Malware Analysis Report

2025-01-22 19:14

Sample ID: 240720-c2rpraserj
Target: 5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118
SHA256: 9d6d4e372548b2cbe262d846573ae87e853294ba248f4527ba83bdc5c0c340e9
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 9d6d4e372548b2cbe262d846573ae87e853294ba248f4527ba83bdc5c0c340e9

Threat Level: Likely malicious

The file 5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 02:34

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 02:34

Reported

2024-07-20 02:37

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Ip0SUU0CcpF6RN2S4a1sAq5pb7o3cOib:QX951464 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A (4 identical events)
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\14.0\Common | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A (4 identical events)

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{8294D257-585E-458F-BF14-8E8A2F97241C}\2.0\FLAGS | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{8294D257-585E-458F-BF14-8E8A2F97241C}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{8294D257-585E-458F-BF14-8E8A2F97241C}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8294D257-585E-458F-BF14-8E8A2F97241C}\2.0\HELPDIR | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A (2 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A (3 identical events)

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | intellimagi.com | udp

Files

memory/2152-0-0x000000002F791000-0x000000002F792000-memory.dmp

memory/2152-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2152-2-0x000000007122D000-0x0000000071238000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2152-18-0x000000007122D000-0x0000000071238000-memory.dmp

memory/2152-68-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/2152-69-0x000000000FC80000-0x000000000FD80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{4B814856-4F18-4EFC-9802-1B81D694FB96}

MD5 80a4e37aee27c73a19f46a2c5dfd2527
SHA1 476fe297aff2f5e7b299f782a501dbade1b33083
SHA256 100920a6503e415fa727994b1eef0b2b9ebe2915423d69763675b96a86ebd75e
SHA512 072b9435550b5d78f3edf88ec54738fa7fdf222d8eaed1194aca572d10786cc73eb11489ee1023487248d6d4877ef3e6a667a2478853860ce13aed3a876c64f2

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 da6591b362f55d5cf69545203f5baedd
SHA1 ce82ff572bc09158be9c727b67c10528fd77969b
SHA256 b98e76e7b80242a9660cf71c5b407b4744713801e266190d2584ef8b6800da6d
SHA512 d3b0297b46e109f02a634b8bd0888fa34412324cee72e552342266af8d855ef61fbcf4f8260de632789454ec3b951d9c2b5ad1deca1cb427a056745042d3e3c7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39E1A2C9-5414-4574-B090-41B2027A602F}.FSD

MD5 14db386e858bc07eb41f06b1c50f506d
SHA1 6fdbfefc6a8f4ddf96069622b7bab49b1a7f3f34
SHA256 92f2085b611de57084e3a498694339386d79aa56b4884a289facebdd75faa179
SHA512 fd14abe053c4615dc79009a2127acf6cf9a63e196a02035d85e4137d7b68eb01711d740912b5ee1849cbda1ea46febf05424eebbe49276207da6d38fad94f5f6

memory/2124-1032-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 d2b4e7cf3c58e0621995ed008b22df3b
SHA1 48ba87a81fcf95b65406e95493cec4bbc0226011
SHA256 79c5ee899ed4bbe16708777fd6c7d4328840b137c72b1142c28dfbc60b19f4dc
SHA512 77fd27a33c353f663df6fc7660e326d983431549fda0f3b6fb588efc5fa332c7da8bd062357476b3b5fc3f84dbfe1e05307809ff2def6a5fd03e3eacf6301444

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 bc32ffdbfdb313a129be6a1ba8f1bf5f
SHA1 ad6ba816380ae22f1e79b620bb5b520d269ff2d7
SHA256 0d97e05630e0cd12dde34ee4d4365f1b2b6c1d9cd8bbd2997fcf31c2bcbde1d6
SHA512 8d2e5056aed01813b6ac142a71f25c11661bf47088151a121ced279670a3d094aa037cc2424b9f09a671140c3d9eaafe28e1aca7d89f6e54885b5fdae63cdba0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 a2b800b1c7fc06992ac077a06355a5a4
SHA1 93060dd063cc5d3f235d17d9abb686d17f246a3f
SHA256 bc1e0b7f3794b1d811e8a0b43b46cf1cf296920fdb2e93dc6c08e68b9f45b9c1
SHA512 69a9380bb4885216dc0c9693ab8b86a9503d71c0f7676bb2c835edbfbeef7bf0cac85ed3074e038308c9c88dd776bfafcb8f3dd3a96026eb92e0e9beb24bdf8f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8F01BF05-2B09-4334-9B3F-93AD87A213AF}.FSD

MD5 45dfe2de665b857763226394985a6937
SHA1 934cfae7a1d512be3d72064107e57290bfd541aa
SHA256 efc093653006e5d171b20d47b0cf02c61e769aa9753ca9752bd4b451cc11d939
SHA512 b95f328201a18dcb39f1c03810a2641a9d33f30c1907c005a80e222c93736efd097f1820ff1f0e10a5cb9f65c3f0217bbf837eba6c524f8239e2983304cd983b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 f2bd28a45aef96c17aa0105ae90c723e
SHA1 17e534014b3e21dff9d32c3f249d58a0febaa31b
SHA256 3ecc84a14923f4d33923cf719cf3646f1c43942e40f8829c764d276ee0e15f14
SHA512 0ca9083fb967d2d56027cd329a32749e82ecffd323315d3f926980fa48e5a86a3912d240e5543a9af5c26e82a6bca1b1d1577e3c3f28b3223fbf0d23caaa27fd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{39E1A2C9-5414-4574-B090-41B2027A602F}.FSD

MD5 a9e0b3c826552bfa4cccf34b77f651eb
SHA1 664558b3395cb59a62a14c02f482fc124454feb6
SHA256 6346dd5c5ea4322892df358eb4c1a34b1414eaaa6a8cbe8911ef83d346d41095
SHA512 0a2d74141a90d8c179940ed26ca0ed895d8ed42cecf710027e9480e63ed351e801092339d36652d9de2a91e519d4542a6e1d2830cd1bfdb73036a442538598eb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 66fcec3b10457f5018d152361ba3ef7c
SHA1 52faa59c778c75e809576d698513a56796fd6341
SHA256 37ac033c7b5b163e981a4475b43d9c3c9e453c5818253c361e3883a281beb154
SHA512 5d5a56cc74d89b0b59efef0e291d3d13da4d5db97ad866fc5ca8df07a571954165152f6401266fb7ec2657750cca5540b068abbe6c1e261277b3b4d44dbfff49

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 02:34

Reported

2024-07-20 02:37

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (2 identical events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (3 identical events)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A (17 identical events)
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A (12 identical events)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5eb3980d9d0200b15cb17c7ddfb84c24_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto

Files
