Malware Analysis Report

2025-01-22 19:15

Sample ID 240722-q8q9fs1hmj
Target 636f6078a1d2024721adf713f81c52cf_JaffaCakes118
SHA256 3f99c6ee677ffd76fec6a37ab65218f5684aa058ee3967141810ea0f006949c7
Tags macro macro_on_action
score 8/10

Analysis Overview

score 8/10

SHA256 3f99c6ee677ffd76fec6a37ab65218f5684aa058ee3967141810ea0f006949c7

Threat Level: Likely malicious

The file 636f6078a1d2024721adf713f81c52cf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-22 13:56

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-22 13:56
Reported 2024-07-22 14:08
Platform win7-20240708-en
Max time kernel 144s
Max time network 143s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\636f6078a1d2024721adf713f81c52cf_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?Hz1RBopyah7tAQSSGiu3vFp0rCL6E5bw:Zt204092 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?Hz1RBopyah7tAQSSGiu3vFp0rCL6E5bw:Zt204092 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?Hz1RBopyah7tAQSSGiu3vFp0rCL6E5bw:Zt204092 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4D5DF94-1747-487B-815A-1957EA588266}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\TypeLib\{B4D5DF94-1747-487B-815A-1957EA588266}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\636f6078a1d2024721adf713f81c52cf_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\{1B05B5CA-E5B4-4C8A-A410-E7B9C77A83D9}

MD5 ba05e1244e316e3de0b4bc4d7b0cbfcd
SHA1 5826d561e673b59a80869e36c003fea4b23e4b5d
SHA256 d8e5bb554d843a30c25af7927006408206df2357613d529a426dd7f79eb94f96
SHA512 b0e916a419e4e5be075ac7be8d38062bc59908f7ab66b5ecc13c5ed868a02468aae512cfb0ba8482a5ca2fdf8cdc189fef2127d245a9b82d3b6010e43a61cfa8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7D63FDA9-C759-4E25-9F6E-1E58F5FD8CD0}.FSD

MD5 2d9c5e9f77b5773da3ecac4cfcc15e9e
SHA1 18679078e7198678a6678fcdc94d93acd257ad89
SHA256 7ca81d5c9caa128c5f13ee0ad49614b56d8c228ed73712fd63932802f558933d
SHA512 5fc5992802e50e04519368ca56ebbe3ac56bca9d8a9e5dd656ed15e35352beb6021cda8a0ec4f0f7d7d8254262fa195ce33a0970a41745a3d496065f3509d248

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 baf575a0265383293a0d3880a0ea1944
SHA1 f0db8d85f9730d49b8d1e1265ec716b43dc0384d
SHA256 df8b3a563ad518381815025574b5eaecd7f2581aff7e28de4db48e49fdf0cfc3
SHA512 ef1102250ca0dcaafa4c0e640ae469f53f19d75c902db471b576b0a068ac1f7abb37dbfee68537f919bbe5693a79dcbd2d647de23b5c0fdbafbe3d7c6705fa49

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{033E0CAF-486D-424A-8BFA-08E586646913}.FSD

MD5 24e9d2ad92e6ffe11c35188181d7a52b
SHA1 be2383d474e869b974a9862b3464eccb430f9e45
SHA256 a193789f8a766749913e8b9b4b4c026a9c4ffa3574863b9861ae3de62d3e6886
SHA512 b95388c3fe92053b2e21a2a849e1c7e0ed1516a0c6255627d34ca19948a8f1adfd48fb4d69a48e483bfcb53863cc570e40b48fd6dfd3a81ff326eedfa9342126

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 3c20fb8a42a750676e1406361e89e163
SHA1 411c3e7252a321d0218f5ebfbe3ae1343d0b6a96
SHA256 9a58f64dc27720534742277f342598eb9b7595f4b2f9f68823bf722724d0cde8
SHA512 cd96f6ee00ff4229d41fba72b20386a86db2ac5309070a02984cc8e8e6a4b09353ddb4a96b23ba461bfcaf7aa7ac6040ce1c5141dd0f22e88f888c9d6fcc8884

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 b15569c60841828cfadf09d136907277
SHA1 cc539c36227e1f397c8a8240aa0a459846214a42
SHA256 5df1470a6c20ab34a5a8c5e249f9e301bae20dc9fea16aa6699709c01c8fc20b
SHA512 c2afe7c8dc9881e61032977d363683900dae89e200b840d53af7b54cec2c1326f49c3c88eddc7ed1e09770876ed329817dc905a8c660683c0e56b495e93222b0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 0a71e9f46d0de937534f1ec10fd60b65
SHA1 ff54e965c597388dd48f45c28a043f2c164ee89b
SHA256 67955b5c6351843a3d6ac01d73cfdc96066bcf070e987d416cc275ded216be28
SHA512 c8a1b12e69abbbaf8847095208675d4f2a85dd1e5ae558dd361dc4804f6645f4368d7f025d6e6cfded0f8c391af7325959806d90d564d1146f447c3548c7630a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 909aef1fa6db41749af7dede6275e27a
SHA1 f6df19b9b3731f787ad443b8c32ae0feff2c8e32
SHA256 ac127a1ade30986dd2400402186a44a3db7458f5009f6da7a49f824baad7a218
SHA512 c8e66b451b6adf96ad8d2563c4bfa0a28ceaca24c8005ed0df3b47c67e252ae0f213a7bc88550ac8bd8d4ca1035579a57a425ad4a7e5ff009283d16e3ac15aa7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7D63FDA9-C759-4E25-9F6E-1E58F5FD8CD0}.FSD

MD5 1277b041102cb10c1ece40c6f38b54e7
SHA1 20d8c93e6179d0acd64c5d610ba6d02110d239cb
SHA256 5dadff99253d3c9feddaa2396c44e1ee7ade4ac7b54a2ff06873ec1cec2d4448
SHA512 cb52fac52112e42be9d6b8d89760d9b950da43118a7e737787b9fe184484cad7d31982f069aa43970aa6ea958273cbd0e39d07fce9d502310000c307d4109c8d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 85a46d13128e1c48db84d9a3b32169c6
SHA1 7341ea91fde08aab2f6e9227e0512185999e40f4
SHA256 22b5626375c51be51584d63492c6c31f02e8d6b44b56fc3dd70d7e2880ee8cac
SHA512 8e3ab7a7f6e640c4733314adef3ff9bed7d819567c2ad92a15e5da7d89841ff07a8b1c6c2ee67a079099abea8b108eac98c1c11c989cafbc3043c99200144d21

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{033E0CAF-486D-424A-8BFA-08E586646913}.FSD

MD5 83848ee9fae0e40f5ec8baddd17da6fc
SHA1 657dc1134df92ad953a380104b0501a1819126bd
SHA256 70f6bdfe9f55070c85d460cb90e5f9490375dee5b58e4a32dde861f54da89a14
SHA512 ef39b006941243fb0c3ba9feb9a278aae3bab9d30d659d76e1e22fe36a2c29081d519bf45496f7073f3338b6cef8314275bc02c9a8b4b4b33493ed89559d25e5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 07b02d8313f2e6ad953d24f181d2ca49
SHA1 d19c2b58102069f1c14b9fe84c8acfb79fabce0d
SHA256 435e70f6f1b99fa01d8536b5e47887d651c05e327f996ca22404bb34423193a8
SHA512 165921b17f4bdf51b230fdb3a07787cac71f0a3248332b52fbef5067095a33a0f8015cb330a2accc9acf28c25cd94c7d420f8065fbc3fd9ca4e8402335b52467

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-22 13:56
Reported 2024-07-22 14:12
Platform win10v2004-20240709-en
Max time kernel 145s
Max time network 126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\636f6078a1d2024721adf713f81c52cf_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\636f6078a1d2024721adf713f81c52cf_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.40.43.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 123.43.40.23.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 40.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
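Almost every row in the Network table above is Office 365 background traffic (roaming settings, the template CDN, a Bing image fetch) or reverse-DNS noise from the sandbox. The one domain that does not fit that baseline is kholoq.com, which appears twice as a DNS query to 8.8.8.8 and never as a TCP session; that pattern is consistent with, though not proof of, the host not resolving at detonation time, so nothing was fetched from it in this run. The following Python is an added example for this page, not tooling from the sandbox vendor: it parses rows in the report's own "Country Destination Domain Proto" layout, drops PTR lookups, counts DNS versus TCP contacts per domain, and flags anything outside an assumed Office baseline. The allowlist and the embedded sample rows (copied from the table above) are assumptions to replace with your own clean-detonation baseline.

```python
"""Triage a sandbox report's Network table: separate Office/Windows
background traffic from domains that need a closer look.

Added example, not code from the sandbox vendor. The allowlist and the
sample rows are assumptions constructed from this report's Network table.
"""
from collections import defaultdict

# Constructed sample: rows copied from the report, in its own layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.40.43.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 kholoq.com udp
"""

# Assumed baseline: suffixes Office 365 contacts on its own when a document
# is opened. Extend it from your own clean detonations, not from malware runs.
BENIGN_SUFFIXES = (
    ".officeapps.live.com",
    ".cdn.office.net",
    ".bing.net",
    ".microsoft.com",
)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header line or blank
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_reverse_lookup(domain):
    """PTR queries are sandbox/Office noise, not outbound contacts."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def is_baseline(domain):
    return any(domain.endswith(s) for s in BENIGN_SUFFIXES)


def triage(text):
    """Return (per-domain summary, flagged domains, DNS-only domains).

    A domain is flagged when it falls outside the assumed baseline. Domains
    seen only as DNS queries, with no TCP session following, are listed
    separately: that pattern fits a dead or sinkholed host at detonation
    time rather than a completed download.
    """
    summary = defaultdict(lambda: {"dns": 0, "tcp": 0, "ips": set()})
    for r in parse_rows(text):
        if is_reverse_lookup(r["domain"]):
            continue
        entry = summary[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            entry["dns"] += 1
        else:
            entry["tcp"] += 1
            entry["ips"].add(r["ip"])
    flagged = sorted(d for d in summary if not is_baseline(d))
    dns_only = sorted(d for d, e in summary.items() if e["dns"] and not e["tcp"])
    return summary, flagged, dns_only


if __name__ == "__main__":
    summary, flagged, dns_only = triage(SAMPLE_ROWS)
    for d in flagged:
        e = summary[d]
        print(f"REVIEW {d}: dns={e['dns']} tcp={e['tcp']} ips={sorted(e['ips'])}")
    print("dns-only (queried, never connected):", dns_only)
```

Run against the rows above, the only flagged domain is kholoq.com, and it is also the only DNS-only one; the Microsoft CDN and roaming hosts each show a resolved IP and at least one TCP session. Treat a DNS-only result as "payload not observed in this run", not as "harmless": re-detonate with the domain resolvable, or inspect the document's external relationships statically, before closing the case.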

Files

memory/3892-0-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/3892-1-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/3892-2-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/3892-3-0x00007FFF03B8D000-0x00007FFF03B8E000-memory.dmp

memory/3892-4-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/3892-6-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-5-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-10-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-11-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-9-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-8-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-7-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/3892-14-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-13-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-12-0x00007FFEC1B10000-0x00007FFEC1B20000-memory.dmp

memory/3892-18-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-19-0x00007FFEC1B10000-0x00007FFEC1B20000-memory.dmp

memory/3892-17-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-16-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-15-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ab56e2acef13fcbebf9260e1e6b51055
SHA1 0fa357f9a5fdedc7860b5818bd9acbb878d66044
SHA256 920a9f83ff5a0138f39d102bb39d4bf2478716c982b188c4253bbd84c0cf7a1b
SHA512 13f2bf2b1df9f94be91b6679a1e7e1582db908243b1d79cb9bdf0d9b7f08b92a6e789b4af4f7ec09a77309b5c824fa188ac87b6ee452430b4e65bed0db806846

C:\Users\Admin\AppData\Local\Temp\TCDD641.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3892-173-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

memory/3892-228-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5642F61D-C0D7-4CB0-A2FA-DE5D1B17D9B8

MD5 15ecdb85e7a06303b85f300788004863
SHA1 863d52da35e88a1cb4652e0a293c8aed253f6eb9
SHA256 32d4a2222954b5c34d3c204c2f6f3b175627f0479bf6c19b3917ac076ced14ef
SHA512 98e3d609709f57316bfb42745e1cb6bede6d667f1f54a00c95f2fa646940471b2a82d8dac09501bc7250d944ceed5eb144e99d03861a70ba15f41f54cc396e87

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 aa6f702694e416df03ca2ea63c5ac0fd
SHA1 adc5d02683e2f4a80a8d801c51561c0987874ac1
SHA256 e9fc43e949758594a670ee95d36e750869e2794a48378afc6495bfe282ada017
SHA512 6f001e08195a1801aa35c16256666eaf87c396f9e7e57bdd56230f1918830f14e541e4206f2cfb6df5c6ad43d8ce4cb84fd2d3ae389982ffbb0c9a09c49b55de

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 fee381e26ca6b241ee2b27825e602883
SHA1 d59f4a50f23ebf3ee575d298c0d39343c9e6c716
SHA256 2d06c6350614ab6a8aac2441a67e74c17fa296d51d7ca04737ba176e9ef971da
SHA512 967faccfb04bc2a51e79e7e7440e1eece72c9bdea993fc7d49f36ef18312292626002b79dc1d1a3ecb36e7610d80981b3c1d7e44e98077673ae8cc4e46510f3b

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 874e05073239ce46fb73138f72a0b502
SHA1 6c5cfb40cc141c26048fd1c06986983e21db47b0
SHA256 18200fdb493faadfd4016b59a77bd873212d3a12f6b01d01087c59e78b3ce0ed
SHA512 4650990457be788c226295023f4778a119777ee9716556a09f48f63238dcac72f9501776432cdb94f81de766414252f53c3006aae258e97199577baedbe68a58

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 5c6b4b9b9db4de740c8eb5fb54993281
SHA1 ae8a2940529dad4245e985ddbf950e62a30eaf86
SHA256 8dfa5608b5aeefcd75e44bfa2a6d32f69ed12c233733dcef16c80747ac01d8f8
SHA512 d3eb3eb4c9f9dac5aeabdee561243c5ffa2012383f4c35fa52e02f93f8d919a44def7273357b14d16422a50927f53acc18f8e8b988ff0507876f234de49a7184

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 34dfcd0d12bc535b370ab1250d6f438e
SHA1 c1ca475106d50e25290b60146385cb885e594b05
SHA256 5184a08f4f3b23aa153ccbb31cc2d6d14496b89d97124b954dea3549eba7b2cd
SHA512 19e7404d76e188b4560f6361eacf56c172a15718136bfc51f43e5e63b6b3644fa4d30bd97b63467806235361d62b97ca339299e4ce964e248e64e31f43c3b42c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 29490ec23820f0934e3de71017a07731
SHA1 bacbbbb744c015e6f81ff6fd808d9de362528f9e
SHA256 e0ee1c22bb86ebbee136938e1a3a48d52c68b3eab1902e9566fd999c42414c61
SHA512 d9a79cd0148e9256da74e8cc50244dab59f0c3c847827aef888b7397c5bc4c39cb4e9536b0c5692d8cc85155cfcc490716e68622f89dbeef1cbae56484674f8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

MD5 a5d6343612912799e60c9e4869afef41
SHA1 ac4e6808d0a2069310dcaa1b647da6d77ab8e34d
SHA256 1961f6883136fe0dde34a8ed4a2b7d979d40598dbf2318cd7a61e4a3cf9bc998
SHA512 98a91c7333d1e072b74bdd0377bdde43472d56d59da040a2e04e1d123aa38fd2b437d8278b13c8aceb008d01e657e3dd73a5b8d57df749205ee9a6abad5a8543

memory/776-1212-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/776-1215-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/776-1214-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

memory/776-1213-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 c5b4306ed360e87bb07fabc6663b8b05
SHA1 8bf1191c5f64ac0bb0fd7b5e541368f68417d689
SHA256 aa4a5afb89c33781267b8abbd57bdceed212a8d58ef0d11ea7a40f02d949a90c
SHA512 67d1d63d368c7c3313675720a1ccea42c78ef1ac62eb14472c65d635b722c30e4fd59ad2d631807a3d0286b03122aecb1dae47cb0087dd3999f3f6de1b115067

memory/3892-1272-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 edc5bbd89d21bff468e2b1bc6a6cad11
SHA1 b5a3588cc1c3274357eefae826f9de1876e4def4
SHA256 7c8ecd6695962fe29434fae9505f932f5f4b94196045cf6535566180ac50e0af
SHA512 57c5fb3a4bfbef6c6a9e2c1a8e3c00debec585c2e86857206c7f3ebd349b2436b9d9d6a6032ee0dc76cee44243766e4399cce9d0884abd2e47efb2b799d415f4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 fb49ed879c40b87257faaa5fba4af451
SHA1 864fd0857445563a730b5386741f2f5a2cabaf30
SHA256 f5379e53d7cbe58004b75cbe4b5e49b81efd0a294aada222295aa9a122494a85
SHA512 9ddc65624eef2c5dfe51eb982743d190e553bdca1e958529581e92b256f97475988b48e728f56c6dcc3d0f68eab9de515827dc3038c55b72d35def79a8e1c62b

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e