Malware Analysis Report

2025-01-22 19:16

Sample ID 240722-rdpyksscjm
Target 63767790f09695f28f137a3ee83e398d_JaffaCakes118
SHA256 6472356dc365403e276bf05da4524beee88b67f1095615f04792c8d6d7715f8b
Tags macro, macro_on_action
Score 8/10

Analysis Overview

Score 8/10

SHA256 6472356dc365403e276bf05da4524beee88b67f1095615f04792c8d6d7715f8b

Threat Level: Likely malicious

The file 63767790f09695f28f137a3ee83e398d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 14:04

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 14:04

Reported

2024-07-22 14:17

Platform

win7-20240704-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63767790f09695f28f137a3ee83e398d_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\14.0\Common C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?00p8mUiu2WaxXQwQx9L8FQwRvWrkgqKt:4v385743 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?00p8mUiu2WaxXQwQx9L8FQwRvWrkgqKt:4v385743 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA34110D-C508-42DC-9684-7F8864F837E9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA34110D-C508-42DC-9684-7F8864F837E9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{AA34110D-C508-42DC-9684-7F8864F837E9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63767790f09695f28f137a3ee83e398d_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c819b43aff0183290ae935a4ba5f852e
SHA1 97cef24e66efd0571528437feb85fa3a8c2b9c33
SHA256 9d6a669071428d14f77474a4e1c148744b872807e21ab49fb4e159f9670402e5
SHA512 10fcc2608358b460b8012b2ef7557134fff3ea1591f5a61e05262a3b4fe1ac8b103417d5ee07a85f4ea89f11580c28bf110c74d748b48fcb6882847cf1bbefc0

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 b54c70ef3f71d7a50db2a8a79e649664
SHA1 f16225aa89da53936876952432bfe53e99957580
SHA256 00ab3fa1c3cb3b684b88b13c6c7a6e785c48f7e00ba746b8f2797591641231fd
SHA512 9c97d4e6facb78bbbc3a08042dcdb157f3071773ec46e772fddbfc8b3a20c89e0b26b2367a9d6c2b7e35bf78d4a87cd8efbc34bd8c2ad70ceac05b858644a058

C:\Users\Admin\AppData\Local\Temp\{679605A9-D4C5-4E8D-80D3-8955E45E39B3}

MD5 86e6feb43243589a032e4b9438c0b77e
SHA1 c4b9f1acd533c7bac506e5910bd0f7c387cdd197
SHA256 1c39332bc387a33a6dd6688a098b55a814581dd6a85972491b9ea9948c6db7f6
SHA512 a76ca03ee540dac6193535dfb598b574f89a5d86cd81ec60ff46e8c6412bdccc0475d449930b13ba9fad0dbcba0cc7454e68baeab3a110b55fb8d8d5668c397a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 ec96726c42af4d9a282247b84f9e0668
SHA1 6c5a29ccba6db8436035ff7c827966b70607d0a6
SHA256 98578907df6851e35be7ec50059d4c40a489f675ab88a2c8afc99f40ca58133d
SHA512 e40566f6bd8f5df111f6e1a6702eee2b68ce054f3abf8b9db995e7838ac989a06eb0806abcc22c287b5c3ea91c3c141e1f1c7d77ee5e210d1192f05b064af414

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D8AE804C-F1CA-4483-8AAA-47FB1F175422}.FSD

MD5 a1d731e320bed42e68455e5711b94679
SHA1 40dab106e78ed865a1b30d5161bfaa3e304c4c3f
SHA256 f39fd61e588e60bd4ab188c282a34bc8aec18d9998f0781114082fead2f11c05
SHA512 4baf6268fa528c3518caa7ecbe2684af88f8d22c2d623ba7adca208ac1df9b7c039e01b7284f56803bc657939aabad36de2ab7c0f167910a99ba5d7962393841

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BC561B70-5F07-4B9C-B818-CD43B5B62C7D}.FSD

MD5 724c4d58b914983252d5fdaf8804aa6d
SHA1 ea345a8cceec2d065e5ea37e8b4b9b1ea909de21
SHA256 62e78680b95ef68178b4072cb1ecd8a955166e7d5e40436d16d3ab8e48b00219
SHA512 2b84c70d8991b9255c774a721f8c23c638da2d6e6e0d30dcf3d5fbba24781e9af894452c8578966afb59fb08d2042b634ec74e4dee04e752c0fe4f8a2842509c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 b501aaa7fd0621a6ae2989939399790f
SHA1 0335016a706ac0f52c49f3eb31f4fe39234d6ae0
SHA256 86f9cae7fb3a48cb3f4ed40b10453dd2a4be4efd2c2b450191279115c626f4dc
SHA512 f57b3adf00af2f51c8893d863228a4c760d2116f5327fd82c98ef99a170592722135643a696d8d07aa6a375c3ad591e8f7146e931835bdf5c52fe60a99c1ac06

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D8AE804C-F1CA-4483-8AAA-47FB1F175422}.FSD

MD5 10040ec18d0ad08e1107daf9bf362106
SHA1 34096d3dbf317c45dc9911ca4f105b37a792d6f4
SHA256 e3a022533a4933588dfb23501ade24e67a8cee3a39c125e03419cb69d636bed1
SHA512 086a530b4618a3d2dd551a387e3c71471b616fe324be2fcf6f701c90b5eec2dd8a0b85616d189731c24ad53943ca81071d64ca46680cd4e5a9ed44734ac74f9c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 a9ae9c4b11518f1ec6f01b9a93a5e753
SHA1 4bf76bb1bb314a5eabe27239984cee319919b6a8
SHA256 a0c085c7ace1239b8f4f5cfc1cb3b417b80a45d01e59ed02ff1c10bf8a8c1053
SHA512 e9f83ccbffa5deb600fe64520aabe89a8f0598b6f53683ff6a335157bc5997dc76e7b72d2461eb0dddf89165efd078f747cae6e8db37410c7082f70c67e9bc45

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 8e509f76ee0c8d85a49fac410619ecfd
SHA1 d7488dd6e42fe61653848a27e25e67afc5a59de7
SHA256 68095173a1dc3a8891347de7782bd41b6d1a3675d34b4e7ffbe63ecbf6f2a0eb
SHA512 f90df5859441eb094513da7987c0e31f122c08d006e26f35c73b2c40f4a647127c7f8254c723a9eba9784b6174e685cdda2ecf6cdc68507215e79a3ae12c6da0

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 14:04

Reported

2024-07-22 14:20

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

129s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63767790f09695f28f137a3ee83e398d_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63767790f09695f28f137a3ee83e398d_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network


Files
