c837308f5d10f2aca13d49e27a415967bdf3c082cab5989ff2d668733a060713

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
Size

22KB
MD5

d01a7969e442f29a4f677c1a2fd702af
SHA1

070d960205816a261001fa0aed84dd3884e28099
SHA256

c837308f5d10f2aca13d49e27a415967bdf3c082cab5989ff2d668733a060713
SHA512

13232ab08f3394234b9d30878c1048c852e35e7b354671cd4cbdf316664bceb69ad3d4ab666ed32c41c1c5822309bee9d6a1ec6e3b3cf11e8d79552e82f2057f
SSDEEP

384:JbCEXMMADQIrUeNFwx9E5xtT6fkCMst8AdxIiv4dK8y8KG8szTO4Am7UnwtzwGqy:R1NAUsbxtT6sFst/3IrdlLUw2QLnbcuS

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3380-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3380-4-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 51 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1524	POWERPNT.EXE
764	WINWORD.EXE
1068	EXCEL.EXE
5200	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4980	EXCEL.EXE
4980	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
2260	EXCEL.EXE
2260	EXCEL.EXE
3180	EXCEL.EXE
3180	EXCEL.EXE
1508	EXCEL.EXE
1508	EXCEL.EXE
5644	EXCEL.EXE
5644	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1940	wordpad.exe
1940	wordpad.exe
1940	wordpad.exe
1940	wordpad.exe
1940	wordpad.exe
1524	POWERPNT.EXE
1068	EXCEL.EXE
764	WINWORD.EXE
764	WINWORD.EXE
1068	EXCEL.EXE
764	WINWORD.EXE
1524	POWERPNT.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
764	WINWORD.EXE
1068	EXCEL.EXE
2584	wordpad.exe
2584	wordpad.exe
2584	wordpad.exe
2584	wordpad.exe
2584	wordpad.exe
1524	POWERPNT.EXE
1524	POWERPNT.EXE
2132	POWERPNT.EXE
4980	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
2132	POWERPNT.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1236	wordpad.exe
1236	wordpad.exe
1236	wordpad.exe
1236	wordpad.exe
1236	wordpad.exe
2132	POWERPNT.EXE
2132	POWERPNT.EXE
3724	POWERPNT.EXE
3124	EXCEL.EXE
3724	POWERPNT.EXE
3660	wordpad.exe
3660	wordpad.exe
3660	wordpad.exe
3660	wordpad.exe
3660	wordpad.exe
3724	POWERPNT.EXE
3724	POWERPNT.EXE
4124	POWERPNT.EXE
2260	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
4124	POWERPNT.EXE
4756	wordpad.exe
4756	wordpad.exe
4756	wordpad.exe
4756	wordpad.exe
4756	wordpad.exe
4124	POWERPNT.EXE
4124	POWERPNT.EXE
3008	POWERPNT.EXE
3180	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
3008	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4252	3380	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	87
PID 3380 wrote to memory of 4252	3380	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	87
PID 3380 wrote to memory of 4252	3380	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	87
PID 4252 wrote to memory of 4716	4252	cmd.exe	88
PID 4252 wrote to memory of 4716	4252	cmd.exe	88
PID 4252 wrote to memory of 4716	4252	cmd.exe	88
PID 4252 wrote to memory of 2436	4252	cmd.exe	89
PID 4252 wrote to memory of 2436	4252	cmd.exe	89
PID 4252 wrote to memory of 2436	4252	cmd.exe	89
PID 2436 wrote to memory of 1940	2436	write.exe	91
PID 2436 wrote to memory of 1940	2436	write.exe	91
PID 2436 wrote to memory of 1940	2436	write.exe	91
PID 1940 wrote to memory of 116	1940	wordpad.exe	93
PID 1940 wrote to memory of 116	1940	wordpad.exe	93
PID 4252 wrote to memory of 4804	4252	cmd.exe	95
PID 4252 wrote to memory of 4804	4252	cmd.exe	95
PID 4252 wrote to memory of 4804	4252	cmd.exe	95
PID 4252 wrote to memory of 1524	4252	cmd.exe	97
PID 4252 wrote to memory of 1524	4252	cmd.exe	97
PID 4252 wrote to memory of 1524	4252	cmd.exe	97
PID 4252 wrote to memory of 1068	4252	cmd.exe	99
PID 4252 wrote to memory of 1068	4252	cmd.exe	99
PID 4252 wrote to memory of 1068	4252	cmd.exe	99
PID 4252 wrote to memory of 764	4252	cmd.exe	100
PID 4252 wrote to memory of 764	4252	cmd.exe	100
PID 4252 wrote to memory of 3412	4252	cmd.exe	105
PID 4252 wrote to memory of 3412	4252	cmd.exe	105
PID 4252 wrote to memory of 3412	4252	cmd.exe	105
PID 4252 wrote to memory of 4656	4252	cmd.exe	106
PID 4252 wrote to memory of 4656	4252	cmd.exe	106
PID 4252 wrote to memory of 4656	4252	cmd.exe	106
PID 4656 wrote to memory of 2584	4656	write.exe	107
PID 4656 wrote to memory of 2584	4656	write.exe	107
PID 4656 wrote to memory of 2584	4656	write.exe	107
PID 4252 wrote to memory of 3060	4252	cmd.exe	108
PID 4252 wrote to memory of 3060	4252	cmd.exe	108
PID 4252 wrote to memory of 3060	4252	cmd.exe	108
PID 4252 wrote to memory of 2132	4252	cmd.exe	110
PID 4252 wrote to memory of 2132	4252	cmd.exe	110
PID 4252 wrote to memory of 2132	4252	cmd.exe	110
PID 4252 wrote to memory of 4980	4252	cmd.exe	111
PID 4252 wrote to memory of 4980	4252	cmd.exe	111
PID 4252 wrote to memory of 4980	4252	cmd.exe	111
PID 4252 wrote to memory of 4256	4252	cmd.exe	112
PID 4252 wrote to memory of 4256	4252	cmd.exe	112
PID 4252 wrote to memory of 4016	4252	cmd.exe	118
PID 4252 wrote to memory of 4016	4252	cmd.exe	118
PID 4252 wrote to memory of 4016	4252	cmd.exe	118
PID 4252 wrote to memory of 4288	4252	cmd.exe	119
PID 4252 wrote to memory of 4288	4252	cmd.exe	119
PID 4252 wrote to memory of 4288	4252	cmd.exe	119
PID 4288 wrote to memory of 1236	4288	write.exe	120
PID 4288 wrote to memory of 1236	4288	write.exe	120
PID 4288 wrote to memory of 1236	4288	write.exe	120
PID 4252 wrote to memory of 1936	4252	cmd.exe	124
PID 4252 wrote to memory of 1936	4252	cmd.exe	124
PID 4252 wrote to memory of 1936	4252	cmd.exe	124
PID 4252 wrote to memory of 3724	4252	cmd.exe	126
PID 4252 wrote to memory of 3724	4252	cmd.exe	126
PID 4252 wrote to memory of 3724	4252	cmd.exe	126
PID 4252 wrote to memory of 3124	4252	cmd.exe	127
PID 4252 wrote to memory of 3124	4252	cmd.exe	127
PID 4252 wrote to memory of 3124	4252	cmd.exe	127
PID 4252 wrote to memory of 4572	4252	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C9B8.tmp\KingPatchByBazuka.bat""
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4716
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1068
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:764
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4980
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:3724
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3124
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3384
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:4124
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3180
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:552
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3268
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5324
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5332
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5600
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5608
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5644
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6088
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6096
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3928
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    PID:5200
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5836
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3816
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4620
- - C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    3⤵
    PID:4912
- - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    3⤵
    PID:4332
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:5208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
1cf096efdf87a0617071b48fbc405416

SHA1
7c979c06865b7d569acd02ddd2b7d6138c651d82

SHA256
db460718544d6b07718fe306a6186b8e5244a76fd03cbf48cb6a584ec46cfdaa

SHA512
ee2b55212dc5a68ac57eb151d0f0079648b6675b112d67b77b52fa1da75b1709cc96936011cc5ddc761cf80d304001fb510cdc157871e03f9e352ce2e188e2a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
53230a5cc029857a9c97edcfda11fd9d

SHA1
59d4fccccf3c38e62dcee1f29e8c52808561b66a

SHA256
2d75d4b442b9895713fec807fd2ba19578d0f4b84e17618df2a2fc4068bc067c

SHA512
303a1dff8bc9eaf3e4538667a08011689d0223e3b4b4d3f56d7f32e8927fd51c0a97cb47c4769e955d37f5515b479ab6b13b22f3ffbad70b189669ee7ea54509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
6081abad3f28979b21ae78e0fc1cbcbe

SHA1
08d9c46384517ecd5edb8edca06d28d14b468d6d

SHA256
eb94aab2c01a86a866df5b518b3f6d41e4b10f4ad63e452560876af494e36e6d

SHA512
a0e53684018169c21985ae01e7f3a1e5e844039c33b40f4712689d139e6b8f187037f2a9e2d90ed0ad70e257118574506b9d7b72357d2d8fa00782a219b1ac18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BCDF7CED-98A4-403B-A527-0E013E55E07B

Filesize
170KB

MD5
d6e9676d924a765180b9c29dfab82efa

SHA1
f658cc742c2482c9504dbebca9e2c86ef372bf80

SHA256
516185ce177c04963dc5eea98205695f90ec36016d96809b34072ab193c6b22f

SHA512
6e4727b86a0daf84a112c02a03d0699f979b433bba6a86021d4f54e6fb38f3e3d227c2678aafe8786158e90697f1f11b7fd3b84d891dde7b726db278c464c77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
320KB

MD5
1860cdd48aea9511bbd598c3d6e80ec2

SHA1
4d80fb389297d1b42330fc9cc043890b7de843ef

SHA256
c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035

SHA512
64718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
371KB

MD5
b74eb161d37d710b9b22271584485c1a

SHA1
1d88603f131117064de0400089891100ed121fc3

SHA256
e6e361b0652debef9850931222360c37526a2c0db7dee06e9a16c92875c0d433

SHA512
7db4e9e491ba6136947581c6aa66b5d7297520b0e11f4874e0d44dea034ce16e2ea3234bf593167acea944e8ea03cfd03a37a84838e11b9232944447dcd41849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
331KB

MD5
2d72c7fd107986dff9d09acdd4f8255f

SHA1
f60da83ed901faee7352589e46ae5a361a33af2a

SHA256
2bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a

SHA512
063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
37015e539334e81c2adb1a69ad327199

SHA1
7c0c14ce5d37d5da4ff7e388d05862c7c141db8d

SHA256
81f6c5fa3d205bb87ad17d5d740bd83d0a74eddab1300053f24b7c2175f1568b

SHA512
c0aceddd0e2b6a749332e929d25a02ebae446bdee37137ac577fa910a406b0e1a4da8b49067851c29a8b4e8dc99cc40f4daf01d488cfebe0a2e11de696d02231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
257KB

MD5
76fd1a622186ae7be0212f113b279fe4

SHA1
b7251400ba8d5fae40a4b5bb0fd2931a043cf48a

SHA256
b9ad833ea7ce6e81f21a3bf692b13c179386134cca86c99d1c324b4c8526d7b9

SHA512
35820d512a3b96ed624a739a0f36f70686c1c3e85693e9b87223294fd599dd5ec3a1e6811d38464c790cd934f66db2b7777bf5294cf8b06402a8ec08e2ff83a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
511KB

MD5
a7cbae235ed77f9a8e377b3fab3f17a2

SHA1
649337e4bc2c17d907438360aff1c4335acceefa

SHA256
30fc249a0329880bdec8875ab8e17cf5cd0f80d795eda01834612b4c5dcd1634

SHA512
6c0e8abe24eabb8d8fc3375b7cf7cb201c7ff0ddde628119a627fcf194d493585f879fb186f4d6623a836fd715d28429f68fb780dad214d9381f08b82f173dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
756KB

MD5
528bf783df698e4a2d42005dced29de0

SHA1
1cff0ea5852aadce617da34d81aca55bb726b905

SHA256
87ac036fa191b1e1d5bc18d132b483692d8b613a06dbf5186bfde4a0db24ab02

SHA512
8fd72470457f8324a8a39e650f61397187fca722a3107891ba1f0f582c3538f18e5f20c601c19d17418ce958f62a3a7803c7868308abadc1b9a64de3a3959ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
1009KB

MD5
246ab646e2443bd9d245e02ffa4a6c9c

SHA1
741fd9037fa9762394673c00a2a37dd196f73c50

SHA256
1f983e5b1c1cc9142b7be1a7b77b32111b670dafb79fb86b834ca08896088e8e

SHA512
8b069691a52a0227c5e2b9903dc720537367dd26438dc1613ac5a5d359bed50984920ebf842a0937e22efa8cb51967bf56ef72fd12bbaa03e58528f9a94c7edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
1.2MB

MD5
b664f76a3769614694ec1fd50790e99d

SHA1
307f99f98bc1798ca9f2f7e783cf3e26dc367ae1

SHA256
36bf835b6fd41b6c1f6cde9e52ccd0381c934d6855b430f0c1394ae5a45fe613

SHA512
394b2d18caba1fa11e2d226c6bf74e6ed74fff91449ceb87b2cfecf6dfb9ded3561d4bd8b1897d63689448e3499b4a394514ff2dce67a0b3bdd35f1c659689ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
1.2MB

MD5
3bca03b0530cb362fa70f7047a8f95d1

SHA1
eab1ed7ae31c9121027793e48257bd4fc8f4b926

SHA256
dc4af3e8be7a737e952944a5a127f841cdf889291b75b7b54ec51f36ba82d753

SHA512
63fcc556469a1aa4f2f85b0e841bf27ea4123e51fc2571675fd756b86235b227daf3b510ae060b78cb40942639179cd85b4b997ec565fac4560e9b58b1626dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
72KB

MD5
3544f207fbb0069394e02d5070930fa3

SHA1
af159401528bb2a98bbd1ff30d948c4990e0adca

SHA256
f2d0e90271fcda31d2083ba206170fc9d36a524d8bed990cb6eacfa7813eda56

SHA512
46f395d59cc0448c603877ba11a3da527d2714364b7bacb9bd738449cbf9e6009c4167cf139ff0bbba4343114023a597ce76761b6c8bc7977424bc96ca3d27af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
132KB

MD5
feedd46e1ac7bfd1401c60719aed021c

SHA1
51b5472b9ebb398179368d7075595e6ec8a30f0e

SHA256
9be32d6f613f9075915ff212fc184524a3e858929af01be730a8091a4b6a1aa0

SHA512
0edb4ee0cd325360c0b0a6fb9000e9ef6d652b3f4ae609ecf1a8c5bada7ac0229eae989e0059cd2684d0e6b8777773e4fcf1b36f70149cd26e458e64bd4625e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
188KB

MD5
8643fd092aac36767a4f734b0bd6db69

SHA1
3c8eea0b88f7a33c0cd17c91c560149998366869

SHA256
bf120dc183b2de803cfeb025cbc9b9aed63252f6ade1fc9878e03cc4c7861ad4

SHA512
43b8085a9bbe49cc771d30436b9e040e0f28252bebf095a4c5486f95d03a0936a6cdf1c285518ef021bb1e21fbee644bbc6fcb4e3ecea6d089a55590d2d3faa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
248KB

MD5
82980767838ac0039a8055d63db3253e

SHA1
245b23e4448bb1a2220f8a4932966580963a98af

SHA256
2cbac115068ab90ec7e140041380e00634e1b9bf06678e173acc454db6fe5b16

SHA512
740c72d54f5811309815ddaebb5fec5080d135997ef87703aeba7bd6793d2dd1f4e7523409063feb52c80d85c90d82ee34c79d3078a2349131bc60b64e3439f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
364KB

MD5
0ec6d19642ae2fae2c7c6ff92c0a48da

SHA1
d919e5092ed342eebd93acf4ac73ed0be40f31db

SHA256
4ccec76bc3fd5e050d20fbcf0c04d726fccfc20a6dd4eb20c134bb6a74836563

SHA512
b56d2fa932a5408b8e0f1d6200e682fe24bae00d15db7cd344e4dfdfb9efa6f0dbe6ea14d5db4722d20aebd79020e0dcecca3dfb3734f5481c8c3468946a4d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-wal

Filesize
8KB

MD5
174d93c28a78ea57b6a5193c633f2c52

SHA1
f241ae32c67dc200aa2a5f814aba292d76a5ea5f

SHA256
65f34c4b1034ed1ff2ba5ca7bfc3cf4982aa6aa438a066504262e9d6764560ee

SHA512
98b030a862317c3a16363ad6c8528dfdb80cf36ddb7fa89ea52400299de9155ce71a6d100672d2cc6720ce7cd5520187e3666baa4bf2e42716b3f75b8c2640cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
dfd3d3d7bf1fd650ffa3de737a056f4b

SHA1
43fdc401956ae73ae847976cd6602545e65e5246

SHA256
e18d2cf69da8130c7b6bc44c8de440154d4e2512f9d5c7ec2f5a8a93cbd5181d

SHA512
d89cf1c5df56dc23d1f5a717589b47f1b485803d7c149316e323e3cfe591064422ecf00426a84550a5b43559c8a9e684d3d65e369a178d7a7f4bbbad973a675d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4d89a7fe501802a583a8130a5b30dc4b

SHA1
2e1c92607e4a47fbc252404037268f6f7d9dd3f2

SHA256
6a34a651f8e4f6514e16ee15e956e432715e202bf5018860355c7639d53d9192

SHA512
5196eae5cd5eb2a7c0cdc0e8c1a178f08e19258d91400a2a80a8be7e5607a8620e458a8478e0ec13cd6375cb4cb3880956dc26e80cdde4d9d687ce857017042e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6c6f937c562153d58f8cd2e8637bd855

SHA1
863c70e15411a2555442b20d050b9a6be54fa165

SHA256
9eab801398ece3461b3a804c87c72bf11cdcdaf66123f8f7b225934b6382fb76

SHA512
5afed808cc2dc74215a60da2553e40d7a9ebf3e9ed593e2af9f93b8a820c090829b5e8df512589f9975a627a2ad16b457d39ab93f32df63e9d1d918f5c4b2074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
09f362fea61f8c94663bef97bf48e7ec

SHA1
ce2d8746ae866a5b3ed4409ee496cdc467ff3b8c

SHA256
560716ee40eab44e51adbb7eabca46cf01a2a07bd03e813eb2b6f9a1a2afc055

SHA512
1bc7755c61f68f1010bfc0b7697d6a06b80c28c9b324a774e424af4f51aacbed7e650aa1ced64792e6c25399aa3c55e81144ebf741febc08bbabdd4361e6991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp\KingPatchByBazuka.bat

Filesize
202B

MD5
32579218473666d775e9bf7bccd4674c

SHA1
e58a8922cc7541b5fec246a665839e4801ae3dd4

SHA256
2944fba0434f1157cf80071cd18d3519a2885bc648e82de0a43a80c37c6ba0a6

SHA512
c1fa40990be97c3c37ac6fcdf790bbab58cba9c2abe404751b8c89f8f22a5b36c96bb3c5f573e633d693275d727c3f0bb7306e74d5bd052ca61cc1538862790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD44FC.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
755b0f845e727f88150a7278a9a88da8

SHA1
8e13e8001cf2db164dad80ae61de04759f362f56

SHA256
1bac5d18c64b1054e7f7ef4dd66f35bf7a07aa7018ae23ad9cfdc0e5a1268fcd

SHA512
fb06e2ec1dc9b8c720a70ddde10eaea4f1b6343cb92f06f00aa014c97a754d42d7e95bd672591074b3d9972ce37836efe2c134eaf930a573ee5758681b8c2d92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
5de56bc1114d6ee70e0937fdf59484a3

SHA1
bb1953c5dd129262287f4045633eeb25a5951c09

SHA256
16ca3674cc212eb1143828849cfbc0f4f25dfcf20dfce62e360ff1f4f576c204

SHA512
7cf54bf3ddc14e4d519f112f2cdba9edab77dc36d9cd8ee097487b3ed1e405eda96f067ebd3b5ecea7e0e590c31a4ca9e4c290b1db164d6fa32ed344c1f0ac98

Download Submit
memory/1524-72-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-9-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-18-0x00007FF97C2F0000-0x00007FF97C300000-memory.dmp

Filesize
64KB

Download
memory/1524-20-0x00007FF97C2F0000-0x00007FF97C300000-memory.dmp

Filesize
64KB

Download
memory/1524-74-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-73-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-8-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-71-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-5-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-6-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/1524-7-0x00007FF97E850000-0x00007FF97E860000-memory.dmp

Filesize
64KB

Download
memory/3380-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3380-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download