Malware Analysis Report

2024-10-16 02:52

Sample ID 240624-mqewxs1frp
Target 0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118
SHA256 f438da0dc1acd53f14a4d91f7eb25d760b0cd6738baf2264b9d8ac0856c10e94
Tags macro macro_on_action
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file 0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-24 10:39

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 10:39

Reported

2024-06-24 10:42

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Temp\TCDF145.tmp\gb.xsl

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D8F26686-507A-4A5F-9600-D50018AA925E

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 10:39

Reported

2024-06-24 10:42

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?ZJ0b4UpV70U0E5on0NRlEKEB4ux4BiZd:Ur490197 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Common\Offline\Files\https://dailyemploy.com/day.php?ZJ0b4UpV70U0E5on0NRlEKEB4ux4BiZd:Ur490197 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\TypeLib\{FB97EF0E-5846-426A-B630-92464683E52A}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0805fa4e9b4ab35c675fa0089811e8b8_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 dailyemploy.com udp
US 8.8.8.8:53 dailyemploy.com udp
US 8.8.8.8:53 dailyemploy.com udp
US 8.8.8.8:53 dailyemploy.com udp

Files

memory/836-0-0x000000002F1A1000-0x000000002F1A2000-memory.dmp

memory/836-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/836-2-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

memory/836-11-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

memory/836-61-0x00000000049D0000-0x0000000004AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{10327FDF-21E6-4BD9-B8C8-984D47D128BF}

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8709FA94-2B55-410F-A19C-813EA2DF4DDA}.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{21F0A17C-E65E-4952-BEED-F8920F127E26}.FSD

memory/836-573-0x00000000049D0000-0x0000000004AD0000-memory.dmp

memory/836-574-0x000000000F8C0000-0x000000000F9C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

memory/1820-1017-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8709FA94-2B55-410F-A19C-813EA2DF4DDA}.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{21F0A17C-E65E-4952-BEED-F8920F127E26}.FSD
