Malware Analysis Report

2025-06-16 05:12

Sample ID 230125-mkc55sfg28
Target Doc_230125.xlsx
SHA256 8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
Tags
formbook xloader poub loader rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be

Threat Level: Known bad

The file Doc_230125.xlsx was found to be: Known bad.

Malicious Activity Summary

formbook xloader poub loader rat spyware stealer trojan

Xloader

Formbook

Xloader payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Launches Equation Editor

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-25 10:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-25 10:31

Reported

2023-01-25 10:33

Platform

win7-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1496 set thread context of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1380 set thread context of 1404 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Windows\Explorer.EXE
PID 1380 set thread context of 1404 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Windows\Explorer.EXE
PID 2012 set thread context of 1404 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wininit.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 988 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 988 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 988 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 988 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 1036 wrote to memory of 1496 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1036 wrote to memory of 1496 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1036 wrote to memory of 1496 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1036 wrote to memory of 1496 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1496 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1496 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1496 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1496 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1496 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1404 wrote to memory of 2012 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2012 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2012 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2012 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 2012 wrote to memory of 1376 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1376 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1376 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1376 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Windows\SysWOW64\wininit.exe

"C:\Windows\SysWOW64\wininit.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

Network

Country Destination Domain Proto
N/A 64.93.80.148:80 64.93.80.148 tcp
N/A 8.8.8.8:53 www.welcomelephant.com udp
N/A 62.116.130.8:80 www.welcomelephant.com tcp
N/A 8.8.8.8:53 www.makcando.com udp
N/A 192.0.78.151:80 www.makcando.com tcp
N/A 8.8.8.8:53 www.look856.com udp
N/A 180.215.68.138:80 www.look856.com tcp
N/A 8.8.8.8:53 www.webbestsec.online udp
N/A 2.57.90.16:80 www.webbestsec.online tcp
N/A 8.8.8.8:53 www.orange-foam.com udp
N/A 3.75.63.160:80 www.orange-foam.com tcp
N/A 8.8.8.8:53 www.drzjup.space udp
N/A 172.255.33.179:80 www.drzjup.space tcp
N/A 8.8.8.8:53 www.nortonarmouriesfilm.com udp
N/A 104.21.4.103:80 www.nortonarmouriesfilm.com tcp
N/A 8.8.8.8:53 www.anaygus.com udp
N/A 72.167.68.223:80 www.anaygus.com tcp
N/A 8.8.8.8:53 www.edfitzgerald.org udp
N/A 167.114.206.193:80 www.edfitzgerald.org tcp
N/A 8.8.8.8:53 www.232ppp.com udp
N/A 156.235.245.66:80 www.232ppp.com tcp
N/A 8.8.8.8:53 www.232ppp.com udp
N/A 156.235.245.66:80 www.232ppp.com tcp
N/A 8.8.8.8:53 www.577hcc.com udp
N/A 34.117.26.57:80 www.577hcc.com tcp

Files

memory/1972-54-0x000000002F851000-0x000000002F854000-memory.dmp

memory/1972-55-0x0000000071911000-0x0000000071913000-memory.dmp

memory/1972-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1972-57-0x00000000728FD000-0x0000000072908000-memory.dmp

memory/1972-58-0x00000000756B1000-0x00000000756B3000-memory.dmp

memory/988-60-0x0000000000000000-mapping.dmp

\Users\Public\name.exe

MD5 58a93d1d064b9e8265ea798531adb0bf
SHA1 d5e30f238fabd304d30ba2c726c71fb47765b494
SHA256 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
SHA512 c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb

C:\Users\Public\name.exe

MD5 58a93d1d064b9e8265ea798531adb0bf
SHA1 d5e30f238fabd304d30ba2c726c71fb47765b494
SHA256 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
SHA512 c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb

memory/1036-63-0x0000000000000000-mapping.dmp

C:\Users\Public\name.exe

MD5 58a93d1d064b9e8265ea798531adb0bf
SHA1 d5e30f238fabd304d30ba2c726c71fb47765b494
SHA256 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
SHA512 c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb

\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1496-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1972-69-0x000000006CBE1000-0x000000006CBE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucpha.v

MD5 d934356067b6133646fad1aa12371a1e
SHA1 23fe2ea62be0949a32ea6609345a8b8d27ce3757
SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa

MD5 28eed71dacb4522dbf2c1aeca39e2c5d
SHA1 b5633dcf66f1657552ba992c55e7124250c23a35
SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1380-74-0x000000000041FF10-mapping.dmp

memory/1972-76-0x000000006D0B1000-0x000000006D0B3000-memory.dmp

memory/1380-77-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1380-78-0x0000000000820000-0x0000000000B23000-memory.dmp

memory/1380-79-0x00000000002C0000-0x00000000002D1000-memory.dmp

memory/1404-80-0x0000000006D50000-0x0000000006EC5000-memory.dmp

memory/1972-81-0x00000000728FD000-0x0000000072908000-memory.dmp

memory/1380-82-0x00000000003A0000-0x00000000003B1000-memory.dmp

memory/1404-83-0x00000000074E0000-0x0000000007669000-memory.dmp

memory/2012-84-0x0000000000000000-mapping.dmp

memory/1380-85-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1376-86-0x0000000000000000-mapping.dmp

memory/2012-87-0x00000000000F0000-0x000000000010A000-memory.dmp

memory/2012-88-0x0000000001EB0000-0x00000000021B3000-memory.dmp

memory/2012-89-0x00000000000C0000-0x00000000000EC000-memory.dmp

memory/2012-90-0x0000000001D20000-0x0000000001DB0000-memory.dmp

memory/1404-91-0x00000000091D0000-0x00000000092CA000-memory.dmp

memory/2012-92-0x00000000000C0000-0x00000000000EC000-memory.dmp

memory/1404-93-0x00000000091D0000-0x00000000092CA000-memory.dmp

memory/1972-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1972-95-0x00000000728FD000-0x0000000072908000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-25 10:31

Reported

2023-01-25 10:33

Platform

win10v2004-20221111-en

Max time kernel

101s

Max time network

136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx"

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 8.253.208.121:80 tcp
N/A 8.253.208.121:80 tcp

Files

memory/1648-132-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-133-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-134-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-135-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-136-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-137-0x00007FFA3ECC0000-0x00007FFA3ECD0000-memory.dmp

memory/1648-138-0x00007FFA3ECC0000-0x00007FFA3ECD0000-memory.dmp

memory/1648-140-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-141-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-142-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp

memory/1648-143-0x00007FFA41590000-0x00007FFA415A0000-memory.dmp