Malware Analysis Report

2024-10-16 06:29

Sample ID 240528-xsbmdsgd2t
Target 7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118
SHA256 3efeff9954a353b328da1543183cbf14b5896e5a0366c632ed5de2f253cb5957
Tags macro, macro_on_action
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

3efeff9954a353b328da1543183cbf14b5896e5a0366c632ed5de2f253cb5957

Threat Level: Likely malicious

The file 7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Checks processor information in registry

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 19:06

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 19:06

Reported

2024-05-28 19:09

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118.doc"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\g3.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
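The "Set value (data)" rows in the two tables above (the Default HTML Editor / Default MHTML Editor command values under "Modifies Internet Explorer settings", and the .htm/.mht OpenWithList command values under "Modifies registry class") share one hex pattern. They are REG_MULTI_SZ values dumped as UTF-16LE; decoded, each is a Windows Installer Darwin descriptor (compressed product code, feature name, compressed component GUID) followed by the command-line arguments. The decoder below is an added example, not part of the sandbox report: it takes the three distinct blobs copied from those rows and expands the base-85 compressed GUIDs the way msi.dll encodes them. The product code comes out as {90140000-0011-0000-0000-0000000FF1CE}, the product code of 32-bit Microsoft Office Professional Plus 2010 (the 0FF1CE tail is Microsoft's Office marker), so these rows are consistent with Word 2010 advertising its own HTML editor components (msohtmed.exe, WinWord /n, Excel /dde, MSPub) and are noise to exclude when building detections from this report; the Process column is WINWORD.EXE for every one of them.

```python
"""Decode the 'Set value (data)' REG_MULTI_SZ blobs from the report.

Added example, not sandbox output. The three hex blobs are copied from the
Default HTML/MHTML Editor and OpenWithList rows of the report; the decoder
implements the Windows Installer 'Darwin descriptor' compressed-GUID encoding.
"""
import struct

# Blobs copied from the report (hex dump of a UTF-16LE REG_MULTI_SZ value).
WORD_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b00"
    "53006b0057004f0052004400460069006c00650073003e006200690024005400210056"
    "00210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e00"
    "2000220025003100220000000000"
)
EXCEL_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b00"
    "53006b0045005800430045004c00460069006c00650073003e00560069006a00710042"
    "006f006600280059003800270077002100460049006400310067004c00510020002f00"
    "64006400650000000000"
)
PUBLISHER_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b00"
    "53006b005000750062005000720069006d006100720079003e00520024006e0075006a"
    "0053005700460065003f007d0061004c0072005200700039007800400057002000250031"
    "0000000000"
)

# Base-85 alphabet used by msi.dll: printable ASCII minus the characters that
# are unsafe in registry paths and file names (space " # / : ; < > \ |).
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_`abcdefghijklmnopqrstuvwxyz{}~")
_DIGIT = {c: i for i, c in enumerate(DARWIN_ALPHABET)}


def _decode_word(chunk):
    """Five base-85 digits, least significant first -> 32-bit integer."""
    value = 0
    for ch in reversed(chunk):
        if ch not in _DIGIT:
            raise ValueError("not a Darwin digit: %r" % ch)
        value = value * 85 + _DIGIT[ch]
    if value > 0xFFFFFFFF:
        raise ValueError("word out of range: %r" % chunk)
    return value


def decompress_guid(compressed):
    """20-character compressed GUID -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    if len(compressed) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    words = [_decode_word(compressed[i:i + 5]) for i in range(0, 20, 5)]
    raw = struct.pack("<IIII", *words)            # GUID in native memory layout
    d1, d2, d3 = struct.unpack_from("<IHH", raw)  # Data1..Data3 little-endian
    d4 = raw[8:].hex().upper()                    # Data4 is taken byte for byte
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, d4[:4], d4[4:])


def decode_multi_sz(hexblob):
    """Hex dump of a REG_MULTI_SZ -> list of its non-empty strings."""
    text = bytes.fromhex(hexblob).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def parse_descriptor(entry):
    """'<product><feature>><component> <args>' -> its expanded parts."""
    descriptor, _, args = entry.partition(" ")   # descriptor never holds a space
    product, rest = descriptor[:20], descriptor[20:]
    feature, sep, component = rest.partition(">")
    if not sep:
        raise ValueError("missing '>' between feature and component")
    return {"product_code": decompress_guid(product),
            "feature": feature,
            "component": decompress_guid(component),
            "args": args}


if __name__ == "__main__":
    for name, blob in (("WinWord", WORD_EDIT_COMMAND),
                       ("Excel", EXCEL_EDIT_COMMAND),
                       ("Publisher", PUBLISHER_EDIT_COMMAND)):
        for entry in decode_multi_sz(blob):
            print(name, parse_descriptor(entry))
```

The GUID is rebuilt from the four decoded dwords in its native binary layout, which is why Data1 through Data3 are read little-endian while Data4 is copied byte for byte; getting this wrong still yields a plausible-looking GUID, so check a decoder against a known product code before trusting it on unknown components.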

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\g3.tmp N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\g3.tmp N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 2072 (4 times) N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 856 wrote to memory of 2728 (4 times) N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\g3.tmp
PID 2728 wrote to memory of 2284 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\g3.tmp C:\Windows\SysWOW64\explorer.exe
PID 2284 wrote to memory of 2292 (4 times) N/A C:\Windows\SysWOW64\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2284 wrote to memory of 596 (4 times) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
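The WriteProcessMemory table above logs one row per observed call (the sandbox recorded each hop four times), and the injection path WINWORD.EXE to g3.tmp to explorer.exe to iexplore.exe / svchost.exe has to be read off by hand. The script below is an added example, not part of the report: it parses rows in the report's own flattened format (a subset copied from the table above, with two copies of the splwow64 row kept so the de-duplication is visible, and tolerating a "(N times)" suffix), rebuilds the write chain starting from the Word PID, and applies a small triage heuristic of my own. A 32-bit WINWORD.EXE writing into splwow64.exe is the normal print-driver-host thunk on 64-bit Windows and is allowlisted; writes that originate from or land in an executable under the user's Temp directory, or that land in a Windows / Internet Explorer binary, are flagged. The allowlist and the reason strings are this example's assumptions, not sandbox output.

```python
"""Rebuild the WriteProcessMemory chain from sandbox rows and triage it.

Added example: rows are copied from the report's behavioral1 table (subset);
the allowlist and flag reasons are this example's own heuristics.
"""
import re
from collections import defaultdict

# Subset of the report's rows, in the report's own flattened format. The
# sandbox printed every hop four times; two copies of the first hop are kept
# here so the de-duplication is visible.
WPM_ROWS = r"""
PID 856 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 856 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 856 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\g3.tmp
PID 2728 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\g3.tmp C:\Windows\SysWOW64\explorer.exe
PID 2284 wrote to memory of 2292 N/A C:\Windows\SysWOW64\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2284 wrote to memory of 596 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
"""

# "PID <w> wrote to memory of <t> [(N times)] N/A <writer> <target>": both
# paths may contain spaces, so the writer is matched lazily up to the last
# " C:\" that still lets the target consume the rest of the line.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) times\))? N/A (.+?) (C:\\.+)$")

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\Internet Explorer\\")
# Triage allowlist (assumption of this example): 32-bit Office writes into the
# 64-bit print-driver host splwow64.exe as part of normal printing support.
EXPECTED_PAIRS = {("winword.exe", "splwow64.exe")}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return {(writer_pid, writer_path, target_pid, target_path): call count}."""
    hops = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        wpid, tpid, times, wpath, tpath = m.groups()
        key = (int(wpid), wpath, int(tpid), tpath)
        hops[key] = hops.get(key, 0) + (int(times) if times else 1)
    return hops


def injection_chains(hops, root_pid):
    """Follow writer -> target edges from root_pid; return basename chains."""
    edges, names = defaultdict(list), {}
    for wpid, wpath, tpid, tpath in hops:
        edges[wpid].append(tpid)
        names[wpid], names[tpid] = basename(wpath), basename(tpath)
    chains = []

    def walk(pid, path, seen):
        path = path + [names[pid]]
        nxt = [p for p in edges.get(pid, []) if p not in seen]  # cycle guard
        if not nxt:
            chains.append(path)
            return
        for p in nxt:
            walk(p, path, seen | {p})

    walk(root_pid, [], {root_pid})
    return chains


def classify(writer, target):
    """Verdict and reasons for one cross-process write (example heuristics)."""
    if (basename(writer).lower(), basename(target).lower()) in EXPECTED_PAIRS:
        return "expected", ["32-bit Office to splwow64 print-driver host"]
    reasons = []
    if USER_TEMP.search(writer):
        reasons.append("writer runs from the user's Temp directory")
    if USER_TEMP.search(target):
        reasons.append("target is an executable dropped in Temp")
    if target.startswith(TRUSTED_DIRS):
        reasons.append("code written into a Windows / Internet Explorer process")
    return ("suspicious" if reasons else "review"), reasons


def triage(hops):
    """One record per unique hop, in table order."""
    records = []
    for (wpid, wpath, tpid, tpath), count in hops.items():
        verdict, reasons = classify(wpath, tpath)
        records.append({"writer_pid": wpid, "writer": wpath, "target_pid": tpid,
                        "target": tpath, "count": count, "verdict": verdict,
                        "reasons": reasons})
    return records


if __name__ == "__main__":
    hops = parse_rows(WPM_ROWS)
    for chain in injection_chains(hops, 856):
        print(" -> ".join(chain))
    for rec in triage(hops):
        print(rec["verdict"].upper(), rec["writer_pid"], basename(rec["writer"]),
              "->", rec["target_pid"], basename(rec["target"]), "; ".join(rec["reasons"]))
```

The same parser runs unchanged over the full 20-row table; the chain walk then reports three paths from PID 856, of which only the splwow64 branch is routine Office behaviour. Treat the allowlist as a starting point for your own environment, and note that the fan-out from explorer.exe into iexplore.exe and svchost.exe is the step a hollowed or injected explorer typically uses to get a network-capable host.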

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Users\Admin\AppData\Local\Temp\g3.tmp

C:\Users\Admin\AppData\Local\Temp\g3.tmp

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" %1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rebdownandlo.com udp
US 8.8.8.8:53 litthenuserom.ru udp
US 8.8.8.8:53 herningtoling.ru udp

Files

memory/856-0-0x000000002FFF1000-0x000000002FFF2000-memory.dmp

memory/856-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/856-2-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

memory/856-56-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-58-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-57-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-55-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-68-0x00000000058B0000-0x00000000059B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51B77026.emf

MD5 d113cd48aced029381a781e0bfdc6762
SHA1 cbff4799775284087d9a511059d90107c158f222
SHA256 c5642411081eeffde66f9a2a042846cfd270c29fecf6c3aeebc9125099ca094e
SHA512 26e56bd1f616c1670a8b8c83f4613998a8ea07b350bbc2ae07b26ba3ca2d16d58f865996ffeb72a8765a501cbf742f2acead3818e243abca4417ada946fc7339

C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp

MD5 31cbc6beea45d83cfa2361753e77339c
SHA1 4cd5aa4e7a0497a31d133ca1cd1b77f4db71317d
SHA256 453b169b3fcfc348382eb34017453fd1d5eda4d24a72f750b7dc7fd135491d60
SHA512 bc79435a8689c4137b929f41f28cffc348732ca667f92a3d119945ce20030c05420f6d67fb9f573fa5f897c323e90895d822e48910d4793a9a3e320b2a13f7d2

memory/856-84-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/1072-85-0x000000002FFF1000-0x000000002FFF2000-memory.dmp

memory/1072-87-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 e83835b210ed8543a4166d85868b3446
SHA1 4164c6d58d96f64e76e20aef1a318b941101cfea
SHA256 9819d4b434f81fdb97c66f96850f831df019530bd9c4c72106a284a3c2b86da8
SHA512 b7e11a929fea9d5d0089af91fb7b79a73fa94ebaa762c4fd3863f8fe4a13b56a473dd4ad77e9e4e422204053318d5470edfa5863e1c964545f0d2fd3baa89887

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\fhew.rtf

MD5 55f487f5304adf3968ecf719968ac7c0
SHA1 2f40e45c34dfac4da8b7dc1e9fcfcd981f65c33c
SHA256 a295fa8cad1b39aea64916b475b482ca0cbc12aa691a86042d9c7a73463a33c4
SHA512 bf8ce7644df52b4c8bfb8a2dec19e587c48c1ba302dcb85ecc8515d2e55f9e7325439ee35c7b73c68b4e44326ef2cb83df79cf2dd11b48958360bcd0f7bb9291

memory/856-99-0x00000000058B0000-0x00000000059B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g3.tmp

MD5 fbbcdd063ce0c567637a409d3bddc976
SHA1 d66256648ec6a4b418a022e3cc454388f18d6909
SHA256 28294f3f65b235af167c43552284d7a4d4cdbb7ab5fe6d0c0d3b9b78f3f4b6f4
SHA512 9ff2b01cd6837431e221799965cee4fc7307cd18a6bbd2676aa8382eaa2bd4f8585a4bfd9284c2ecf674c435b3619874458e42a1e1055db1b760556b11895308

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 1bc0aadd34253ba2bd5bf66ac507dc23
SHA1 5760d0015f7d11a0a81b512bcba919fd425d757b
SHA256 044466b00c6d4056dae2348988560106dbe2a6e5c62189c72bed47d768f1a4fa
SHA512 0170f13354dce37370b82d0071503d986a65891dfce9d945b939a62d634484d32b5cd030e241e2c96158dcec53a303e2a423ca72f6359c6b8effa4d3efeb0812

memory/1072-122-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1072-126-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

memory/856-132-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-131-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

memory/2728-133-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2284-134-0x0000000000730000-0x00000000009B1000-memory.dmp

memory/2284-136-0x0000000000730000-0x00000000009B1000-memory.dmp

memory/596-135-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

memory/596-138-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

memory/856-141-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-140-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-142-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-143-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-144-0x00000000058B0000-0x00000000059B0000-memory.dmp

memory/856-145-0x00000000058B0000-0x00000000059B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~$0de5f425bb3abc0205dd876df0dbec_JaffaCakes118.doc

MD5 e90bdbd8553ae6bb3b749ba77cd49ed7
SHA1 4e55b954592850d180edfab8745654f63c6e0061
SHA256 726226af2bf7fdacb2ee59e7c18a182cb4a6fd18a58ef48ed92989412b6f5a43
SHA512 cb587c25fd32c76fdf2640122ced8bf4bb6772307594b030c53d73e5f8029d78da989525a8f82a88957010043cbc2ff84bfbd66f7ee290ab9bb4a33ac9f32c93

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b04fd3884038b13390e7a065db5af8e8
SHA1 77766abc66b4466c2bbbf7c95ffce8e88888cb2a
SHA256 dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650
SHA512 a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4

memory/856-178-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 19:06

Reported

2024-05-28 19:09

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

157s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried (2 times) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened (2 times) \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried (2 times) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened (2 times) \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried (2 times) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried (2 times) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{5E106F91-89C0-48EE-9F8D-C8924495596D}\g3.tmp:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 2292 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 8 wrote to memory of 2292 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e0de5f425bb3abc0205dd876df0dbec_JaffaCakes118.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.199:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/8-0-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-3-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-6-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-5-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-4-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-2-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-1-0x00007FFC84C0D000-0x00007FFC84C0E000-memory.dmp

memory/8-7-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-9-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-10-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-8-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-11-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-12-0x00007FFC42AF0000-0x00007FFC42B00000-memory.dmp

memory/8-13-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-15-0x00007FFC42AF0000-0x00007FFC42B00000-memory.dmp

memory/8-14-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-16-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-18-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-17-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-20-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-21-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-22-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-19-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-54-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3664F3BE.emf

MD5 d113cd48aced029381a781e0bfdc6762
SHA1 cbff4799775284087d9a511059d90107c158f222
SHA256 c5642411081eeffde66f9a2a042846cfd270c29fecf6c3aeebc9125099ca094e
SHA512 26e56bd1f616c1670a8b8c83f4613998a8ea07b350bbc2ae07b26ba3ca2d16d58f865996ffeb72a8765a501cbf742f2acead3818e243abca4417ada946fc7339

C:\Users\Admin\AppData\Local\Temp\fhew.rtf

MD5 e91a9b93e1223320a53069576cb043b5
SHA1 948cbf7164f9ea217736e9f77f2b96557f3f77f4
SHA256 f50ec077249cf349e14039f5acae1d3ad9016301946cc360490a8536e035dedc
SHA512 9aa03f5055437e9456b95980997c5b7d64f005dca69ad38d31341af0fde8c75db41f9b8cf555b5a0a0fac2b132e96d7dc81261d686f68a59a4f855ca7fedb4ac

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2E10D81C-AFE5-4B95-9DD4-0420B87054E1

MD5 4d150a5987c9d6d4f0ce6d1d550ac6a6
SHA1 80d8d2326fcf7777e2713f6d78baf1a263cd3457
SHA256 54a47aa96b899358e50336fa5bae794484924993d2acdeaee912271041587679
SHA512 5627c884f9ab9b3fa55e84c455257bab1d0dcb23057f7d0dd2806c1a9f7e9f4fdb78255a1122db70d498244ec551d170f78ff634eb6da80d85c386219ebb6c7e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 6bd3781b37b5660e62317bdc611a0ca4
SHA1 b762524dcb10758b02738b01c3bc96f3266a1c43
SHA256 32c40c9834fea7266cce0d095830e815e5cdb1c177838a873fb4fd74e806829b
SHA512 9351fa7895702336655a2421781086f0347cffc3a5fb016928aee3acea81a502737d7ee0af207e50f6ef4f1526ccf547f3c71f7f28911caa845022ea7674d239

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 7d7767e04900e55bab5ece8423cd4695
SHA1 c3d0cb8381c90b15071ad4d8fb36182a54783da0
SHA256 ee560acc9426ca995d3d5dcc3047dfe5f0a1d57b217f30f305fb8ba168ab58b3
SHA512 5bc17100391c35dc2418af96f5f57dce077f0026c290172ef8489a7ceb787fc0ce4779b32179fb88a63c75737be0a969cfe50e26e45634fa9430a273c2c35f81

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 4060eed4194ba7b049bda72b29a7c5bd
SHA1 bcbeae511f6768ac6a43443a88b3951d1669cbfb
SHA256 ed1fe439912d04d677f21e89b5184caaf44ff84953b02aaf6a0d7efdab1a7d76
SHA512 413bf5d25282c993c110c2f768a6c595b4c4ea2e5cee1db2bd4ff7128c4ed981f73079d62551ec0fe13135b927600c467c78ac76e0c54df36d80daea265e0bda

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 a8c61264a45f94534c81297b206a271f
SHA1 036d2c5ab008d2633d2a0e4220f92e2066aba7fd
SHA256 996ccc5a64c809c3d6e3513841e05cc3639bdcbc74f41caa2c685ebc3f3433f1
SHA512 4def2c653fc14c2f55baefd91bb9b0ce3b0d9d4bdd8dfd933f26275ad663b274218cc91dbe1927f7010c19123cf7ae51b2c9bb27811b8a3262a610893f6d7bf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 2871dee453b96277e243698d0f613b81
SHA1 70414e9430664fe1f4c32a7a72e11a34555440a3
SHA256 5fd2d245f69c579ae2ca68d0ee634e57b1659b9ba658fa517c2bdc8e38ce01e0
SHA512 f3945e8aa01c23e10855413418afd4aea461bf6ee441eeb11d283e2d3e8c17bc0fee45a1d250b2e1a68b4e43c01fe3ed93184017b0f71b59a45f9dd071b20ee7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 18517355fddba7993d0502ed4217c452
SHA1 d29c93e95d74c39aed3ee37c8243763563edd01d
SHA256 70cb19b52e857eaa1855d418c683cff5a49e0fea7265d0ab6c98527d9973b830
SHA512 84e6d4f49a0dfb8ef0879f05c38d494ded568085c90ec0cd9633e41cae683ec62e1e609943bec92e4e4b4918f1faf5f01e74aad920bddb3d4a7a5098ec814947

memory/2572-178-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/2572-180-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/2572-179-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/2572-177-0x00007FFC44BF0000-0x00007FFC44C00000-memory.dmp

memory/8-181-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-182-0x00007FFC84C0D000-0x00007FFC84C0E000-memory.dmp

memory/8-183-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-184-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-185-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

memory/8-186-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDCA4F.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

memory/8-700-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp