Malware Analysis Report

2025-01-22 19:13

Sample ID 240720-d2zwssvanl
Target 5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118
SHA256 109203053483af3098e14e8c3b9b67d6e6adee8f0cbb3c3b74fcf22be0fc2a7e
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

109203053483af3098e14e8c3b9b67d6e6adee8f0cbb3c3b74fcf22be0fc2a7e

Threat Level: Likely malicious

The file 5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 03:30

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 03:30

Reported

2024-07-20 03:33

Platform

win7-20240704-en

Max time kernel

144s

Max time network

137s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?TBvsTLT5UK4QLr3WuLr0V97HQmpfvg6U:lc94460 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?TBvsTLT5UK4QLr3WuLr0V97HQmpfvg6U:lc94460 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?TBvsTLT5UK4QLr3WuLr0V97HQmpfvg6U:lc94460 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{F1A96537-4BB6-4A9C-A702-A556F1A58C21}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1A96537-4BB6-4A9C-A702-A556F1A58C21}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 intellimagi.com udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2152-2-0x000000007122D000-0x0000000071238000-memory.dmp

memory/2152-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2152-0-0x000000002FD01000-0x000000002FD02000-memory.dmp

memory/2152-18-0x000000007122D000-0x0000000071238000-memory.dmp

memory/2152-24-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-49-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-23-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-22-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-21-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-20-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-66-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-84-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-70-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-69-0x000000000FF50000-0x0000000010050000-memory.dmp

memory/2152-68-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-67-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-65-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-64-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-63-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-62-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-61-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-60-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-59-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-58-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-57-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-56-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-55-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-54-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-53-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-52-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-51-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-50-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-48-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-47-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-46-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-45-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-44-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-43-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-42-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-41-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-40-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-39-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-38-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-37-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-36-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-35-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-34-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-33-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-32-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-31-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-30-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-29-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-28-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-27-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-26-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2152-25-0x0000000000650000-0x0000000000750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{13427FA2-7A98-4C77-9609-792CD9EDDAB9}

MD5 82e631b8ed6af6b58ffb5cc307f403b2
SHA1 a4a17e09401acd6ee430b9b8b0d5a8b1fb39aff9
SHA256 27f0fdb29e3a2cd9873f56cca25ed7b6c7ec04a346ac51603ea5365d23c64a68
SHA512 d9472023ff06db644f6f046cd8ac4abedfdfd9919c844dc01277dbefa505b317223b9478f90d35da7d0a503d3a1d07134b71d8277993be7e286a9fa3d7275415

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BC6A9D64-DAF6-43CE-9520-834EF31E3E99}.FSD

MD5 8a686c81a76cf205a2f9fac1070cf430
SHA1 fd5d7e97056569d82803ab14466743e541d3fd67
SHA256 505a01b49ba22287af9dc9fee7ff05465ca9e0f21933f6c4e704169fee50c45f
SHA512 6f140a6d026f48a7e33d3b7efc917fee5508f9a3b079c97c5e4868190cb6edef0c4ca6cf58b8ae62474f44cae406ef8761f4b9adbcd8e4ab06ab5d0650bd1d02

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 f36789726461e69dea73959799fec99b
SHA1 8cfa0d7182ca4021a770289b0db37c391cf80be7
SHA256 f3f14850141c5be9df0a868014b3667477929ef2acebaf7f8613b8c00976ad03
SHA512 4d936056523e66a33c736c41075d3e5a7dd5fe51d22275ad76b48e542543fe51ef47cdb37d4c6cd42cfb3ea4b09c2522f50f869d3c29a6fce355d0c432029e4f

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e4cd4e1e0d9d83c5c2ce57ba25abf464
SHA1 4a61dc1e86238610ff97247c1fd443b47b028e72
SHA256 481688aaa9ed51dc9d9f520223cd529fd9f2ddc4cbac51ac9bf942080c341e14
SHA512 43f055f29310c41936c6338b61249926347ad6b3ab92c3f4ed6ee25b767bf3f8d9c3817fcd7340edeb5cad873f55fbd2c16dc1890e88671b5f32cf7ad6382f17

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 b245d83f6d22332e4ce5f453536378a2
SHA1 4a0fa6832de859f522ba858d8df7a2db52ebbd6e
SHA256 f400c34d60c2b0e5f7018f75b28e4d3eab3c545df7e183f90647ccd78991fd55
SHA512 306f171e180a65b3e8e0cd679f9c901482429f3444f00fe2f5e36a902ea192fe7d56009c55930a617600748eb8c6bdaa17effe438b384e2b88e9c23f0278277a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BC6A9D64-DAF6-43CE-9520-834EF31E3E99}.FSD

MD5 9a83b4e616041d7766b8709fcf1f5089
SHA1 a33b221fa459563e4b50414f66b8de081e84405c
SHA256 524088311140f51d428871f0c9528edcb46aac3ba718bde3a5149c0b27328437
SHA512 927031e2d7d3126e430b27c803adba8dd46bd63c50fc0bbf16ab233aa627fd320df84c1ec520a3f75be2ab8f60f772474820d4b74277fd9244e915628501debb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 7cf7495ec236c0b9d36c54f12d6dade4
SHA1 4a5eeb0c8172cb0c387e2386cb2ffff4fc942e20
SHA256 30bac3c1b36e24ad4bb5e50707b82c622ddfdf393b2bc643b6769fada569c943
SHA512 3b2b613d1126643e0362b0170fa7610605a0a3d5ea3977991825f0ea3f55c5f0022d8f7b821a073aa42180cbeb9ddb1b3acafa5be20553d53aa5f9e496ab8dac

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 cf344ed05ebbf38ac5aaaf0be051373b
SHA1 083a4ce84fa62b9f7d0645335c6b8caf9ba73aec
SHA256 0bc49e9fefe5300f7edc30ceead264f88673eb4f8d4282d25891ec9b71581a98
SHA512 ae5eee38436cca52f1c4df1f85869fa5a0e622b395f59f8399977906559b0890dd207126d6e4d2046684a73040ac25d18f1083fef073463351626ff222b56e0a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{18926F0E-286F-4D5F-9F89-1F11B3C8E764}.FSD

MD5 dd2f2af8b473cff2e6023d22a5ec1457
SHA1 c73973ce334475688bf09094c204bd1f91eb9078
SHA256 ac58f4478c48c46a646e908c49c9d7abb0b2e91f349386792147d021f67a2e84
SHA512 f63f17d85133e3b9b93131cfdf2675dbac78ec02e4962b919e162151e22409232b336af90e31fe07ff01630c2136d11ab37b96f3be4081b8f863d180916a06d7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 fd1fc69b717f9a274ae4f99f4b6e83e7
SHA1 a0acbcd4091a0b43b2796633b6f49fc954327e66
SHA256 02ca6c7e98836776c66fa90e2bae4d184963fb537c3e523f20d190df5c7b0207
SHA512 a483b9fa82ad183d54c8537505910eca8cc10362c3bd999c785caa4d8689ef034891d99c2ad5ce5801735f2f3a90f40e62ffb9302c5628ccce1f19780c34dd28

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 37a947936d2c8de749d927a1b8b2fa29
SHA1 61e473612f1022a7b5ee5f14e6a7829701960773
SHA256 cccf78c47aa57a9449d0b02b7bf9fd050826070839eb022d89664d12fae4ceb8
SHA512 e7ef57714c0a06097a4b3e32f85b46aed6731f3a61f62fe46a552a5e865b4b153f1f54e77091610c1c54bf7d0480c983944edc01b8ab30fcd3afa5b7bcea81b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 03:30

Reported

2024-07-20 03:33

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ede685836aa2a4396814c2a0b6ac4ae_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 123.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/2500-0-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/2500-1-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/2500-2-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/2500-3-0x00007FF98AB8D000-0x00007FF98AB8E000-memory.dmp

memory/2500-4-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/2500-8-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-7-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-11-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-10-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-12-0x00007FF948890000-0x00007FF9488A0000-memory.dmp

memory/2500-15-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-14-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-16-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-13-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-9-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-6-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-5-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/2500-17-0x00007FF948890000-0x00007FF9488A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCDDFD7.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/2500-526-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

memory/2500-581-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2C0C88F8-0D6D-4082-9A71-F64858E7FB4C

MD5 21028af0ce1da82f12773966a0a897b5
SHA1 42ea2bd6d38cbcd30ebc8ff6653fc887b211250b
SHA256 3cba19b575b3cb767b6cff379067df75dca88b305e72e1287461927a5175b219
SHA512 c166606a18bc169204f33f2d1272542edf205388da1476be9bc78c754571db8747257e8cc0c53bfc82b13c32907384263a4c1ceacf1b943c6fd0f9376276f839

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 f52e586f9fb71a0f674a57c875f3580a
SHA1 b631c02d1d307181c355fdb5b33d9d5d7663ccd3
SHA256 dcee358156d0ee705266666f294a4507c3349966fb2251a002d3c7c436648d6b
SHA512 c2e0f8ea19ad40d9e2f3e919038a31af9dada6d45ff99aec29553c96e5636abe95938139e6e0040cce47a67448ebd706c7ae818007166778a42c628faf326f74

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 2badc178f1e01ed59f8dc093f42201e4
SHA1 15584fc11b24dd464a0e606440e54a7ceda5aace
SHA256 cd04a37b30903075234a88e243f416fb6dffb893ec7339a664c1b59e62060c3a
SHA512 9f6cc685380dc318e00cf6df0ccd2c834eed082e9adc6dfcca6e44f51ef5847ae832e2229d357726ec85cfc8e8e26d23188d7e751fab6eb0eb66a43d31718035

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 edc5bbd89d21bff468e2b1bc6a6cad11
SHA1 b5a3588cc1c3274357eefae826f9de1876e4def4
SHA256 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
SHA512 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 93a08a35ad5c3199948291bb48a8491b
SHA1 e80301a6ff34aab8b59f04179a1ba9e3b94fed1e
SHA256 028dab339921a5c80fb7a3fdf3b7f6fdd2bf6db76493a95a12912868ac7d1f52
SHA512 8e9a6fc3eb5bd0913b073267afb07cc4f0b199390c02e2aae9a7ad51e29e7348df096d961592c65cb6cc6636895ae3ecc8f127f61e4eb3b382bd34296bb75e0e

memory/1560-1561-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/1560-1560-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/1560-1559-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

memory/1560-1558-0x00007FF94AB70000-0x00007FF94AB80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 8255fd3bb06e2a508b446ad8c8ee8fff
SHA1 b308bf70aae7703ee9dd0927a2a3686010054a30
SHA256 3874bcba92b60a47d5738864d76d22b877b9bf3f46dd862f95db1f0fbe816b1b
SHA512 86053ce0432df960c7b8ed7f67f6dd2c86eb5c23007c833bbf352cee0d3ff65154e872068fe824538564d4beeec603d6a48d8beae6561364777322aac5451670

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 9c1e11bc00bcdef7cbc254f4ccd486db
SHA1 01d1a52a223c615407c9f318088fa4274d20cdf3
SHA256 66b930c3bada51e0003e655c70b56b171cdb0f288c581a0e032a4448dd70fe1c
SHA512 ba8e2d7b855088f68df74345a26f68b4453f7abe502b72116aad7061db420c54e2214b15b772942e86264a92165cb7b97d3170b5b0832f781640038b72d9343a

memory/2500-1585-0x00007FF98AAF0000-0x00007FF98ACE5000-memory.dmp