Malware Analysis Report

2025-01-22 19:14

Sample ID: 240720-cmz3kssanm
Target: 5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118
SHA256: 9a5cd220bc500c3f057874d4bb6458c6ea1bac973b1c54c022b3eaff523cfa51
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10
SHA256: 9a5cd220bc500c3f057874d4bb6458c6ea1bac973b1c54c022b3eaff523cfa51
Threat Level: Likely malicious

The file 5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-20 02:12

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-20 02:12
Reported: 2024-07-20 02:14
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?EW5jrXS3BvznoBUnXP5fU15gLkFoIdfc:ga651977 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?EW5jrXS3BvznoBUnXP5fU15gLkFoIdfc:ga651977 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\14.0\Common | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?EW5jrXS3BvznoBUnXP5fU15gLkFoIdfc:ga651977 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1BD311E7-90CD-4459-88DF-09FAB5F77AFC}\2.0\ = "Microsoft Forms 2.0 Object Library" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{1BD311E7-90CD-4459-88DF-09FAB5F77AFC}\2.0\0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1BD311E7-90CD-4459-88DF-09FAB5F77AFC}\2.0\0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1BD311E7-90CD-4459-88DF-09FAB5F77AFC}\2.0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | intellimagi.com | udp

Files

memory/2956-0-0x000000002F611000-0x000000002F612000-memory.dmp

memory/2956-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2956-2-0x000000007197D000-0x0000000071988000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2956-11-0x000000007197D000-0x0000000071988000-memory.dmp

memory/2956-14-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-15-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-60-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-77-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-63-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-62-0x000000000FEA0000-0x000000000FFA0000-memory.dmp

memory/2956-61-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-58-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-57-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-55-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-53-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-52-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-50-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-49-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-47-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-46-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-44-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-43-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-32-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-27-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-22-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-21-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-20-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-19-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-18-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-17-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-16-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-59-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-56-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-54-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-51-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-48-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-45-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-42-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-41-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-40-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-39-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-38-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-37-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-36-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-35-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-34-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-33-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-31-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-30-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-29-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-28-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-26-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-24-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-25-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-23-0x0000000000330000-0x0000000000430000-memory.dmp

memory/2956-13-0x0000000000330000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 1f343268c9ac08bcf3f4b5b946d3d73e
SHA1 8875b17898878dd42dfd229732af6ace4aa46670
SHA256 e26f101ccb082e17b2e0183e5fe65764efafe14500a16e0e3a34d4168a365b4c
SHA512 11c3797cd0f26af17a8e4b4c3f938ba96c8910205b55b6e8426cdac48247f05087a35c876798926af08124b8f87921ec1e9b6ca3f7f40658644fa8b79eef973e

C:\Users\Admin\AppData\Local\Temp\{A8340934-1E5A-44A9-8515-8C1C33EC0BA9}

MD5 32fbc15a5bcfb5e60caa4dc8852b6008
SHA1 369402424da4e44674c9864595848a640caca77e
SHA256 06a45cbe0285b532d2a94f0c84581bd6b25c33f13e3acbc3ae0bccab8247a096
SHA512 1cf65ccfd2a4a0c8908e5bd92282ff32b3b7026956fa69f57cb5e319e769da931fe1ff4ed414c8eda781dd0d616be75d50c49e85adcbc03116656aa69aa45128

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BB84E471-37FF-42CD-AB50-98A05074D3BA}.FSD

MD5 c701d438bf86499e717a57a38bcab106
SHA1 8197a263b03b93336f80fb1a1b4e99d1f2509032
SHA256 a01ce5d8b9c59aa60bc4f3147cfcf1947c2966c0c84df8847c19d78cc35aeac9
SHA512 f88a2a92da419349205bc628191ff6fedb9c6fd65ef4be11b7cd0c33b741a488879dd100a173025ffe9390d6a748d5fb77297f6640050688e3cab2eb6030cb58

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 53034690656ed06e11d2250ce92f8b17
SHA1 27f26c3f4f5aa9d70b66aad22c77ab5db51d9f60
SHA256 b9d06a01b32b6d9f74758ddab7d6fcb2873919e3d7c26a3a92f5ed48d107c792
SHA512 45a7755805c31443034ccba43003ee51560c27945300d7f4753f0af6fdd3072f693d91169a7a28a94903b7053730eb68a5e7e5345f87ee62ccace25456dbd5d6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{524F01B0-35D9-4319-A0F7-F4D8365A1AD6}.FSD

MD5 ef616aae19577db6b59356a71f23f919
SHA1 e0e8932f37b98ce2c3076d03c87103f20d2dcd54
SHA256 23d8819f7b2a99c5131b3ef26c8ce7fd42fd4e3a00e69a5d669c2e8ce9c31a16
SHA512 31b0a639f530eb6574e5c1dc4d119a7465215df65a0084ea51eabb668e6adc0c35014dc5a4bfb6d0f75bd7795110dd965cb43d7321b8fafd266661e1f91742cf

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 6011f5937b782f8741e54f21f2bcfcdf
SHA1 502fd9535ea679ad20ac6a524a481d39bea676d4
SHA256 3c1ee09c9816a8a0ef7df31d831aa9c74cc585af026dc708167c3e789684356e
SHA512 df9b2cad17bb89d79f419eb6f1d4ac57baaf4564a689663698019c9c5f237f75ad1c1c307fbeaf674389b4c70877bee5809ffaec225a9d68a3e6baefc02f685f

memory/2956-1029-0x0000000000330000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 500ebd89b8d33d6d3cf905ebf7179fa2
SHA1 0eb4e13c9063a9697101747f0020c22fddf867de
SHA256 157b93bcdb4dab9b84f4191b31d786c01647c6b7241356208a97994666838a51
SHA512 fe65592834e1209e6631b65acd90f015c84c74d0e47fb21e154bccc0b13510a5f6725c62e76136db6b62650a73da733b3e111bc683a073a5dd811e61b6cf6694

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BB84E471-37FF-42CD-AB50-98A05074D3BA}.FSD

MD5 5846bd148c023de67f9792ed5aa175d8
SHA1 d5917e71518aa645a3327ea1501d0d3429d0bb96
SHA256 5b3c28afd4e5efa7d1b32cfaa1216f10d186646396b80b5a156b48cfdbe91543
SHA512 1a52318cb4dcf9e7fdf22ec014ee257435e8fd547f3315f444c62617140d267188332889d89ba35325e57705f018ea5b6792f03ba16e515b9650f3b65a3d9d58

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 6eb10c1a9db7e032aae293966db279c1
SHA1 f7db515eb171b42344713ad02da794cecfd28086
SHA256 ffbc520b52ff3811310f97e2be7573ae52a49da50d09f8d82a914bf352ee26c9
SHA512 eba424f68df5827bb7a115af041961a4b13d03a58a9eadb957bb337f437439080fbdb16d13222db8328c9e1897c1d129e8c352e857cb5dabbb97b9c8d7dc46d8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 7a44b22a65a0492a1c4818ad17ad99b8
SHA1 08a037fc41e6f025e8c75eb1b9dfae4339f5e16e
SHA256 179bb66f8a9b9e897828fccea1d240ca97d5098939ce49eefa24bfd6e6909904
SHA512 3024b38f2f2f4a3fa47746c484b2784d6e8b178a8da07c73490d3b97058edc3ae72b26edb9ccdfaac90dcbbaa7c0d53df8a73b93f6f368e1f5eaedba3d295ed7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-20 02:12
Reported: 2024-07-20 02:14
Platform: win10v2004-20240709-en
Max time kernel: 136s
Max time network: 126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ea3fff3efdbfb8f0e89ccffcd4476d9_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network


Files
