Malware Analysis Report

2025-03-15 07:57

Sample ID 240811-wdlndazflr
Target 8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118
SHA256 f6e3758487363d149bf82825ecd2f4ece282862718bfc2192ab96eb0a57a2813
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f6e3758487363d149bf82825ecd2f4ece282862718bfc2192ab96eb0a57a2813

Threat Level: Likely malicious

The file 8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 17:48

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 17:48

Reported

2024-08-11 17:51

Platform

win7-20240708-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E24CE648-8BD1-42DF-80B0-F1471186605A}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E24CE648-8BD1-42DF-80B0-F1471186605A}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E24CE648-8BD1-42DF-80B0-F1471186605A}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E24CE648-8BD1-42DF-80B0-F1471186605A}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{E24CE648-8BD1-42DF-80B0-F1471186605A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/2096-0-0x000000002FA51000-0x000000002FA52000-memory.dmp

memory/2096-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2096-2-0x000000007196D000-0x0000000071978000-memory.dmp

memory/2096-9-0x000000007196D000-0x0000000071978000-memory.dmp

memory/2096-16-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-15-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-14-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-13-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-12-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-11-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-59-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-272-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-224-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-176-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-119-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-322-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-467-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-419-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2096-369-0x00000000005D0000-0x00000000006D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{7DEBFF11-2B8A-49B7-A3E5-2E552B2B7D59}

MD5 86021e004713a1e29f450576bd2abfed
SHA1 77c8b9377d106da972f5a591e015c751e29320b0
SHA256 3aeeff5aff0c3ecd75a9bd5e0efc094b5c1f0ca0750fdbaf6d0099e325172406
SHA512 fa3cd415d8979db350eb81ece6b4b0849b84ede9957eb3ece0832959e4c58df4d5ab0bf80c8d356f6c6eda3d3793f0f7c089583b6262418e9c9063dc84f0d7c4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0857B1E2-82A3-46F8-822B-FA94A8652B5A}.FSD

MD5 a4379f22d7af21efb17bd8273042d012
SHA1 e7aabfb655a6656e902a34c09bbca11d3576eada
SHA256 8aca3d96e84e76cea648b0386e79dffd370d13d2c829484b1152a0cb34781127
SHA512 9649f1e7794b3af41d0b135e435c55eee54b3e5a550a3cf43fdcbd15f6659f6fe850e1377767cd7296c7a1ff9f80cee5fda93cd9d8e22f7d5ad89f7af6bfa2df

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 627fec0982a2c485b5e2edc7a34921f5
SHA1 4a372963d7f06c18c75f8ff6868dc79aa2ffe86a
SHA256 29434a402707127b7b675fce4f24404133a718d7fe3ebd50621f9d137e3e41f3
SHA512 91fb0d5bca9226b4506579fede3e9da0ae217a3390cc6291c5763e28dae411598941363679a50070a72cf7ae8dc546352628142a8ee5f80ce959f98182ea747f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B90053E5-129F-4F2C-B932-31624CC75B07}.FSD

MD5 283933064b4db5313be5c268aaf65aa0
SHA1 890b2d06bece0a5dcb865124be13eefc1c24b25c
SHA256 8bf3f71d694784a00df4f441e885f0a7d33ea463d79533b8d851a51045ad8626
SHA512 b39255de6095a71ffa47c6c2903731e6dde5858858ce7ddc7ae1ff5ab5869ccf3020d75742b53416ca7363726717a99e789ff775bf6e7951827982f41b133449

memory/2096-576-0x00000000005D0000-0x00000000006D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 2f80b5eb88e9a8c6a396a907881e7f72
SHA1 353c5668bf6cf5e030a4185e231904fdba335f50
SHA256 585d3a6eba56e8a806b2ddb0714904cd5de587573c974f36ad2bd9ed65b0dbcb
SHA512 d7739cc4863941dc33456dc7b0c5367670c5359a6aa23a81bd0d5b6b214fda14b6d2ec564693748cb8d4be32e4e3595cbba0893f02ee05ab560d5fbcc6508e32

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 bb1184034bf34e3d6a400ad99748058e
SHA1 e0fb145c6d30822a9dcc3a507e5ddaa34556c3e4
SHA256 78d0293022373756b2beebbe6e47dca4082679f4ad3a0220deac0bb0feb0dced
SHA512 f2432397d2cc56842597c26acbc19b25044f8130347629e3b876d570a773ffd936aa787c94d22a121800d62515d04eb96e5048cda0c50ffbfeb7af7e29e5ba78

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 f68ab76c02e9dbcf72b84babbf4eb2dc
SHA1 d7922b6c713ae12a76b0030a8635a78b47d6a8ce
SHA256 231322b074020a638d0f363ca3d63b3669848fda2f8e03395cdba1f3cd8ef136
SHA512 3b5ed69d4cd836c0c0bbcc8b5249267308709d2c902523bc3b8df4a45f68b01c8f556e5731aeeeb55f101d87d01b1e40a47916d0a0331341129d1a29e5d6e5a7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B90053E5-129F-4F2C-B932-31624CC75B07}.FSD

MD5 1afa16dc18b55e6ef1361eaed22ee2d9
SHA1 8176927baf73b0e0c243e277b66a1b765988be3b
SHA256 0dbb6c5c45416addd1afa5388a93b2f759ad52162ceafb5fe54d4143e6c244dc
SHA512 5f2a9a742a2dd722516c230cc210da58cd58ec477a177928c8fc0956d5eeb334b027c3a571335d4be97d04a6c5497768ee01e719b57743af1e9eb52687f8ea98

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 4b0fbbf1f9b196f09be89440bd44f968
SHA1 0d6a0fee00e28a1f5e555caa0050b66205505b36
SHA256 4f5884076deb59acfcd66bf9e1d9c2b4b870b2f22db0a472d280ebdc900a2970
SHA512 86daeadb44e615457fdaa04d054b21ae27b30f9ec6eff2f6f0750db4a458f9e8186784b2f3aba3e995b9cb22d5d8daba51c3949c20daef398a34b97b4f6f40fc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 545869a50d43e6caaa793b1bf5c1a33a
SHA1 e3a90bcffda9076acddb88d1a4ac17500a1815ea
SHA256 3047bbc417070a494517625db7a34dc3be0afca296dad4eae4dc973f5cacc2c6
SHA512 c6e373754d3efcf44e209940bb6fa5b625280cad7cb17c9b59656474d815b3e466b9a236ed5d08761ba489bf24dacf706b9db7df0ba34927b28ddf72c102da49

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0857B1E2-82A3-46F8-822B-FA94A8652B5A}.FSD

MD5 69b8a8fb4108a612ecc95106ab58ce7a
SHA1 3baf4610e8a4f088a3abaa4e5a01c9f29dc1e0de
SHA256 a35a1a25cdc1098169d75e00aa9bf73d68312cecb163e5d7adf02ac9f6e430db
SHA512 7d02f9436365a740f01b2f6732831f56a48140b7a0817f71977a044b1a1aa198d3039b5ed89b5903b8938406aa564246012b6626a4aba9f790758d752a06a2ab

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 41b512b49dd55e8921204d92d4c7649d
SHA1 460b607a3ae76999b08d1da515670f63a080a9db
SHA256 9ac4e35cd385f3b6ce949599c82a9e21f429a3bc7859aa029c713c299944de5c
SHA512 49ff1779d027539630de53412a4978e51a9d04461a2cca15946792a3bebc0fdfbbd000511a1d338e1560b8848c7e715f79ef4af0d262bddcd8a845b7426d901e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 17:48

Reported

2024-08-11 17:50

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8b5be1ba4331130b67eebbb0d2a4d9fb_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.16.167.138:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 138.167.16.2.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/3704-1-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/3704-3-0x00007FFD7C22D000-0x00007FFD7C22E000-memory.dmp

memory/3704-0-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/3704-2-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/3704-4-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/3704-6-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-5-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-8-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-7-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/3704-12-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-14-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-15-0x00007FFD398B0000-0x00007FFD398C0000-memory.dmp

memory/3704-13-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-11-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-10-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-9-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-16-0x00007FFD398B0000-0x00007FFD398C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b992261c608d36179a18f6856b1aae41
SHA1 6fd03a780fa17ef576178063706acdcafccab4da
SHA256 27edf63233477d36c047cdfa96f55d740803351dd6c2eadbb31b92220c7be5c1
SHA512 94dc1911c94512abd55839d478cccaced17507c3b0012cd6a18dcd8547786cf4afc9662decaa0f03e3ad47dc9f07d263c1dc7802f49d1a9af1a3dc080ef95a38

C:\Users\Admin\AppData\Local\Temp\TCDF7E6.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/3704-153-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

memory/3704-208-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C015CBAA-CCFD-42E3-A4EB-4E1683EE0F7A

MD5 2432071f2127befee1b622c871e3a06d
SHA1 e7c4bac90b30afdee1e27289f69b1a8aba09e914
SHA256 2c2a75448b248487630f0f14c42963bc7773ca0eae3453be9b79b254e1e9e7d6
SHA512 cc3102aeed96dc15bbd56c40c028c22e99780ee63bd549b61733127c48a7d6e05a1cef086c835e53b14755a141019b98859b6c3792925b75e2c56fe5bfbe0a44

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 551f756d17f0ecf8f136dd2269cf91d1
SHA1 d9fa79a31b8f74fc5f183a97654a499fa25d0adf
SHA256 f0bb39a8154c26e17ba8292cd1a52f4b3aad432b4d7c5d02beabdbc80799b3bb
SHA512 8ce56ee8934f4f40cdd919fcba601b4c447233e14b1ca3514cc294bb90da47a66aa80363ee7e9a82d49bb41703a50422af3442e932835ee5fe5af49428a95714

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 0bd9725638a66ab1b1fbea2a061666c5
SHA1 e84200c9a880bbe67438048a5875dde5dbff803b
SHA256 c61147941f61cd874458e696b170798861db6231ba182875f21f0060480e7c68
SHA512 71a275ad8bab91c5f201d91156b8fbf20323dade1f9724a767634cd1f75052dceaf783a5bbd841f6877df0f2d717f0525cbf51e5252ea11d9754f9a0718a9e28

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 299790eb4da891c0cad926473bdea5f7
SHA1 dacbd07b42d91a20ba9bfcdee5cdd75ce15644da
SHA256 6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9
SHA512 3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 7078fec6b436d3a311d5d43c17a08607
SHA1 d9e6c24fdcd534cde9b0407eacb54b5f9a9bcfcf
SHA256 c0910a22d435e6b0a41e7b72499cb65bfcb289b32cd5bd6554bec4f68f3010d8
SHA512 663619d782a9ccbbb82c70efb4c5253c96308a479d9fbe4380e2a9ab0ce79c9f8bcceb3fcd8a9411be560a574d21a34f9ccdd1d3600a6fb2377fe68f5fbd2a1a

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 8e3568b8b28452572eabbdc95e581d7e
SHA1 4e4b1b34c5c811efbad6a28602448d125ad3e4cf
SHA256 6c7b3e8833264998d3e8ce1a02211166bbf8413733b711b65318886395bc3855
SHA512 4553b411cb15f996d505c5049897cb2672e9c242d3907a0ad0a43babdd1fb59dd50121feef11fcce199e538600c6d0de94b473b765d38e8be1566e269c28dd6a

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 11a5a7d86abe51b6a040eeaf6f9e58a5
SHA1 db3e10002749730432984b0e5a0761df8c99ff55
SHA256 1dd115e493e47f22bab300bd30cd6f08471cc87ef9f827472a4ce037f016e8d3
SHA512 de663b5ca0f6e44a50f6714fc1df61f40985e2e9dc6d2a98623e196e98bf56ffae05e3411407b0f352d738c0b49db38b7169295beec3fa0bfc0c89eb0be45cc7

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1c0d4e4f1d82d7bce8f78e553f41a509
SHA1 f5c1be3c36837f9dd46696d9c834e6e2988bc049
SHA256 fe33502989999d737a66c400e3fccd19795a9a7592726c0a60ff83e6dfaa607d
SHA512 8d1cab2e17eac006126c354d16d386a4704dac1a47022bfddad2d4d6316b4fa9c7c0449af2d9acddce5766f57504ea0ccd30b0cc59c5a4d6a186ec422d32bd19

memory/2088-1548-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/2088-1549-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/2088-1547-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

memory/2088-1546-0x00007FFD3C210000-0x00007FFD3C220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 2b1c3b96d43e18bb5de074c223ab8752
SHA1 553688aa53185a121d7556ea0d85d407912fb36d
SHA256 8b0d9fd2388c7dfc06a5fb9ab7af876990483ed0f94caef82929c8bdbfc7720f
SHA512 ce18de63149b46c24ea9980a59825d1958bf6f6910ae87bd7f386f6a2b8a4243580b22ca94d46ff0b7f75ba8ea6364c0f5c40cf33d20391bceba90a48f347822

memory/3704-1780-0x00007FFD7C190000-0x00007FFD7C385000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 bc82a9809da735ba4cb7d0f9bb55f463
SHA1 89d6d48b45c57b3c2f20f133fbec424f962bc626
SHA256 97da1ea359aedbd377ea173818042bbbccf964a2674611c5906fe1dacf0762da
SHA512 d1af034ecd1548dd0b8e7bb4a4817b6861c09f8f958db972f15e170661a1bd6743b00aec35280b532a142f9ef72474a86db27b2a3309beb299d3be6461cf023b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 62ee941fe49da484ab90c9e417a57fed
SHA1 3db3d2e6e378f07a65cb0c3f65c3426b28886854
SHA256 d1d6ca401d776a305f8098eec95619347342793eb2a09ffc0be7ab6781f47471
SHA512 d40099edc653fa3b7efb79c8080c6dc7d5145fc51487320e062db7a96d659821e848f19cec5e10af8105bdf57d9fe650a08073b02c8ecdd1e27282572e1693b1