Malware Analysis Report

2024-10-16 02:53

Sample ID 240627-b51amayfrq
Target 143cb1d36f1f16b09762b6847822d06f_JaffaCakes118
SHA256 e1c6a68a2ed3a1047ea46c2653c60bb1c111c7af5aebb0a67799b0e8b691fc56
Tags macro macro_on_action
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 e1c6a68a2ed3a1047ea46c2653c60bb1c111c7af5aebb0a67799b0e8b691fc56

Threat Level: Likely malicious

The file 143cb1d36f1f16b09762b6847822d06f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 01:44

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 01:44

Reported

2024-06-27 01:47

Platform

win7-20240508-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\TypeLib\{308B8D5F-47C5-4C77-AC32-83C75763C213}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{308B8D5F-47C5-4C77-AC32-83C75763C213}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\TypeLib\{308B8D5F-47C5-4C77-AC32-83C75763C213}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/2348-0-0x000000002FC41000-0x000000002FC42000-memory.dmp

memory/2348-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2348-2-0x000000007194D000-0x0000000071958000-memory.dmp

memory/2348-11-0x000000007194D000-0x0000000071958000-memory.dmp

memory/2348-61-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-62-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-109-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-136-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-122-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-108-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-107-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-106-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-105-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-104-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-103-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-102-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-101-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-100-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-99-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-98-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-97-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-96-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-95-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-94-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-93-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-85-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2348-76-0x0000000000550000-0x0000000000650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E128520A-CCA1-4DBB-88E1-BDF55C0A3138}

MD5 fcf7923236fc41eaddf0ebb7c4dd62af
SHA1 dfee63f5702e53f96554e13a87970799e4a34f2f
SHA256 7ce23172180a3134447882d35a7a58ce1d545a94277a24f2b02c1478fb16644d
SHA512 e977f2781302c8cc38c853312d7c87cc69723bb17b8ddc96d92d8b6aeb9103c8bf414e00514098b893e91b1de80386dee11eca23bf923890056883c7747fb444

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5DBF7A74-4ABC-4452-BA75-60F9EFC7CEF4}.FSD

MD5 ad5bd71d9c5d2a7c81956db5ba1740c2
SHA1 4ddcfa0a5cb5ead8754faf86c6380bbbc1239cef
SHA256 1d80189b425821d604c1606350005d76bdfa4881e3d782fb5a87acd4bb8b734d
SHA512 ba0c2f0583e9220b0d2ca1462f53e88a00e18db37f49665f2ad85e85e1940f5c5cbf81507e403be959918c52e513e6e3f2e8e56e5980de3cf6f7d68d450dbda6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 bb63b66417ac6da3ba1fdcb80c4a1810
SHA1 12b72795c40d193dce12ae0606cf4464bd5cf51e
SHA256 771988d5d036d8bf06e1ea1383555cb39f1a8a676f593d210771c5f0e632466e
SHA512 8e97cf9cce34eb3fb7559317f3b809ce6aafda5502ca6a4317a4ce22cd4c312a0877e40f31c78cab597d6ad0b8659be85bdd605729179f0e312bf06c8aa7412e

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FD29B94-A4B4-4A66-ADFF-5ABB35E423FE}.FSD

MD5 7c28ff4013253865ba31242229df47d6
SHA1 a01a9583d29c324a6ea125c15fb7c4d9822aa090
SHA256 f1d0549f4f850ac26b1cb725325c13bb4c0e6bcc853698ecab5eff3c72207be0
SHA512 5da0b29c08f153301a6b24f7950c81ee065439edea8aeced960c441fe6428f91da3ee59d8ae798c859aac0698fc984d402e179a4cd26aa79048c92cb29ae9514

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 fb6edd4dc81c508fe93d43f4a22ab79d
SHA1 d94df24adcb0d31eac87f600c652b000662c5d6f
SHA256 82633d05cba85f8ae06764dbf9244090a93b7c5b95df9ffd3043ab9dd7b406bf
SHA512 4c9f5f117f88065f07703ebf50c5d7149baab7a10aea79ad355db138dd08e10ae8ad980b34b30784b306c81673a4d8ab0b4b0ce0b3ce226dc16622eaf84ed5d0

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c1447314e13e56b0b74305a3dcb2dfc2
SHA1 24694d50438d55d3a043e951c886217b305e9c9a
SHA256 8527e1def2adad0c9382a863bfc44f8a3bfe54f5053b945d6c889b282e46c4cb
SHA512 8aaced438fe1ea7728873a1b98a8781308622cc8dd53681880d889f9f6e82f7299ce472336f0d54ce10da5d198507d169d7a2983ec69c6ba20cbfb52e3e6ad18

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 779f3675af1b7e2a7d43cbc259adc617
SHA1 ab9841b91e58c1727ea58672175758a58a229c28
SHA256 b3e272e43fec720d468a71146262858a27cda4a1b2d3076693cfd95377dddbd2
SHA512 6d426e7c743e68b0b8d418fc1f12ce400a522f26da29dbb8abc8172a36361c3a9c2d8aba51d02d8a7d61660ae73b5a4745578edeb142530906df2b9394ccba44

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 d847037c6965b3d9fd86b1a1a06be7a9
SHA1 d0f9107da7cfb5ae8b5bd1a8c85cc372d7bfc0fb
SHA256 dea01a7cdb88e6c77b0bd7d2d2b8008dd4890ae7ba551b9d83fc6f4d9955c793
SHA512 24be82b1868a12cbb4b09f217b441c0fc0600e214dd7dbd1e50ef15a0701f8e09c2d8008937d19c9c84cf682ab3bebc9e40ac3bc95dae1d9d54bff1e5f4a473b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 ce9bcaa57c255fca954aa8a875f2e26c
SHA1 48861a9f324c7cdfe81169a3c5eac13bfca19584
SHA256 4ddb10d7ceeabd1eb9b472d59e214e40af3bb59181d6f731614029ad0337dfc7
SHA512 c91f6050a8f1f5587cd36afb79b6331a149bc84a8da992e5196a6aa44d39d77c0d47a954260eda496986158dec084f9f347efa9c3951cd3ad609363c1516a4ca

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5DBF7A74-4ABC-4452-BA75-60F9EFC7CEF4}.FSD

MD5 1cdc94c926e83c7c67e6bbc79dc7d083
SHA1 2e42ab5feb5f7720b1a3f7f418467e8516f1d866
SHA256 db11e23d616dcb8c4bdfc9492a76b5dcdd70f669a0cc1cce252243f86e199def
SHA512 6522622b18883a318110a48c13553e514b9a3aada8f49656b525874dbdb31ba6c0d637c75ba75a3177b46d2f75b51f7e0084c04adc79220716dcac657bfc1f6b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 26e244d48976bbe8ea87e2ef2b0c168f
SHA1 f3c3f03a83f962069d14ee893bad4545f8c5a150
SHA256 b90c599fbfa071d7c5353415aef02bf88cf7d10657bcdebac2776c0ab1cdc63c
SHA512 e275e1d510e7be40eea264ebba68d644fbf3fe3d6612cf8c06873f106915ef2519c03522f479a6fd358c9d65408374a4acd2169cc60b9462d3b686da33b38983

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 289f0086eee08c0d4e8cc092217278c9
SHA1 4c361e71b36596146130b2f1c621a1a1bfd2c0b8
SHA256 fe58e1a8a4308f1d3ab2d8ad67beadb31df9df58f24a6496ff1ccf9aef90f58a
SHA512 73fa6a99b42dcffadc08e9e23a0a85829bbf13685a92dda7844e960a0dd9d4ad02d6e5c4550a895130924dbf8ef6623f335aa2f1cbdd6e15a8a0ebb58c2bf2a6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0FD29B94-A4B4-4A66-ADFF-5ABB35E423FE}.FSD

MD5 d6a4d30f60d39e5b12e830804aa9fdd6
SHA1 a5c8e255ad187dccbb9b85a794ee9d2ccf12e154
SHA256 528010de5f502eae4c1b6c93d4223015e9f6fba8f437997186cb28a51d1aa1a5
SHA512 7f8d08983ba7645e62f978ad771b725ae0fc757c74684dda1aa566ee4d8fb9f1cd332d0d22fe723408971e94d54fa85e1f5f2f59747141799651bbc56480953e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 01:44

Reported

2024-06-27 01:47

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\143cb1d36f1f16b09762b6847822d06f_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 88.221.83.210:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 210.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

memory/4760-0-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-2-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-3-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-1-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-4-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-5-0x00007FF8CDCED000-0x00007FF8CDCEE000-memory.dmp

memory/4760-6-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-7-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-9-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-10-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-13-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-14-0x00007FF88B8D0000-0x00007FF88B8E0000-memory.dmp

memory/4760-12-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-11-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-8-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-15-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-17-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-16-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-18-0x00007FF88B8D0000-0x00007FF88B8E0000-memory.dmp

memory/4760-20-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-21-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-19-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD7814.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/4760-515-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

memory/4760-570-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\58C39C7C-B0F8-4FDE-ACF3-56C9B4D274C9

MD5 3240a9d5aadfeb1ee8fc1afc74524c0c
SHA1 b5c7f35ac0db22f705226721b3ca3613edc5ed69
SHA256 baf76b3d065c963c4281b7d634757052afbc0fb627f94b750a2fe10a66d66fa4
SHA512 73b61839d0263b25d1c05b6dbb6e1ca808b766be1dbaff960d75afb0453a1cef424ba04a9cd2fd45a389b7a29d6aeb702716ca97a00e83f6bc179fb53ef409c7

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 7ab75981e00236f89dc9ef842132f0d9
SHA1 0971eb34cdd414a6690f742e99e99523c66f322a
SHA256 33790dd9b05e33b60ac3759c9ea978018e278ef8690a62e0358c2f4c26f963d4
SHA512 998649711c5ac39f33c49bbbddbf7f5e278bf461dffd1356d15ba27ef93ec1178d0cb95e77a00315e7979b9da32027f1962fc55e89c931eb0d9b6cf7f55865f2

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 43c08476973839b184d2060b5a753e27
SHA1 dd1fbfc929d2a98fe2acd5d27267b7fdf0109881
SHA256 ce49dbd8c0afa987d2459b2592a87f8a1f5383528ea663b32341dbdc4e1bdc3c
SHA512 db60644de05701d914e652c444f4dd2ba4ebf5d79cb44367ef18d5554b25f015a8517a4e654479e3c9d1fdedd3c9122981768aca7aebda0a3583c0574a597ba8

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 e7f663ce715a2b74c17a013567b05926
SHA1 2b281c8ca9e1832394d0561a7cd6217393141545
SHA256 26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b
SHA512 5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 f1efdd9e467bc4147aa82f7f58a9e99c
SHA1 6539184a260def0dc77f011de259ce74c0b28130
SHA256 8580d58f386e9829bbec83a8e79220c4e924bc18790c0047200d17d7ab0fe7d3
SHA512 fa5005fbfeddf0afa43e90a1d65dd64a573ce7c1b6a5e8da0292486120c23838ac6931d5fef609cd05f5a224445471a13023586f49473cea5b7bdb0378036c20

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 a225d425e3eeea21e2d4131de736a344
SHA1 20502242ac43af434a529f0bd4c6e75157771e27
SHA256 fcbbfa369fddf5f17a6652a17ac2b35b44ccff106817ae1f1d7247beb04e5e70
SHA512 6c101067382704cdf810b03a9e8c7de8abc3ae3e04cf77f9677f7e0e99e4ea126f7ff877b8e6f5f334c669c143c6a5dae32fa3f6827cafc73d5a41c0035be009

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 d413407200f7f8a5ab13824f68e9d7a1
SHA1 571ebc55231c1bf3a5718d36717890fb214a4a0a
SHA256 c73133f8d458483e95e84bf92effd8de0e909819c7616699e03603e761f8d1b1
SHA512 68f1fb7058b9239ae6851ec81f883d7df9726c203f5ac3b3391ac068d9eaec3d6ed7b642e8aca01a24140882cc3f576fbfef9abb23833133ff7d8dfa99ff2f20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 3626af421bb1aac0992125926ec9c1c2
SHA1 dac14eae3e3404fb206de0d8bfc08746740947c7
SHA256 b3505578612dade4139bedad8a820bb374c2cea02f880fcaadf5b09ec436b563
SHA512 a13f49f4d46dcce671c23b62fb42af7dd9fdd83ec0be903df30c64bbd5622d78588470dd653405e9f7c50565af135d337c3ec1a84ef933b929e096fa14133e34

memory/4992-1562-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4992-1565-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4992-1564-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4992-1563-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

memory/4760-1572-0x00007FF8CDC50000-0x00007FF8CDE45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 0d7bfd2a2e1d947dfd770a8cf382ea14
SHA1 e5a91a66cd6aec8eb4b89e58383c40216ec875d3
SHA256 098f5a9715bdd0fdfd569611f6d10049d56959d6a3851f5f83e5b878ce723ee8
SHA512 e881af231eef8807d877f82971dea24c06680458f3221bd91ed1364023601970c75b3ffcf2f3b6cdfa0d3487d85ceb4f7c4b094f9dd9f9f4d1e27c707f6f6c49

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 67f36f3c0ac40b3318b0241f929fe06b
SHA1 7b9aee92f248b674b974a8469fd0b0ddddf6243d
SHA256 59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2
SHA512 d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 eb9d64e4c594c186bd8be2eff5fdaf61
SHA1 2632b1a3a7e36bf62eebc805dc6d212469973268
SHA256 bdb225f4b020f49dd52610e1cd0422b7d36cc5376234a24d446fb4f28494db07
SHA512 5e67413b0d2fa5717dd9a3f9d2c6d613279cbaff9c19627be966b565bd61407d068f67171d84fa9b25462ad91f325a161d4484e085dcb4f4c2b1cfd9645a7254

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 8665de22b67e46648a5a147c1ed296ca
SHA1 b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256 b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512 bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 05294968d85a20054e7f20ad6f98e60e
SHA1 c1ace349d500bacc8446602cbd8ec69dc3b8a7ac
SHA256 c6f306d073c032ba7c2faa3acbfea8ea92dd71f1424585df9faa3381b07281a0
SHA512 d816ebd4bb7f99dabb35aabbf3eb47648912929c119e4cb850059a46bd4b4a80806a6944610a4c9a84220aa4fe8d3676234a5009c613e4c87888f810acac9d20

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 3969b9215b5ef4159424c2e806deb71c
SHA1 fcaa482c1ed3049275b17d54447e86841e0e51d0
SHA256 ae3d8e5527ee14cba250cb6361aea334977280f6f671d22591dbf6f55c33f633
SHA512 a9ea299868e08b2b36e5de9abdfed6b0af9fb650fd394135e83499c16abdac47971fce117361d222d5fe55cbf092877ce28498bebf4e9e5ae7eaf5442a58e55b