Malware Analysis Report

2025-01-22 19:12

Sample ID 240721-pht2zssfmr
Target 6090ceb96f089edc6bc5111a5559befa_JaffaCakes118
SHA256 fd2b37a0e8c81dc41571e7ddd41d9a5cb5febdc537c4b04c0bc062e54d589cdc
Tags
macro macro_on_action
score
8/10

Analysis Overview

score
8/10

SHA256

fd2b37a0e8c81dc41571e7ddd41d9a5cb5febdc537c4b04c0bc062e54d589cdc

Threat Level: Likely malicious

The file 6090ceb96f089edc6bc5111a5559befa_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 12:20

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 12:20

Reported

2024-07-21 12:22

Platform

win7-20240704-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6090ceb96f089edc6bc5111a5559befa_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?KWusr7DMjhSjanVR6tYTAhmZP5dAwHPH:ne222780 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?KWusr7DMjhSjanVR6tYTAhmZP5dAwHPH:ne222780 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?KWusr7DMjhSjanVR6tYTAhmZP5dAwHPH:ne222780 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C84A51DD-3519-4D6B-B493-F64F43B8103D}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C84A51DD-3519-4D6B-B493-F64F43B8103D}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{C84A51DD-3519-4D6B-B493-F64F43B8103D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{C84A51DD-3519-4D6B-B493-F64F43B8103D}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6090ceb96f089edc6bc5111a5559befa_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 intellimagi.com udp

Files

C:\Users\Admin\AppData\Local\Temp\{33491AD7-49BD-4AC8-8B40-79718BB391A7}

MD5 384b32ebf54e56c4bf4379a7ee64575e
SHA1 7777d302ccbce5ebc96344604974313bed20133d
SHA256 7a1848e42d4c0647ef57542530482146018aea7bb08c167c4623c9a088c31e8c
SHA512 7ab504731f8429afea5a7c676f106757d8460c83867e7a49cdf8a0981c5f908e3abfa97146d714929ee74908ca88ef2afd6caf8af3e43694256db882da6a0c80

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 eb6d29a89cb58da80abd2b7865c7af92
SHA1 96154de8c7307797d49e0d301dcf323d92e31f83
SHA256 c35e593b49586b81a495720f0a2bc5a5a9e086124bdf0d0ddf6e83a54960eb38
SHA512 8a50e738a77debec2e2050203000a50da2815face2083dc763c7aad497b298d60b7c2a25fde067d51db8f7c6b44fb80f0503eae1c4921cdd710dd1f42ca0cc27

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 30cc129600a9a60366a9f1789f2e9959
SHA1 cafb1327894e2133133261e60bd2b6ea8a7a0a29
SHA256 8f33bf8b12507191fc6c316f4901ef57f1fbb561fa7bcafa8401436e457812f5
SHA512 880d301a87dc1352ad20a836cc18c1b24f311579ef42df440b233acdfe3bd6b35b15147736a2a88ba75a0dfa166d12f7ee610cd614b4a63d8fb14c295c6565fd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{909A6783-C7F7-4A6F-B373-171B141F8FC8}.FSD

MD5 9f13c2d3c6bc1bee45c89486b2ceac3b
SHA1 99634b9412da608081d62e895dfb11894eeed54b
SHA256 b083aa87bc42d888584ac5186fb712400df86e8a6cf1eab97d8c6e3a0b1b7c1a
SHA512 09ce0eed28f8fcd4eea6d4737cf03120845d61cd0187c63fd0c9317e434cb59e4203ced3e09078c2b22ae915ae4f09063881fb87886808c221859453ec04f265

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 be1b55aef7b358bd54532991030d79da
SHA1 946858d80c53854951aa9e141e8175b0766e7d77
SHA256 20650ab02b0406f41289b7a095ee668ed8852f47d76e9f00496f198f2e7ef395
SHA512 a83e83dc017e743594657067299e9272d4a4e10faec18a6ebccb56552e81a06aa7fd7445cf4ca9433ef798e517bbc551a1fdd4853d5a2a38c0a9a49e7419ff08

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 811261c41623e0cd2bd2e6c4641f3172
SHA1 5bb02ca85fcbd53eeec8930b818ca57dc681fa5d
SHA256 c08badd53800038d0167aac947f6507e6ccfef09e5d0b72ef30e4e9511116110
SHA512 5e862120efee0692ebb62bd3e0d9a4a3efb8d8f6f046952b3fb33dd51d0665a7405e13c5f10c1644728e58bc22f994660430c93813821c62722c12505443ef18

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 47b903a0026e4134cf8a3bcaf51e3c1d
SHA1 dfa1475da6d1783850ef50a13f9fddaddbaead43
SHA256 6cb44f552c4adcbd38a4e7bd07af8972f901ced8e87dea00f4762447b80ff490
SHA512 82ce85c5167b1235b38106c242370433b8c91f8533385e5129e59d1c58a31224e1961760a1adbeb17a48d5c5ec2ef27dc9de006d2d5a46a8f5fb1e9f7eeb7b6d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7B98F4A2-BBEC-4039-BFFC-6AB9A422D18A}.FSD

MD5 930920fffb00bc508c8f3a45d6a14059
SHA1 5fc9b4eeff85e29a32401a3134ca3f9890481894
SHA256 37255dc3c600730d2c2aac1e60d3ac24cbd5cc93264c03482aaf1595d8cb42c2
SHA512 7ccc40cb3b14c8bdb4c003f488828fc13f9d64a12001e1fe2603348a6ff83336b9d072548a4084ce58fc7e0be553e9bb5c22bf024909f0c861675b76d2b1f632

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 5043e3ee86f1f277ca8f26417fb0cdd6
SHA1 7e96567c7faca17580bd64536255229ac55873be
SHA256 f133bf32a6239a0ab3050be8cbc3206d464058f761bc392d9372ece3710fcc15
SHA512 b246be0f284a9800ba328a319e06f9cfe00c0e4a149a25d63ee73eb561413df79fe4443eaddf2dafebe325516036f55b431bc01da30ed93ea3d38f72775aec41

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 788727e07c253740f71c17b198e4f2c0
SHA1 f3f16488b5c65a0ca790d0f972402d14fb8bebc7
SHA256 3ba45a1945622a860de1648e81c48feda74ee543e3bd5afe9751716d48512a01
SHA512 497db0a722c4e6230f20a4d5614b630c13fb6b411489720521f3ea8cae57c93541b5476b33718d835b41994a2e853b5d02edd316b851163a57abce49889bd763

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 12:20

Reported

2024-07-21 12:22

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6090ceb96f089edc6bc5111a5559befa_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6090ceb96f089edc6bc5111a5559befa_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Files
