Malware Analysis Report

2024-10-16 02:53

Sample ID 240626-wx71qayhrk
Target 12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118
SHA256 330145ed03e314fa9939713c886f49ed7670ea82efd3de2c2263f1529736f469
Tags macro macro_on_action
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10
SHA256 330145ed03e314fa9939713c886f49ed7670ea82efd3de2c2263f1529736f469

Threat Level: Likely malicious

The file 12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 18:19

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 18:19
Reported 2024-06-26 18:21
Platform win7-20240220-en
Max time kernel 124s
Max time network 124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?cTe5jaE7x6WR6gVyXYQ2zfpCXxa9nSt7:LO788978 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?cTe5jaE7x6WR6gVyXYQ2zfpCXxa9nSt7:LO788978 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

memory/2432-0-0x000000002F0A1000-0x000000002F0A2000-memory.dmp

memory/2432-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2432-2-0x000000007100D000-0x0000000071018000-memory.dmp

memory/2432-11-0x000000007100D000-0x0000000071018000-memory.dmp

memory/2432-61-0x0000000000770000-0x0000000000870000-memory.dmp

memory/2432-62-0x000000000FCE0000-0x000000000FDE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{BF8F7CF4-329B-461F-9C62-03999ED64DA8}

MD5 c9787a24422158a2a13469bfa7549d80
SHA1 c81061afa6220c4b7785d6af9550c145de8f4fd8
SHA256 95161efda3f0ccf8d482675590477b9c181917c83f99e5da69394b4a901c7bc9
SHA512 8df4d92a0aa05c1044d130437b6fd74b027e808b94e838f1898aa32886de969374f77d006b41addd70ba865ed9adae00e49a4e5b0ebf693a20724d8809869a21

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0145E18E-3BF7-4AFD-A2B5-E620020F09B5}.FSD

MD5 83a364b08760da91f4d38cb7357c0254
SHA1 b085be0fae5841afc60bedcc33343ffe47dc5273
SHA256 95709051c5cf67510ebe66fb3f88ddfd7ccb802cfdbe99eb59070d25f86e3631
SHA512 6629800db3cc2a4ff05feae95d14fa15f9b73ccc20463050a464ba05773ac4a8d5f31178063c3da6d1f15d50fcb9c65f55d84295c1d58342a7e03a27709ce235

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 b1911becade22a983b7e5a46f39d3bb8
SHA1 cf2e3e3e5e10722e468b511b563ceb97e431e71f
SHA256 1cc44616247bebb70cc9c1eb592bc8db5191f3c7ffc111281246b336aad1b905
SHA512 7f981d535d67cd684cc994a4d58f4c6450fef8f908875b1c58a2c941c8339ee4d0a58c67ec62b24ba0fd44e1c53d1acbb110ec75af995bb8f5c4e9ce074941dd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{37FCC202-CD3F-4464-B54E-E8FDD5C1E91B}.FSD

MD5 78c0f69d39e08b86704de036d4310776
SHA1 3305a39316a85279de3db4ac1c1db197bc159eaa
SHA256 0c08ef4e2b11d9ec62b4c74d6d9c1947327d5652586a0756b612f55ff65441a8
SHA512 c2916e40515e9b7f54797262efd405a6ec90aec20594f6ef9f369a358dcdbb553063c5e7eb833b2867a8a98e0b8ff7ebc30ecdaaf5bd9ba02aff05152b486a73

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 65f83ca895707335115aea86826ec197
SHA1 9e2aa75cffe198859c2a57255073404a74908f80
SHA256 b037fb4d8f3e266206e04e43aea18f4568b1f18cfcc5118ff73e78820c7ab9eb
SHA512 1596bb7be6f51b4c3d7e24d14495853b89bc23611457ffa3b06f05afe2e29b02a175e399e0c7275c553bd5baf86ab9a04fd9dc6231018ede390b9da046cf6b8a

memory/1324-1016-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 bbbbc38b2b990731418119e6fc3b3be8
SHA1 1572c14438edb66e691cacb4fc5c013f97d8023b
SHA256 e842d4cf99ea62043189be4a19ce59b258b68abbb2ea86ae67feac42d8d20c49
SHA512 02d8e77406ec697df7f127865bd15fb5b0f68b2b10a2637fb6b0248a8f95f35aa36811297e257597ceaddfe21f391db5fa4ef11413b1f8fb6ca305f3d7abd3cf

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 cff6bcbd8c108eda7a35b38c7d54f171
SHA1 69e5d5db88bb299f7eb787a8a1ad217595220419
SHA256 a02ff216aaf9c0cf65c85c878856e37755c5f377be9711cab2256dc996ef66b8
SHA512 ef9b1ac205d98fc33f993db59ddaee403324da29f45137ca86d26f7bc6d53acf39e02497a2f17d662f4d8cd207ba685205efe362ad62f3dab80a3980b58244aa

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 59f86316edc0ca681fda0a15b36d468c
SHA1 95f05309d8a0d4ef3fa44a33f52e06f7e7a177ae
SHA256 906fe52e005d9cbb77ec030d2cc2ad68eb30ebb4d22d1e06bf8654224020dea4
SHA512 e013563800e05ce05350101fe718a51536133d25803aa7b468f450052ed2dfe801b5b0b53c9bf22694c2e112215695d99f1eb4d21bdc0cb449dda9ddc809e65c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0145E18E-3BF7-4AFD-A2B5-E620020F09B5}.FSD

MD5 01fe571c7b100d299046aac00c2f61fb
SHA1 e734b94c88ac8e6e99ac5663aacd26bf55f0895b
SHA256 0e0cfe882e2989673c6bf664ad65781163648a7fd0954e9b3cf142b1163cad79
SHA512 88855a7096d50f24b801a3deafdeff62f3f81927f80a32b2d677b744822f96de0e17e9629aa1f4caf5a4a2f95f2b35a7e604af08515cce3b25216153e55197fc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 f854c8e0a2581f482ad3be59990bb2d9
SHA1 9b8f4fadbb12582e6946fecee120d3ef8e3ccfcc
SHA256 155f854568afd226f76b0277267e71ae3f81e6cd736f551d60138fd675e2868a
SHA512 4dadd3aee2ca7b3a7d7c07ce4b2ec9e39977f0fb5c64739629b9bda87c0bbfac64570954f2829b4c2c2e8a8f631a3b96e003186126391d80fff9044dd7c5641d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 620e31db01cf967eae893ac063d0013e
SHA1 21f9a243db6e89f237e896255793123741ede381
SHA256 2e4dae8f73371e534a8c52fdce2ca6502324d7a0526659ef9918227d0cf7b25d
SHA512 93536eb5379a5e4735a526eda15a9bba8cb6f9d693179b88ccde7c47a906f598551de3a368a4ef78278b45454ae7fbef2f6d3164ece36cc3392a1f3b7bdd9bf7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{37FCC202-CD3F-4464-B54E-E8FDD5C1E91B}.FSD

MD5 78113eea24cd557d6a45e39f52f4fb97
SHA1 ea32e9d23dd4c9119cd111a7aad371ac4e21d8fd
SHA256 285f43fb79ff7f3350ab47390c9dde54c2a816f712ec5884683fde4ff8c901a8
SHA512 8f68e2421338df024c415c51d8be3c5729e58edc8fd1c4b1f25e371d2e34f57f715c250351f38e3eeff6a814d602e5639a9c7e9aae1b827a2bac25be1e467ef5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 c0346354fc75ef39f61cf239695c3360
SHA1 36944d2cca7e701f5e6f928f2bcd425e6ffb2c69
SHA256 370b44504054760ad8e7e13dd658317826c3b8c08bab8dd7f6893629ef88c315
SHA512 09f440f88a3e102bdd055287abf071cd40309feed907b9884509126a56b845c56e9b8ddc13fc7c07bb83f46ebeb12fde99f167bde90d48e14dd9aa6a8dff8f49

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 49b09ed076efa2f38c2b3fd2aeb2c925
SHA1 66646e0143266be702e9e31fb7ce6de3f2fc3724
SHA256 b9ce5aa004828447a1b7171017e850d83b4a129d6f3ea51d4ec2debe95aa1862
SHA512 dd4b1639d722eb6bcb28c5c5fdb0d1d5f0f2df4d113b5182e9fb1928368c303a44ac5687ac41e6c07a09e688a16a247dcc68e3ee24a3f83df687c02b0acf6d1c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 18:19

Reported

2024-06-26 18:21

Platform

win10v2004-20240508-en

Max time kernel

115s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp

Files
