Malware Analysis Report

2024-10-16 02:52

Sample ID 240625-p7b8ga1dma
Target 0e296dcece26f5e18331f387168269ff_JaffaCakes118
SHA256 1c62c4a7b08e83202682f923fa4072087851182562dd49d0239661a32e12f1b0
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1c62c4a7b08e83202682f923fa4072087851182562dd49d0239661a32e12f1b0

Threat Level: Likely malicious

The file 0e296dcece26f5e18331f387168269ff_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 12:57

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 12:57

Reported

2024-06-25 13:00

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?dHE6_KI250069.0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?dHE6_KI250069.0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?dHE6_KI250069.0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?dHE6_KI250069.0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{83C89059-95B4-4BAA-96F9-470C5A638F0F}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{83C89059-95B4-4BAA-96F9-470C5A638F0F}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/2512-0-0x000000002FEC1000-0x000000002FEC2000-memory.dmp

memory/2512-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2512-2-0x000000007119D000-0x00000000711A8000-memory.dmp

memory/2512-11-0x000000007119D000-0x00000000711A8000-memory.dmp

memory/2512-62-0x000000000DD20000-0x000000000DE20000-memory.dmp

memory/2512-61-0x0000000005DB0000-0x0000000005FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{6997042B-F2CC-4D87-950B-6A376EC41F1C}

MD5 1c838ac8d33e814b41f15fecf2d5fde0
SHA1 f9533f9bd8fad3f282788e28ca52dec9fbe62877
SHA256 c8668cf535adbd8a38ece65afe469a09e31913d26c4d75c3e57cc53ec7ba5069
SHA512 320cb2bffb9e69b857c0ef745d1a92bfea466698c825f71a34617f8df820e3f265370bebb5c26f76a1b67afc475d2b39a0e0bcd997604af557cd2d9db815257f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9F004B15-1A7F-48AE-B5B7-C5C370EA98FB}.FSD

MD5 c3d41f6dd88b2d0ef5129567d72e86d0
SHA1 f845bdad0f5c3f52831ad051c51476a44b32c809
SHA256 a32cef7aacb647b435edb62ff5dd8303e949064ea9857c0423d6f54e9290b834
SHA512 2fbf7df8c1bd38e4dd902e8b60ae02d2f95aba42d7fa6d5214b5fa8e1570055a35ac0d01606051092ed31750969cbb3b8d08d89835e1a3cf89456c318a3f4b6c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 ca291880d8e5a721b4b5b8f04c4d770c
SHA1 8ebf958dcf79d2088422f0d8787295d487b742de
SHA256 f5d57a200b46438ca2366996728fd71a2fb74ba0c6e3e41f454cfe076b82da5c
SHA512 2dea5a0c8444808ef68674f6080a588b46761aed40555235a973ba58352e262d5fa41e5c544da1189fe36531b143b90d25911baf5ae097b891c3b7ccf830e87d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1C004635-127E-4CAE-88B1-CE3E0B5EB7B3}.FSD

MD5 73a4c6d2d654df682d22e687670b056e
SHA1 ac374a675c5859013406e4dc0f90ccc711b1b477
SHA256 fd61b1fc69bf2aa13b7fc8ef1b747dceb13604f8f8b121d46e13d2c0445e8e41
SHA512 aab2fe81d98c77a00500970769edf2698176828fe1d16ebca48401f4e800f30aa53f4018ab3765e42e552f96bd3f2f25ce8c2ce801eada28acd86cf7a27542c0

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 3d084759a1f995c269a618b36bdd0b4c
SHA1 7e20ed7d0832e9d0788d3b2e43755a3052dbb3f0
SHA256 a938271c422538e5b08f5f660bfd637ace115818c2ceb08c947550efbd62271a
SHA512 3a7e7a4fbbc959bfc09ca40e6aef2aa212e5eed51c737357ce9f2971e58c03e0b5fe931218a914194a93d09e473327288248b60bc530f874c70e3f5180920b3b

memory/2608-1022-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 904ec17bb045e70bbcabfa4c7f58ca26
SHA1 f53fb1560d5043cf0f999e4f3125be9e875d3ecd
SHA256 ae4a6c5644a601fe3feed745ddde2a4df962cb6a3e42c0c306f68a51e541e7c5
SHA512 bdcceb3b7aea83aaee622b8220a3806a2d78273c480a282f63a5e5e68786f4926fff860407ec4d9c9e3c1674dd33ee8a65f731a0629493c2498674d59eb334cc

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 837977be7a2c37ce5e055f27eed3af3f
SHA1 6be8da59d714ecc3132e0e5bc4b51b659e80f5e5
SHA256 bcf07f41b03bdef56f703f651771aae3b54f2e66ccc602a207f49bc725666ace
SHA512 4cae4d99c89c0e47834765abefa59ee72fb588aa83dac33c5bbc38ad70bf35e44b2940f1787b713279decbb1eeabb60e1f7bc139525fafb80f9f0cc0b071e60b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 95db796809a342d1ddfea2dc0237ec8c
SHA1 88bcf69a7fefe2b15abbef3c4a885d6c70ec133b
SHA256 5f18fc5a8a9f2f4556f904fef19c398221da613659dd45bc36ee5ba19fe64a22
SHA512 4c7d73aab44d7db11dde97d7c3f85066d220c7c47bda9ccd4fec017c3d4f84b3fe6d1f38b997b25e6cdcea4082eac626ebfd35d89211ac3b6f90b08c7eb6dd64

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9F004B15-1A7F-48AE-B5B7-C5C370EA98FB}.FSD

MD5 0b100883d97e691fa647821d85cecfe4
SHA1 caf4d2e8ba2a054bf205a7e76369fe31694fec76
SHA256 07ef9e9856adc9a5df9c9ab3a7b2812bbd89eb90d59c197381da3a35fefd4dfa
SHA512 37012b8fd39ba5ee1817bbb5d568a755dce6c9a0d9a6b62bbdfd899cb03514c7eac0a9363db81f78da5cc35c8a751073e86d6d2cee1cfe2ec8def3306f4d5e18

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 aa233e62b458fb2a34b216e33eb4db90
SHA1 35e33ec5ae181862791e447b4c9e059ee4acead5
SHA256 a9b584e4c3f736b071790da9c142b9fb98477775c51284ca2f136e636b54bce2
SHA512 4d3a79aec68d6d228b314453035f456e940c38366261120783097b1eb893fe391548d9d9fd3348148e15058955596a6103aabc847f3dc569fe22050c6455a649

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 48389bf4a8fd685243bbbc4d8d102129
SHA1 6f88b67a46b8b55a9b71ff47787015c1bf3d190e
SHA256 cb4748f25eedcd413153e1c96633fdcc42a03ec37269a3b6d93ac3c1114ab93d
SHA512 525a02559ef0a79425047771c4d51f125560b04a4b24d56c208e41338caea8fc535d0cd658f0585fd668ffb3c36428887530755dfe626872ff3af08fa7df5387

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 1db366a329ea2e185f9c784e83bc24c9
SHA1 495e8e22a7a4133082c15cadffb8db7a9beb69d1
SHA256 64a17af455e03939b279f38ac308780c5dbc83c6dc57e1e95bee98fadde07ab8
SHA512 835e4f3167a5f290f5e0b4e32075b08154dd6acc1fbdf57d17895544e35ef0e9c1be4546fddb78b04b7721aedf275496debada1a16410539e5a1163a33009068

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1C004635-127E-4CAE-88B1-CE3E0B5EB7B3}.FSD

MD5 6baba508a0350f0bb96d9c1ecaa67f06
SHA1 514a1b3f940a88cfd3e8636c91ac1a9e7442746d
SHA256 a3cec24b40fbd201746e0f2c38014681df3e353a09617a859e2dbd8376c0ae43
SHA512 2b3029a94040b37f5d94a8a6011bdc79c78d722d38ed29b1f6a5bde38f2b2626d046c71235d3f1c631230150ebc464a2afa0d26699dbdade0d3fd8d9351da48a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 12:57

Reported

2024-06-25 13:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0e296dcece26f5e18331f387168269ff_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
GB 96.17.178.192:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/3840-0-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-2-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-1-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-3-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-4-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-5-0x00007FF8E094D000-0x00007FF8E094E000-memory.dmp

memory/3840-6-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-7-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-9-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-8-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-11-0x00007FF89E640000-0x00007FF89E650000-memory.dmp

memory/3840-10-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-12-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-15-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-14-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-13-0x00007FF89E640000-0x00007FF89E650000-memory.dmp

memory/3840-19-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-20-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-18-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-17-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-16-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD829E.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/3840-514-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

memory/3840-569-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D1423F63-9A5F-4A21-83FB-478974C7E49A

MD5 3ee6fe4c74d96a10b66bd6681e68f581
SHA1 61ebb8d3d630ccf9b0a505f0fd321059dadad136
SHA256 fdf8070c6662c4e2a694d2c52e2667d609e346739156d8ab9fff770ae1c634e7
SHA512 54480bff19ed47a6ad5a83cb2ea1d7fa47b5823f286885249161af970b50bd27e40d73e256c101cadd1342ea01002e2a69d6c73f5893f9333c7514fb0615c07c

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 e5e33982a0415b8267a7d9f638d5a477
SHA1 c0522010aaec2c926bef1aff4f32b6e192d025b1
SHA256 3956ca5c61f150a1de589f4af2dacf2e189a679f1c5ed5898adf797cabdf674b
SHA512 2005823b5d957da3841f3c98a4a0cea9df1f2296da9b093dbc325b8f2c41a0c46c5d4376f2224be2e1d73d862541fd2f7162517344f7af544e8a454ec5a2e9b2

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 8ddb011f252c3c8ac562cbb111d2ab6b
SHA1 9ec0425224fb004f64b826071efbdb7a81c6bd04
SHA256 7b340f9ee9832ab89c9551943b81224beff07adf56b62034765b8d1e8e32918a
SHA512 59d29f2bb59d734b1e0ee62c92673f216683cadc3dd4e06fc68e9eb955099a3ca04dbd3beeec49d8c1b36d9243ddcf3f6a2b1878ca6b58229b357b0a890b2b68

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 e7f663ce715a2b74c17a013567b05926
SHA1 2b281c8ca9e1832394d0561a7cd6217393141545
SHA256 26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b
SHA512 5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 1929a270733957ae584a4a7a63fa9e75
SHA1 36139a223fac9d250beb8e2af85315e699b2bb9b
SHA256 8d543564f385a4f9231191961b035674b532824a811e7e0692215295351a6f83
SHA512 cc7fe2e257154c44a296f6e3629b29d58ccaf12dd13ccdd0774a1ba107c4e337ed59dbc361909c73cc14f34dac48f5d53fb17fc8b373e699ac095ebc47c71f9f

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 eb32c8f82c5c824c7d4957b1bcf15ac8
SHA1 0134f33db5d93e4daef87f448657ff1efe7b1ccf
SHA256 f3ee1b7b63a673dd00bfc62601dd62d88ff1febb2c840a64554fb31dd3e785c0
SHA512 dd68cc6baac60be139c1ad971e19df2f24725afcbfd9cfa6ebc39b885a0c667bb7269462cc1b968ff3338336f0f282c5d7dbac1e9be110612fd0221a3687f47e

memory/2220-1562-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/2220-1563-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/2220-1565-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/2220-1564-0x00007FF8A0930000-0x00007FF8A0940000-memory.dmp

memory/3840-1572-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 59360a5a8f4f56b8efaf4fcdd1fe02b4
SHA1 7980ec2e6059887d49fff6ae3044602bc249b7bc
SHA256 11474e59e1362a5a22c7bb4c998b74e519f0ac5d4a52af39917d1336748e994b
SHA512 78d85d97e64e1644de9d5f9bec2a060d8d55afb2c564c34504e0c147c4162dcfd7dd92f05011f723df61320cd44983961025b3c1eee254af7174282b793e9695

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 edc5bbd89d21bff468e2b1bc6a6cad11
SHA1 b5a3588cc1c3274357eefae826f9de1876e4def4
SHA256 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
SHA512 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 c388c7b04a4928321a0795658dc9a13e
SHA1 ba8753dea878f5ad9d0d2cf8f3ea91aae5c208ca
SHA256 57281b794fa04f21b269dd6cd4d9fd9b08a96b73253753eb41a9fae33ca6a72c
SHA512 f22a4347df87e3947dacaa668bdbe56d6e855f5f65e0cfadd53ed0d05d0cd3bbde1b2848d5d4c591558b4e5314466a4c78b7c43ad6323cc85bd177013471e96d

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 8665de22b67e46648a5a147c1ed296ca
SHA1 b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256 b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512 bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

MD5 f37c7e1c4fd58b8cb24caa9cc8d3ae9c
SHA1 89213a5bc1ffd59fc1cf36beeab5e519f0853257
SHA256 a3ed3e756c659a63de1205293cf82679df3c8503c2d1db4325ca83188e68acd3
SHA512 9444715b9a1c003612c2af34a4e2603409d21f6da8b1f6cb6c0f4bfb57ae3c204ef4597488d9e1246726f56efa5615e1711d012ee198f232a0cef7dc741eba97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 9142027c73e017fad7a6fad08e67d1cc
SHA1 67937e0bc2bf5439e81f233d92e4ba3d2e3c339e
SHA256 a9ed22fdc747fd026d03faec0f64242afca3b924703f2af795345e4ef78aa1a0
SHA512 26f8988b9f9ab86329535ec32bcb8045d6e48db73e94e4ec3d426077428bf9a86d750d7dbf0d703bbe3e2a147c7c895fe3a6efc6347d2aaa64c2615227bcdba5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 7c0f5e7cf26ca45471a398d343a7d76d
SHA1 8e2e28c18a339e3a26690d6a45c4a61557b6ca6b
SHA256 e4fa036d9d87c12664eae55eb020ddb10a17890640d31b15c348453c907a0976
SHA512 4285758035501799ede2a0abfad80b97029e110d6ee1289b7b4844f49715d9ce9f5daf9de2c4853a910876c4abdd6444783ca56aa76c77d1cf09b578709d64c8

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 99d2c8b075404deae8c400fb0b9d67e3
SHA1 bac7dead14958166eb05d1cb922cfc130c27d99d
SHA256 11d85b3e67a0b96cbcfb1cfce2c99baf7a1f58ce2022a0196051c61c320e0366
SHA512 3a5dee4cd0c751bf6d9b47eef656a53079ad9776e689cb13c81f8328f92b2ac5c3db63fd2aa142914b04b63e17c3383b7490e58c8b4bbfd0cc00647a3076d6f1

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 7d992167a78c306d58e70ddd072312b6
SHA1 c5a531ce8fea77855dde97f1a4bbc6211a153d98
SHA256 0b734c26f410c3511d33edaa7deccbf1c7eeff4167a8c94b58046bcf303df7da
SHA512 e4b2a71d80307690f5e7abb86ce107255b7c4ae2663339a370d3d8e0093b97a157c47b36fd5b1bd99573c848e26439c111a3fb4fe80c1a483c7d8c920ec1f291