Malware Analysis Report

2025-03-15 07:58

Sample ID 240816-hsqc8avhkl
Target 9d6073aed037108448c90e5495969ebd_JaffaCakes118
SHA256 0b18ec92065020e7de0e0508299743783aac3df5d97bdfacb5cbc2118a9a336b
Tags
macro macro_on_action discovery
score
10/10

Analysis Overview

score
10/10

SHA256

0b18ec92065020e7de0e0508299743783aac3df5d97bdfacb5cbc2118a9a336b

Threat Level: Known bad

The file 9d6073aed037108448c90e5495969ebd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action discovery

Process spawned unexpected child process

Suspicious Office macro

Office macro that triggers on suspicious action

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 07:00

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 07:00

Reported

2024-08-16 07:02

Platform

win7-20240705-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\WmiC.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0\FLAGS C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87DEC55D-3352-48B1-8A77-201F5C27B961}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Windows\system32\wbem\WmiC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) C:\Windows\system32\wbem\WmiC.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WmiC.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls

C:\Windows\system32\wbem\WmiC.exe

WmiC

Network

Country Destination Domain Proto
US 8.8.8.8:53 demo1.fhmarketing.co.za udp
ZA 41.185.8.61:443 demo1.fhmarketing.co.za tcp
US 8.8.8.8:53 nouveaumanagermedias.com udp
US 209.17.116.160:80 nouveaumanagermedias.com tcp
US 8.8.8.8:53 www.sosexymagazine.com udp
US 8.8.8.8:53 trtboost.com udp
US 216.201.82.194:443 trtboost.com tcp
US 8.8.8.8:53 kalingakhabar.org udp
US 8.8.8.8:53 darmoresidencehotel.com udp
US 8.8.8.8:53 raptuns.com udp
US 8.8.8.8:53 gos.mvlews.com udp
US 8.8.8.8:53 remalaldhifaf.com udp
US 8.8.8.8:53 ibirdsservices.in udp
US 184.154.193.210:443 ibirdsservices.in tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.132:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Roaming\D6E2.xSL

MD5 6f0da330fa6ff42ac3d4bf71afa80d78
SHA1 d39c20e6c13cc54c07f3a42f0c5bb7116b0df1ec
SHA256 cafef64a34a6450137424e39e9c100475c050d28d742283ef4084fef3cac649d
SHA512 e851ed7ef631a1ac27387ce63cc1b190aa3765335a09d9ceeea5f43da9b65a95ea04a2e0b39fe2c01875030ddb61d01e56d35e8cd36d5362f4d12e875538066d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 07:00

Reported

2024-08-16 07:02

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\WmiC.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wbem\WmiC.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WmiC.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\WmiC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 4992 N/A C:\Windows\system32\wbem\WmiC.exe C:\Windows\System32\rundll32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9d6073aed037108448c90e5495969ebd_JaffaCakes118.xls"

C:\Windows\system32\wbem\WmiC.exe

WmiC

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:/Windows/Temp//0dxf5.dll InitHelperDll

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 demo1.fhmarketing.co.za udp
ZA 41.185.8.61:443 demo1.fhmarketing.co.za tcp
US 8.8.8.8:53 61.8.185.41.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 nouveaumanagermedias.com udp
US 209.17.116.160:80 nouveaumanagermedias.com tcp
US 8.8.8.8:53 www.sosexymagazine.com udp
US 8.8.8.8:53 160.116.17.209.in-addr.arpa udp
US 8.8.8.8:53 trtboost.com udp
US 216.201.82.194:443 trtboost.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 194.82.201.216.in-addr.arpa udp
US 8.8.8.8:53 kalingakhabar.org udp
US 8.8.8.8:53 darmoresidencehotel.com udp
US 8.8.8.8:53 raptuns.com udp
US 8.8.8.8:53 gos.mvlews.com udp
US 8.8.8.8:53 remalaldhifaf.com udp
US 8.8.8.8:53 ibirdsservices.in udp
US 184.154.193.210:443 ibirdsservices.in tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 210.193.154.184.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\D6E2.xSL

MD5 6f0da330fa6ff42ac3d4bf71afa80d78
SHA1 d39c20e6c13cc54c07f3a42f0c5bb7116b0df1ec
SHA256 cafef64a34a6450137424e39e9c100475c050d28d742283ef4084fef3cac649d
SHA512 e851ed7ef631a1ac27387ce63cc1b190aa3765335a09d9ceeea5f43da9b65a95ea04a2e0b39fe2c01875030ddb61d01e56d35e8cd36d5362f4d12e875538066d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 25cb8321660fda0a1d4209a6a408acb1
SHA1 c082f5b0c165bf087b75301e643571ca27d37506
SHA256 ba02c47a3c468420d6716241f4ffe75ea8252281dbb8c15eb4e47dbce7f4adb0
SHA512 401a0bcb466b0a31c60c302472a056c16f3872ba22b09be58eb8158ce617b349a577594221a8924cab9c84ffc119759207be88f21b7fc05913e9a887d1e2d51c

C:\Windows\Temp\0dxf5.dll

MD5 6eec91078598dda5fe8ce70eba349b3b
SHA1 0e9da0372116f63ed42441b4ccb15ca4a632a2e7
SHA256 177b8546356bfb211df2308b09f44b999dd86c6bbdbc57e41e6a5b8ae40992b8
SHA512 057e258ca1fe109ec0e5a47031610777f2e5b2bdf4eb234000f43ca422420d0471c6fa8262f27ef25d125f88833b1f378606f199e3ec8482dc69a82ccc78acae
