a1ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
694fbb4948b0e47ec7f6e56e44ff6bea

SHA1
aa9a72ff38d5b329d3ff2b2c87e90ff9d5693492

SHA256
4af2bfa6a849b792225ed1988fe3e870d9767c595a160bab998c4279e6c703ae

SHA512
2ce6190468b16285e963f7f873cce0a919bfced299c325004e49d76bd5c0ea8ef58ba55da97a630739369886cc3f010dd349456532b45129bfa3a0ab123a1ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5
b1f4de90f413dba62a613b981657ecbb

SHA1
433241a4ebe361b628bf1814bc325b622c3bcbfd

SHA256
adb2d32f41772849a0116d2d5cfb627a6d462286194246c4c190b1b37eb7d8f9

SHA512
4479ec5835677c2b4d53f8e695cc648b38d619957bd8b524d525fb3f3cea24d02e143497df7c9b51c3e1f0b1cc298f8b3efe97b227512030257fd752d0ec2f0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5
8359788b0623070576d1d44f753bb557

SHA1
0ff56c90c53f395cb0d678bb0a5d371548ae76cf

SHA256
c8a735c76853b518f5e4aedec7b859679399a4d3df4026a9ffd82d6899280cb4

SHA512
6582d69c41a80b6f270a037efc09f45345843a1cdbcb5fcc0fb6668e28bf5ad2dcd222a8ccf90ad86eef677abc3ddb0f49e77a28d208a8de0f5425dfce9e4ba6

Download Submit
C:\Users\Admin\Desktop\Complaint-Copy-418501764-03092021.xls
MD5
db18485fa9bd1cdcbf6355200ebb3d76

SHA1
90bd6360159a40023638487a90922fa6a6c636ed

SHA256
acb0cdbf3bd6a69426f2db3de2166466a0e53149c5889eb1e72495df33517a19

SHA512
685f9985577c939cd27d75b71d660e326fead62a9a14c32cc3d739c8a1d74ae50d63af45e52e8b1cb3e5630f921123e817ed243ce84009ab7f7e1830f3f1017b

Download Submit
memory/224-39-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-36-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-37-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-38-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-20-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-16-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-17-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-18-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/224-19-0x00007FFEE8460000-0x00007FFEE8A97000-memory.dmp

Filesize
6.2MB

Download
memory/1144-78-0x0000000000000000-mapping.dmp

Download
memory/1436-80-0x0000000000000000-mapping.dmp

Download
memory/2244-53-0x0000000000000000-mapping.dmp

Download
memory/2336-52-0x0000000000000000-mapping.dmp

Download
memory/2924-77-0x0000000000000000-mapping.dmp

Download
memory/2952-29-0x0000000000000000-mapping.dmp

Download
memory/3064-79-0x0000000000000000-mapping.dmp

Download
memory/3256-8-0x0000000000000000-mapping.dmp

Download
memory/3384-61-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-40-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-41-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-44-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-42-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-43-0x00007FFEE8620000-0x00007FFEE8C57000-memory.dmp

Filesize
6.2MB

Download
memory/3384-63-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-62-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3384-60-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/3396-7-0x0000000000000000-mapping.dmp

Download
memory/4032-28-0x0000000000000000-mapping.dmp

Download
memory/4052-10-0x0000000000000000-mapping.dmp

Download
memory/4052-76-0x0000000000000000-mapping.dmp

Download
memory/4088-11-0x0000000000000000-mapping.dmp

Download
memory/4160-30-0x0000000000000000-mapping.dmp

Download
memory/4200-56-0x0000000000000000-mapping.dmp

Download
memory/4232-67-0x00007FFEE8620000-0x00007FFEE8C57000-memory.dmp

Filesize
6.2MB

Download
memory/4296-55-0x0000000000000000-mapping.dmp

Download
memory/4304-9-0x0000000000000000-mapping.dmp

Download
memory/4688-5-0x00007FFEEB2F0000-0x00007FFEEB927000-memory.dmp

Filesize
6.2MB

Download
memory/4688-13-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-6-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-2-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-12-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-14-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-15-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-4-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4688-3-0x00007FFEC57A0000-0x00007FFEC57B0000-memory.dmp

Filesize
64KB

Download
memory/4944-54-0x0000000000000000-mapping.dmp

Download
memory/5052-26-0x0000000000000000-mapping.dmp

Download
memory/5092-27-0x0000000000000000-mapping.dmp

Download