Malware Analysis Report

2025-03-15 07:56

Sample ID 240810-dzmhpaxgjc
Target 84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118
SHA256 34bcd6a66c63bf63f3d08da5b998c26ad107a3874694283d9ef548e3d554c2e7
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

34bcd6a66c63bf63f3d08da5b998c26ad107a3874694283d9ef548e3d554c2e7

Threat Level: Likely malicious

The file 84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 03:26

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 03:26

Reported

2024-08-10 03:29

Platform

win7-20240708-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?GpUxpK03G7G3QolzXDL7I0SnyCe0EBmC:rh885004 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?GpUxpK03G7G3QolzXDL7I0SnyCe0EBmC:rh885004 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?GpUxpK03G7G3QolzXDL7I0SnyCe0EBmC:rh885004 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F58E4B6-6B05-4A04-9AF6-7FE22010605B}\2.0\FLAGS C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F58E4B6-6B05-4A04-9AF6-7FE22010605B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{9F58E4B6-6B05-4A04-9AF6-7FE22010605B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

memory/2180-0-0x000000002F721000-0x000000002F722000-memory.dmp

memory/2180-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2180-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

memory/2180-9-0x0000000071A7D000-0x0000000071A88000-memory.dmp

memory/2180-59-0x0000000004DB0000-0x0000000004EB0000-memory.dmp

memory/2180-60-0x000000000EF90000-0x000000000F090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{6376431A-6611-47D9-A98F-A2D1A6C86D32}

MD5 bee8568afb25d37086d754e9b1ad77a9
SHA1 6de27659da4ffe75b3ac39c3f59371805613752c
SHA256 b7711ab985dfcc7bc1ec0e998543ff1f2b9180f24c2871e2ab79821278aeb9e7
SHA512 52f4e160fa872a61c65a6a8f998ddbb40a5a16241f402ea082fef592be2e1fdbf39fb8a30e4fc276e6336555ea47c9c6e74b247e9192d7d2149d13bbe217da3b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DCD085D3-9E4E-4901-A2A2-8EF39F068ECB}.FSD

MD5 d51d3119c6484400b7bd460dd40afd97
SHA1 8adb0cb7e2ae367eb4fb8d7fc9a1fde2f7a543f0
SHA256 79a37806bd0a74d49e21ce746cf4ac988985347e6345ed674d0eef051c02140b
SHA512 9c6b33dfbb42b966f0c308acf706816807db8a873a1d62c0ca9e69b4930703f49ec09591f05b15739374f00ea89642081160c25a042371f72ca737f5bdd2a5a3

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 0be17d90d1ca6acf6533fb0b8e73c555
SHA1 9c8e66f47fb82a833539e74a192c8e21250b52be
SHA256 1a222971dbe8ed2865f7a658e3a757e42a44a281ad2c28b9c316498eb642d431
SHA512 e10d77cb8f46a4213ca8ebad2d552cba100e29748362232a424d66dedd7d1d6bb1bca035530d21e797f8bb1aa616db3f316d265cf44d27682022a6ff195a691f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{827F8EF6-760A-4E9C-9419-2CF851C77037}.FSD

MD5 a394a380f1bd9ac8e7b44d91a0ba7708
SHA1 00668c9e5c68667b28e867f6aa8d84b865a1934d
SHA256 5be13edecaf346702821768371208f57b0ea7c7166e028377bdda89d343f665d
SHA512 f56fcae6abee8962e880f0d591186ec4f739b3c0d63a98d15366d50e4835a3a87f271aca53a15d27ef0b7cc4f4320aa49ed36ebfdaabd9925fd783d80fd912ef

memory/2496-1013-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5f2d37a69e2851949874fb3c0aada110
SHA1 87497c0df14a9112c676ecd76eae2e69e5747c78
SHA256 2d764b46c78a275748bb02c138acce0a011e855d94a8bc3f127a8181a7d3bc7d
SHA512 84be03d7e6446d4f5a1a24f9a49cd79c7af21ad1c144d46df20874edadddbbc733a6783adc70cc675ae8e45003043bc165fcc2d14b9dfc4c0db4981e4d13d7ec

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1292-1035-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1041-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1076-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1075-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1073-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1072-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1071-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1070-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1069-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1068-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1067-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1066-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1065-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1064-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1063-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1077-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1062-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1061-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1060-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1058-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1056-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1055-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1054-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1053-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1052-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1051-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1050-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1049-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1047-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1046-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1045-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1044-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1043-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1042-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1040-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1039-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1038-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1037-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1036-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1034-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1033-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1032-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1031-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1030-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1074-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1059-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1057-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1048-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1292-1029-0x0000000000510000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 8d05e1b0e4361fb5ee2d16648dc9f489
SHA1 d82a3f91522b3d948d256bd08e574c7c5f88df4e
SHA256 eab195a6542a664c921384ab28c4d0882b1745d57372d58ac4e134e5e9be9923
SHA512 fa467436cfdb0ba4438278a2bb43439c7c13a96bd58325b00f7fa9fbb473284476fe9733594a9b859f4aabd35a590895f03754d2826456a9284e64609075dfca

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 cc279aaee84e6c122618e718f6e72192
SHA1 3628d5c1146e2d8dd8a828f39735a21e1ef98e30
SHA256 713bdf237ce4bbc5dd0a3d19d6376b20b78cf5aac275e784117d368ff30614e4
SHA512 45f7341b3f93938e953e685a104ee834d81f85da355e09f03d3c477eee9fc7097bc0015a31c09ef8fb0a72ee0d3969ce56740166cf4ea2448f16dcc6a5267ee4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 6e111d1a22718e82c6afd533936c7b55
SHA1 1bc33dcfc4695e37ccc90b028e8921e9b2c5d891
SHA256 cc049c44883b338f5df9e07221ef61c97031a97bddbc2dd22dd9564c9db0e760
SHA512 fe551913753c9e194072c542bbb08b47e0dee09d93b6124ec8f420281a0b74bd4ed1b466488a082a53fdea3f0c81003d733428fb8d5056114151716ad9bcb01a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DCD085D3-9E4E-4901-A2A2-8EF39F068ECB}.FSD

MD5 485dc5192a3e5a15c5b2794c276daad6
SHA1 169b6a43cc8503974dcf8d14accb9b523c39f83f
SHA256 4d37e8c0f8724b1402b95d78fbe989b4ca2589c4c0d48707fdc7d2cadf952c5f
SHA512 e2ddab43132336fabf5711074b56f77b885ce366c695f6946b34bbf99777eed0ccb4ca0b27ed7ab20d082e3e064c068a2a4f5b4a6053119afeea6dd5d80bcddf

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 70fccec141c711ee26a7b7b3d422a505
SHA1 0c6a061f860d299b80bc509013f6510e956b8ef8
SHA256 424300a7bc60a325327087c31fd9d9701c5ffc6a2a5a58f703374b688b0ad823
SHA512 048c838046eaf9158cd01d4c50bddaaf1189f583c8a1fb5fa89540308f9c2e6aac7d3dcb3f2779adb8cdc04917c57139e740f4b4bace2d65fcb61073f802a851

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 03:26

Reported

2024-08-10 03:29

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

124s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84a217edd62c5e446b60c033a2cc1daf_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 173.222.211.224:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 224.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/4780-0-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-2-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-1-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-4-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-3-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-5-0x00007FFC7AF8D000-0x00007FFC7AF8E000-memory.dmp

memory/4780-10-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-9-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-13-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-12-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-11-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-14-0x00007FFC38900000-0x00007FFC38910000-memory.dmp

memory/4780-8-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-15-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-19-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-20-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-21-0x00007FFC38900000-0x00007FFC38910000-memory.dmp

memory/4780-18-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-17-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-16-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-7-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-6-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCDD9AA.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/4780-521-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

memory/4780-576-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\386EA5D5-B24D-4B90-826A-78EF2EA4F28E

MD5 d636eb5a9c12814452a4070bfdda4c45
SHA1 a86206c8cb9a7b3966539ed5d6bc65fecc10b9b6
SHA256 60b1bfdcca7117fc3ddf17421e3b651119a632c56ea1c05f20020c2a9f54fc2a
SHA512 ce889a6b6cfa0ba1301931422192af038c02efb37f7f9f22dcca804fac8bebe95e0e4746fbbe1a715d0c8626b2a157939715d96f622bfb3e72969b8f37d0e686

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 b6a62bbcc0cdcfa8e6f521051b9c28e8
SHA1 aff7ee6156cefb992cbdbb5b5cdb46724835939b
SHA256 001513887e02468018f3d02645de209374b62350560f3ca1a4c03eaf6abea0af
SHA512 fc365f12392f73f9351bfaae4057d52997d0268b34c0e77d10e00636796176e455395d9d7fb3423825f3ee24db1eda4fd8c5174a78d7576333f504eb4bb98997

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 a7d886d97cffa3a52f7e6ffae0b34678
SHA1 6dc90e0606ddbaa74dd1b5bd82eca57f7dac2d4a
SHA256 a702e03d622c0103326190b87c0dbc83f6d7c4a2f9b6b72432922c8e4b70b3b8
SHA512 e86c37c2dfca7cd40deb190faa81c0167f3661d0d71e82db36fe51f826f57d16fc4adcd839c40167f37bf97617676390808fcb1faf904c8f3b3aa5e8dc472593

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 de7f3a643f43a00f3c7f8d6eb0d2596d
SHA1 c2592f88bead5bafad5bac37e9a6bf1d64faf4bd
SHA256 86fa2103aad0cebf3bc4f3f3f54174d0dc071ef68604cb16477a346b4c272adc
SHA512 0403a01f4bc80ebd5ab7c126156305227eea1c5dc1478f3b709a5a012fa79918aa18045346790057eacf8e0c470967f019ea389a7bb38e1f61269c4c8a0f9503

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 7e071f07c18397cdadbc3e14f6630e2b
SHA1 46864482cfb97de104c05d5fb03d7545d322aa47
SHA256 7674a12af03a0c746d884eb0a29915c0ef40fcf9c21f1ee9dc8f39d7e5cd3510
SHA512 3a55cc1eb81e23b2ba1832cbc318c6d8ec2990955b9651c0e582c1423d50f3e69d7c6863ae963763588a35f21c8be126dcaea5abcaf963ab4100369818c5c4e3

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 62b1a5208985e837e15e0253a6e1aaa0
SHA1 55993ae5ccc4f28c99f38ce6e08de4ec4982f8ff
SHA256 5fc9b1c80e283b43e0763d2d4409217ab19295d30b882dcd63d9a466a72eaa77
SHA512 7dc3899f44db0009b92a33f4cc56a16f58047fac867f1baf821f8d2ea5a337462c0963af33a84db87e106f95bccbbfbad16262eb317b854046727f67cea2e987

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 e531567acf604fa1e9d9b8667a8f74c8
SHA1 4188dd9336616e684c107a8efcb19774a2a88943
SHA256 543665a0e6ef9c6fc073139cf7ef2e7e27b0cd4590cf5bdd41ff6f6307675e77
SHA512 58cc26e79eacc74a44d43efd04f00d85610a1cf66af7b11b72b55a474ec2c4149b64d30e03c5505b48fa9d45fc81968344077963bca4d631a70e7f089de9f04c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 fcc0ff6ffa99d49c8b3aff89f5a41080
SHA1 744e46a725bb33e529a4c239fb35b52afbb3e6b2
SHA256 65876a38373db349ebcb6dcd3c84b37788dcce63346dee562bfa0588d57bd6a1
SHA512 93b1efd56afdc153ddf2de125821dd3e2be15f9a4b84c0922961fc13445cb4c08815e9da362d75cee5d2e407b247876c765b1e464ad02fb9ba7b3fb69a30c111

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/4780-1560-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-1561-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-1559-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-1558-0x00007FFC3AF70000-0x00007FFC3AF80000-memory.dmp

memory/4780-1562-0x00007FFC7AEF0000-0x00007FFC7B0E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 9fab83592441c0ef2a51f172b3970e9f
SHA1 607e148440378977f2267c6a6650c8309a9daea2
SHA256 977b4eb259dcfbe3e7d21cfd726baf0aa8697225e589103f99ac2797ca4e356b
SHA512 676a76a67bf3a837fe5fbb4aa7c70fd2f0656e471489c960109dbc71eb9e007685ca497e1975834d7bb5ffa3ec183d39cf9d73d2857234167cf56f760eabbd7c

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 5b4ea7676f0e3aa19f87eaf81cacfc69
SHA1 a776b52f53b1002255d87b4ced9f0d385d4f17ed
SHA256 7e04d3b29ddaa7b7480f081db4d4f3b881e5945b40cd9a7582986603f8ceadaf
SHA512 0a5cbf228584dd5b31b8d640f498ca1003683c571c5f77963b56dc7de6de3e8f5b161781f6d8344e2029816da2909cab293161265eac390646420def640c612b

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 c29bb23b123b3955d105eec3a6a46c01
SHA1 5819b279abb161e75bb9df78f087f001b38f2fe2
SHA256 573c65f8b0ee381e8a8b329ded93478fa2a7a7925b5b6f9cb8073c823e245d40
SHA512 974e2d7851880a5f874acc97881af77a27d714176b958e4d2ce6e1d37a1b0a7ed2686ae05e0b0ac77e500850de89131c30a9006e45de0ec8e494cdda37818a6c

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 ad9319e4379defa2971c15df75c8dce8
SHA1 49ec30a9a457fd75d758b8fc92a69967a101254b
SHA256 4cd7cc1c9341d3784c14a88f250cc710be00f65dfd8bdec05d2df3f620ae0938
SHA512 9d55a642b8a746ed21cff14cf5ded2c51e6a02a8e9546d286f48b85e2dbe082002dcf1d6251d607d8e35c0aedd86513da6347032a248390c69e336273be25523

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

MD5 47a4d4636fd6102007db6919a670c222
SHA1 1399912d395ad5936d96e835b040f2972afa5845
SHA256 bafe3f9e5174f6dc4abc78a448e5f07cd57c74ed417200fc79554a4c958a8846
SHA512 b9195f5bb520177e092fc615601c8d1b1a85216522f355786d8889eb6e4ef6ac08373a37b55d7692e85bc5d23ecc1905fcc2486309dd7b00bb64d3040762e0b5

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 b0eeb78af762a8b950c5b32d52e9c48e
SHA1 35d163dbb77b8e122881067f1094142375e37a98
SHA256 59df83610b5b5fc3f5c4e0a66ae3fd555a4b98865c30ef884c2136af9f2674f8
SHA512 706da27b8995a8868cc5d539901cea51dac29be7c27fe8a1b3deb4a70c324fb7d2b93e67b9624cb621cc6cbb1a12f5c832b3e57bbf736fd825e614cfef5a9c2d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4