Malware Analysis Report

2025-03-15 07:56

Sample ID 240809-z9jqfateke
Target 8399e08136df96746755d74b69a06ab5_JaffaCakes118
SHA256 33bd02324ce55f7de9bef28ad9fac4c1a35d2cfc21798d09db15926e9880b988
Tags
discovery macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

33bd02324ce55f7de9bef28ad9fac4c1a35d2cfc21798d09db15926e9880b988

Threat Level: Likely malicious

The file 8399e08136df96746755d74b69a06ab5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery macro macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 21:24

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 21:24

Reported

2024-08-09 21:27

Platform

win7-20240705-en

Max time kernel

144s

Max time network

137s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8399e08136df96746755d74b69a06ab5_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?fIExJIhmcZDRIZDy6VZf9VzDVE6L42h5:Gd691170 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?fIExJIhmcZDRIZDy6VZf9VzDVE6L42h5:Gd691170 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?fIExJIhmcZDRIZDy6VZf9VzDVE6L42h5:Gd691170 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib\{269224D0-0F84-438C-9CB9-B4F8BA3919AE}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{269224D0-0F84-438C-9CB9-B4F8BA3919AE}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\TypeLib\{269224D0-0F84-438C-9CB9-B4F8BA3919AE}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{269224D0-0F84-438C-9CB9-B4F8BA3919AE}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8399e08136df96746755d74b69a06ab5_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

memory/1708-0-0x000000002FC01000-0x000000002FC02000-memory.dmp

memory/1708-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1708-2-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1708-11-0x0000000070ABD000-0x0000000070AC8000-memory.dmp

memory/1708-62-0x0000000010590000-0x0000000010690000-memory.dmp

memory/1708-61-0x0000000000720000-0x0000000000820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{0DE5C960-BEB2-4040-BC35-3B88E83F1BCC}

MD5 08797360c54c6f6a8116eb179c6256fc
SHA1 bacb83f4cf327644374f2b4cc9ad33ddfecb014f
SHA256 b2bc0c5bf388707203480fe2644f6ca9929cb60050453bfec01865153af2ed4a
SHA512 9cc639f596a539bdee81bfafb8a6e93a85e4c06d3bb3cf5e2d7f90a0b58ae68f31c26c1c88d33835aaca03a66b9b31916ba2a06c97e48921e170d81e66e73dd9

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{84B4E9B3-FB67-4A36-893B-FE198F2A68F5}.FSD

MD5 5483cea2db901ed396404b6980705265
SHA1 a8ce16f846933266e021706074aa96ef1e369e1e
SHA256 ac5338656eb6601f62a2830ed81c165ab61f2d5f0074c19fbdf3a5c7bad2c3a7
SHA512 e99f75fc477e2641dcb5597ca77fde7752754014b8dde257363e25b34bb80873496524e996a9589cf4b65e02e4dc19bf629ea26115e75a5517a7af18fbfd0e1c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 e87ac555046b842c352647470963417c
SHA1 18455358f9a4548ca879199b62e0ca0f96dcfc8b
SHA256 205e080b57b6de78f4b4f64dd01a57b04c63283572b280e083cbaff1fda6b736
SHA512 4d33274a3ebe50ddc3f4438300520fb653215de204fa4258e3611dba0ffeaaac5f08b18402ce5ebb3185969d5adbc2f8a4776922caddd55aa370ddc658d01b28

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9A9965BF-1D2A-49B9-85C1-EFC1FDD5892E}.FSD

MD5 67ae38bd8fc6f911522b63d9b885e4bb
SHA1 e4286a2b687548b596374c9f8c74ce7c20dba69f
SHA256 f0dc3211a9ec7642b8c40abdec9c3792807019c404970c64a2c8ff6a22c24456
SHA512 fb9150552d4c4c872d8bd9e4b54388646983a7593e1761d3fdf9e40addf842882196aafc1684a5f533e3b7aae176215f2c9089fb5697c8aed8cf6deaf4d57c96

memory/1952-1015-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 cf7dc81a4ed5dc696b54852f363d9cfd
SHA1 6065fe643a9cd4b088d14000759522cd52705356
SHA256 b86e42aa8f470684705192b7f9058d04c173267c1a5f68f3c90e510cd015f989
SHA512 4ddd1a6acf0773735d931bd09e9c96b9a3b74e18fdd9e7058980db46eb675a91fc858eac45b881bc710c94bde0a7e850089ddf024b3186d71d54857969201979

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 aaeb054d8e5a696b781e0931b2bae627
SHA1 5eb983fcfd619c9049744ef84f5f3bdc93c1693a
SHA256 342906e763cb758b5e3ee5efe79c438f0a90529ea65668c858f6f6997ec3585d
SHA512 6f4b06347f3aace5812c3f28cd4ce1e2ab82e996ed5a3c0ea720ed6539ba647d76e9717947615d1e7fb63d06c261420718fe9b231489b13c33c508d17ab7ade7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 07822fb9ff03a077fd721b1aef95c6f3
SHA1 6e0c7246d52ac015b67c656d96404ae6027e5ef5
SHA256 6f748407177ea3b4e2bbd30b089f0fe4b8dd10d97cc4500e3fb7d3cab9d79f4d
SHA512 e46215c5e9da8e2bc744262f7c1516e2f66b628e90753ff03576295f06eb3bdfa40540833351f5c53ca405ba5a20bc414ce94ba83059d092174e7678114dc801

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{84B4E9B3-FB67-4A36-893B-FE198F2A68F5}.FSD

MD5 7806b264614144d12e1f835673ae8628
SHA1 02716bed592fd36cde1e59db7476aa6ef2a3df47
SHA256 1aaae1ccf4cace0466262b6ab449e917835beb2cbeb87188d53d177516257e0d
SHA512 fe8950f93614caea9c1581199e7ff6080f99a05c2f1babe58c74f4514f17d0ea9ca13f6313269e6c1d732a8701b8c8db7f2681b176a16e6b146e7e79cc894b64

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 44b815fb67ed9a59ac1a4164005df7ee
SHA1 71f7e4cf391090c1606d481e887e391c27aeb06a
SHA256 464178602c68d98c23f86100962d51868f6cda641346c65b36d6484d9e582a8e
SHA512 74ea3bed93383aa4129a1267b0a512ee110162ffeecb6fca325bb04c6efd265ff0afdcd0477371c324ade7caac74b6285aa42d8d2ed33e58021c37b3845cee2b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 a039024b4e618b34e6b566b5784dcf5f
SHA1 cfe2c82f4a72b27aa75be47d20be9ac6dcd50556
SHA256 0b2e9034a46ead152f35bd51beffd4e71675ee4bd94cdb539c47c71bbd67df38
SHA512 194c338436653cf97dcb3c3384d6868bb238523b6b9965c1dec7662ff0c4c6ba481e79146decbcfd6cb66bfbffbf2337f9521f3698bf9f235c06dc227525818b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 5a69a36548c12222b93547d967a38651
SHA1 e2662a9affb84ceab31b7aa7f990cd7e9d0962fc
SHA256 cb18f0ff56a55a1c22442255a45da4c0b9bc8e9f7b7f75861caceaec1bb20ce6
SHA512 ccdbdcd493cdb08f51e25d45b0a12b9a0bc35517666b6398eb31b360a9047597b8ba1628629b08cc54cf39d80112d45e65efba752f6d9fb628dc2eb1ff78fec8

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 21:24

Reported

2024-08-09 21:27

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8399e08136df96746755d74b69a06ab5_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8399e08136df96746755d74b69a06ab5_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 39.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 173.222.211.224:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 224.211.222.173.in-addr.arpa udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/2912-1-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/2912-3-0x00007FFCEF9CD000-0x00007FFCEF9CE000-memory.dmp

memory/2912-2-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/2912-4-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/2912-5-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/2912-9-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-8-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-7-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-6-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-0-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/2912-12-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-11-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-10-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-14-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-15-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-16-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-13-0x00007FFCAD370000-0x00007FFCAD380000-memory.dmp

memory/2912-19-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-18-0x00007FFCAD370000-0x00007FFCAD380000-memory.dmp

memory/2912-20-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-22-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-23-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-21-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-17-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/2912-55-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-56-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

memory/2912-57-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/2912-589-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3F9277E0-1349-4BD1-A198-129BFCDB3586

MD5 fbd31a3939421fbfc64ac7c69a8c17e7
SHA1 60b2bdb12813428fc0d978a16b0fc274928360c4
SHA256 22fc486c1565b2cecfe4345a7da4d444158754f6fc020e74892c42190d681b8a
SHA512 3b0df2e7e516e3cedf5a35cf48439655d31bcedc7aabf744b74d552b73d4bc39800cf19e4f94bfc0bb98da1e2dff2091bf63b4eebcbe9c2446fd3578407f8fab

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 0d9d86a417ddd4093a85cc01a5972830
SHA1 e10265420d66bd667d5e30c62ce147fe41b41d07
SHA256 1054f9fff70fa8d90639bd8a7aa868e96663a7b25382d31161807bd0cf0f40a2
SHA512 af7a098a2f508f6f8e3c7bb41eed7300a5414b04c66ae04778b8160b22045479b7e7d6715bdf4d6d4955cbe2e65a38bec148abd57ebd59d6c3d544515e94f15c

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 e564792776d3ad4e979bb6495bb6aa57
SHA1 1b34015c4de4b14f6bac75ec79cf643979a5dd4e
SHA256 891a2fe6dd8f2aba543789baa477639e3ec06fcf2ab342fe8728c0879d7bf2f7
SHA512 440377be55d69247f713487fb94dcc9b9db3154b7f3169ed4c4e26dfd54903f0e41aacb31cf3c71e48fd472ffbc11708e15b3919393f00dbe6a0d8ba5e7e8817

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 299790eb4da891c0cad926473bdea5f7
SHA1 dacbd07b42d91a20ba9bfcdee5cdd75ce15644da
SHA256 6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9
SHA512 3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 0ea61b058a5ac289ee1c3c6cf3562d3b
SHA1 5ec334d927aba3a213f8a6c8ffdc2b32b1fb3c70
SHA256 b2498d2019cb254e4ee5b0f7e48c505d51c02764718e8517e1aac411c51e2060
SHA512 e391f2c7414bca982bc47f882622fe7969d75ed42117055550c8b9f2fad5fdf2ede5066cb45c1c82ebb321f787cf0ae9bab4c6573778d90642e3aa03ed6cb092

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 2d43ff6f63be131eb306f7643669ee18
SHA1 dd4348404926c4900571071fa9cd5ab9526bee6b
SHA256 5ecc687ee5bef9dc40643f6e392946e4d3b27380b3b61686a841e6ad238a7ea5
SHA512 dfc290b2df90efe16ec279f28223ed8e53fc4648b226a4a6fffd2444802c839ac81e66f48341f60141cacb94be1148a46facf06507729acb4e9366d05613df67

memory/4728-1573-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/4728-1572-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/4728-1575-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

memory/4728-1574-0x00007FFCAF9B0000-0x00007FFCAF9C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2912-1584-0x00007FFCEF930000-0x00007FFCEFB25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 e7cb2975fd2ea6b63146845e6ba9ff70
SHA1 c980e3a799174bf4e328c7c672fad5de4438ff8b
SHA256 4dd2cb36bf22fc462100b7718aca63c56b08d09cfe96bc5589a0a981edcbbf88
SHA512 7838d81ee27c407d5f152a242a64b6525b880b1c081ee45ad0c25a14d6be6b88096d0df16a5fabd5987b79605c391221b4238409608f7d04755e571d4adf04da

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1c0d4e4f1d82d7bce8f78e553f41a509
SHA1 f5c1be3c36837f9dd46696d9c834e6e2988bc049
SHA256 fe33502989999d737a66c400e3fccd19795a9a7592726c0a60ff83e6dfaa607d
SHA512 8d1cab2e17eac006126c354d16d386a4704dac1a47022bfddad2d4d6316b4fa9c7c0449af2d9acddce5766f57504ea0ccd30b0cc59c5a4d6a186ec422d32bd19

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 76d9f778ec5c773b83f6182dd60c70de
SHA1 c53f91a1b632d09a2adedc710bc1695141d4d05c
SHA256 2bd7b69ce7f521a2428c71d30cfdde17cd1676291c448994e3e73d39aa2cfa9e
SHA512 3429f42eebae57e11139c3ddf41956bccdf80b98987fd83de8aadf773c7223a697c961046421f50d541744d8b515939c70596d41c97d323b9eeac927da870fc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 e531567acf604fa1e9d9b8667a8f74c8
SHA1 4188dd9336616e684c107a8efcb19774a2a88943
SHA256 543665a0e6ef9c6fc073139cf7ef2e7e27b0cd4590cf5bdd41ff6f6307675e77
SHA512 58cc26e79eacc74a44d43efd04f00d85610a1cf66af7b11b72b55a474ec2c4149b64d30e03c5505b48fa9d45fc81968344077963bca4d631a70e7f089de9f04c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 aac530e96069d808cdf09f37b2e3dcff
SHA1 c7f542d3e3ad9f6aa3b533e0969a507fc180b7ea
SHA256 b1d2ba6b373e71d095cf4418a3d2a27cf453e3a865aa28802fdf4ba265208c2b
SHA512 b5f1b848e92987b4b19efe8674eee12367a16da3fab89a6d8d26b1434bde5bfd9452e70a52739a655769e5f3967dc5c71b669d042f97229bd43816398931bef7

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 941b9f2fcb286a3c3c04b894baac15ab
SHA1 56470866e6e84b5adc21414f8e4e011c85380530
SHA256 f9cb9dc8bc940987fb200b42cc6a13e04ea921720ce61e83cce8e243dd281438
SHA512 ef1a51001d59b32129f3331a3734e8bed4cc32a00d39bf0dfdc6643d4dd05bb628956128fc6e9112eea5e6a98dd690f6987f2043c8903866db26bd675efca7df

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4