Malware Analysis Report

2025-03-15 07:59

Sample ID 240813-1ngvdssdpr
Target 94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118
SHA256 24f1bfa795be98c5260ff25f42f62c37aac79c49dd23e94138e2ca961d49a10a
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

24f1bfa795be98c5260ff25f42f62c37aac79c49dd23e94138e2ca961d49a10a

Threat Level: Likely malicious

The file 94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 21:47

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 21:47

Reported

2024-08-13 21:50

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?W8Pu3DcXDYLg7smKpbA7crVkx6haQpwO:g7277569 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?W8Pu3DcXDYLg7smKpbA7crVkx6haQpwO:g7277569 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?W8Pu3DcXDYLg7smKpbA7crVkx6haQpwO:g7277569 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?W8Pu3DcXDYLg7smKpbA7crVkx6haQpwO:g7277569 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2536EEF7-B020-4679-87A4-247618B8C92F}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{2536EEF7-B020-4679-87A4-247618B8C92F}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2536EEF7-B020-4679-87A4-247618B8C92F}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2536EEF7-B020-4679-87A4-247618B8C92F}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2536EEF7-B020-4679-87A4-247618B8C92F}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kholoq.com udp

Files

memory/2560-0-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

memory/2560-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2560-2-0x000000007171D000-0x0000000071728000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2560-18-0x000000007171D000-0x0000000071728000-memory.dmp

memory/2560-68-0x0000000004800000-0x0000000004900000-memory.dmp

memory/2560-69-0x000000000F250000-0x000000000F350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{77678F54-F8CC-43BC-A6B1-634D08C7B4B3}

MD5 768474dcf294d5a876a7f955b03e73d6
SHA1 f43b7d53dcb9e06660436b791a16163f78aceec5
SHA256 0605b0950eebfd6bd60a24bb1f6c5a20256bb84d71d91ecad3b6dd6b78de6923
SHA512 fa61ad245cf6d465a3eecc4810e0ec3990c499d979322ca2cdc6921325133a766b9fe8c31809031708bf3507ad3eb2e0509b6cdbdb7e55710bfcceeec5eba14e

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 38a6232a59e797dbfb95f92f7a8bdc75
SHA1 4a32ab341df2528a335947d1fb2c67e654b1da13
SHA256 a259481818c0b87621434bdb9b3c03ba39aaefa56bb1beb5215287596ad24a4b
SHA512 256ed7962290d0108eeabd4add5d1fe17a51b71785ea3b9de2cdca014f0afc6d003cc1cbf06205449f64ca9f56ae6f154f3e6ead0153d0b643c0ab2c6cb3f64f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{009872BF-F4BA-4917-BB0C-2E87FB311D70}.FSD

MD5 2821fe411563b4dc1c2a108e748179dc
SHA1 914ccfaf798632fc58631e3730f6a05606e7b51a
SHA256 55221600df34c7eee2cf71549e360c78da5d49c65030f99f3763006d501c6bec
SHA512 53bd9996cd31945df5a0596007b60373273086f33ad5ca3f31762d39073a767540e1287e573e693271cd0eb28052529ca17f50d5727a4dcb91918e2b651e8cdc

memory/3048-1023-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a8a03273f808357e164ba368fb459d08
SHA1 04a2465632f5abc9a581ec09d71015a80e0e59a2
SHA256 839e308026324c9d80f42a93984864791a2c837c0ba5d997b4805fc591580b76
SHA512 337e3b2577ef624a24ff48a42eacd2ae4557922f356d86dcb4c05c692f0172f829b24ce435f322f8ae39b211b2e576b4519e583f66ac7e59e08b35301d28da1b

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 3f57f0c340b814857d6cdb44c0eb06f0
SHA1 a76c3f185b3efbb1714ee5bd2d122ee91dade6d4
SHA256 9d91a6fe00453ee5e48f8ca737724f118e3e91f2c4072c2d05a8d0b090980070
SHA512 b952b86f3fe3a9cc306d5b6402d101eaae89ebf8ced65333cc2c12cd89c4e348e6ea4d929fcc386970184eaf7845d36dd5f5cf0a40877e10d691b8997cedb392

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 ccba7a595329fff6884270e644666229
SHA1 efc3da0ad0e7c37a5363bbd47124aac2ea80a895
SHA256 0c368fba18e6630c774e1d04a2152a4b1eff6452d7eca4faac0548d0abf90526
SHA512 f3029d30e6706ed26f0fd5b418881a4298c2601dd7599600a6929198fec2fa0fe84aa2b2d2ec76277943f8fb24e5c1690f858a4481af7c04668719039c4744d8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 7c8bee264bfe3d6b05f493fe525e7e45
SHA1 3726fbe3c1daab5e0ba202809e0bf547dc3aabb9
SHA256 3d036a9b05851caf99c078b964e85ab31653e6eb363da32b51e9954f5f8b9607
SHA512 d42841cc53c03a3c310af436d03e5fbb146371097442a45f995f86edcb6c12377e85f8593890841158d42bea2bdf3c93a13276c287f1546f87c33470316cb4fb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F423684A-079E-4930-9246-A1C86423F315}.FSD

MD5 96c80c9bcefa7b066fdb4c5cb46097da
SHA1 e095548307abafe06050d718d73cacc7fb2b4fa5
SHA256 69f08c9df50572eccc26bed7eb72322d589094763bc41a9ec720bfc32f7c7511
SHA512 329ef82177b47c6fa97da3e06899670252c3b01cf0564468f8b4183605b6ca78130510d44210ee2a52f4bde6d1351b4ba79ba1530df5a5948cba8e6dcd7e16b6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 53a650910f07237b7c1e46de235e085c
SHA1 43aaa2b80b620774088419b36071b2e1397ea1f3
SHA256 0003a316056e5cf83f2c13f986c671e20a9779904e42bc75535fab4e641c34e3
SHA512 36bc5860af2bbe3dac89a4c87aa915039ce6687b86edc46780f2f2f021d1f9f0ab9ba4971423171cc7e5da91b5d9476b87dc06193263ae96f8a056a548077203

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{009872BF-F4BA-4917-BB0C-2E87FB311D70}.FSD

MD5 9b42bf92a3314fc54971d294a6f909f9
SHA1 ad6d09d59f8fd56777332ea3bd154b8826966057
SHA256 348ca82480a18968c81204157f5841cd618845ab9795d8982f9e9b4324c24237
SHA512 2e3c85a70813085c5a53a34cf7bde464077fe8b9a618958f8e05ce2fd3eec2f157c5cc3ee3dc578372bb0259362ff965300f264f3982384f9ec62f4e7695a1c6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 0aa21a676aeca47f83962245ac49775a
SHA1 b8242c6b08a0db636cf74416f8a93237f73f787c
SHA256 e2f00f857b9cabc7486bcbdd522544f441fe990daad74c81651bdffb7a523107
SHA512 290e38bf6b7b73f4e93f2d83f47017a4ca18257a7bdf46f0782a79a09b480c2cb3d48fc45f49e05aff70aaf7333744168bedc8c92a0471031b2cff221a15d0c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 21:47

Reported

2024-08-13 21:50

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94ddadeb5eed0703f42f5e20fa601a8d_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.217:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 217.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 kholoq.com udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/4532-0-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-1-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-3-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-4-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-2-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-5-0x00007FF978A4D000-0x00007FF978A4E000-memory.dmp

memory/4532-9-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-10-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-8-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-12-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-13-0x00007FF936670000-0x00007FF936680000-memory.dmp

memory/4532-11-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-7-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-6-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-17-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-18-0x00007FF936670000-0x00007FF936680000-memory.dmp

memory/4532-16-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-15-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-14-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCD9FEA.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/4532-527-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

memory/4532-582-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\56E86412-1C57-4C5D-BDC7-BF2A60A52285

MD5 6d5c38b3467d57a1e0dbb406ddccb7c1
SHA1 79eed76ad1e175a54b808fb14e8147f3bc72140d
SHA256 463019243c78babf854300805e7b7d2b50eaba888c83e949c14c50c8130ac7b8
SHA512 fa8ccc53c56a1d59af4aee2a151593a3256f63305b9274f55a7329181f6cd6cd3cdd92f861d65613777d918dd40575d012b10d65a39c9c5a27c7f11364c53efd

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 d104d73bfe17577162381f2f0fad7111
SHA1 19f95c3c47931c5dccdbea47a79420e8008dafa7
SHA256 605023b5f86b848b27a9435bb088ef4e8480b5f0ebfaa7a3e5d3a3bb0470a916
SHA512 583abcc67003c80b58bd730149488f67821ccda6ab3ed77eed96fcd019b10aacc3d07114f2763d316377fac310a36feb0419d19bc81cde59267b835c8c903714

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 ed765441ff1d95f95e4dab84f171dcd4
SHA1 6d19231620d8951dc2527b13aeb9c77c1d849280
SHA256 96ff6f97af212113c926f2f90236682fd6a7a6479642063f998a5feba5f80984
SHA512 1c3c503c7338647a8422450449c1ab3b845f6c61ccd8b5528e1152cc202cb8ce023898b140f51167385349a5f5c00cdbb5485a8aafcad2bda3fdc1914d548c12

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 de7f3a643f43a00f3c7f8d6eb0d2596d
SHA1 c2592f88bead5bafad5bac37e9a6bf1d64faf4bd
SHA256 86fa2103aad0cebf3bc4f3f3f54174d0dc071ef68604cb16477a346b4c272adc
SHA512 0403a01f4bc80ebd5ab7c126156305227eea1c5dc1478f3b709a5a012fa79918aa18045346790057eacf8e0c470967f019ea389a7bb38e1f61269c4c8a0f9503

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 31ea66d317b93783b413918649979d84
SHA1 dfea2909924b6f11b4b2ae6c06236d8a7efef9a6
SHA256 2b0de68ee830c4a4bdd49273898d0eb3c8f96914f839f63a5b139484d5780e46
SHA512 943965c0fd95d59029a0e8646283c52b1f629564eb6d25e5bb49acb1b00e847d2bd225b431ba66ac10c24292260f5222d4d7f35a4719c698e84393b54d8ff894

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 e45feedaaba408b5a4ea37c0d976210d
SHA1 b1fad014b8ebcf4d309c731197c54171379843a1
SHA256 99f3f45ce530b72c445eda8044d1ede9c20f1eb513b39ecfa77c31858717e206
SHA512 8de7f197575737589a697544892d066384d6cbe0c4350294a2382a175bfa4b965b544ca5b92635cde23529755727bc19e6b4e27261df8cac54b02ed8ed565939

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 3915165be241aec9bab930e2a3c76254
SHA1 14a5310a690d8be6c30a1f29321c5055f7cc46dd
SHA256 720820665b0bf51355299e4728c46c72469c88e864ac2a5765bfbe12c8e05455
SHA512 3a8a6ba84fc834caefc2d57fca51d8ab39ce853281b3cd7b00b93f6bf89332bf6ef6726cb7171d6670aced0eab62133d7b89ae4f7dd976f16dd9f32216bbff42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 6252b788c7b442873b6b61ad50295845
SHA1 60c700c1d48b69b869c03b5ddf0c6747fbc1da25
SHA256 58c3fe6b1c7e59113ae51c8e038363ebeeed749bf5832644d268ccb9d05bfb9b
SHA512 450e9b363c8101dc15a0a2e43310e0ceb52c2e49b9d34f765db0fda8a66af308959ac94d878f1f274576a5973a6839ca8c72d35983e24f970bc2bf3d2025df4e

memory/3488-1566-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/3488-1569-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/3488-1568-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/3488-1567-0x00007FF938A30000-0x00007FF938A40000-memory.dmp

memory/4532-1576-0x00007FF9789B0000-0x00007FF978BA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 26c29a47cc31a6ed17cdc71b9e8788fb
SHA1 66ab3253bfafaae9972da46c7773a70a1261ecad
SHA256 c4ef3323bae4d3c5f1bdc61e9aa211237faa519e2d1172108c2263446424e4aa
SHA512 fd416b0b949995421321066ab1d071167609c8319336ca0d9f25ff49c2b75070689bdfc29b97ee5521d7309d31263d5139226dc46637d946972f47fd6451368e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1c0d4e4f1d82d7bce8f78e553f41a509
SHA1 f5c1be3c36837f9dd46696d9c834e6e2988bc049
SHA256 fe33502989999d737a66c400e3fccd19795a9a7592726c0a60ff83e6dfaa607d
SHA512 8d1cab2e17eac006126c354d16d386a4704dac1a47022bfddad2d4d6316b4fa9c7c0449af2d9acddce5766f57504ea0ccd30b0cc59c5a4d6a186ec422d32bd19

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 aca36dea281e664e18aac6ec48cb8c3f
SHA1 21a4f1c802e16c8f41b588ee5320262ec4e8fcf2
SHA256 6e963607ee8d50a2a60ebe7cb5d1c9483bc8f9505913a0500afbb9d811890650
SHA512 380035e7d551f9510e53cc417be2d769041c713e67d740a60f09af0822143f32cc202d0e33c4683098326b491fb71983332e7949c1b6c98ef7380f920c03b727

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

MD5 1a4bd91a5bb892684912659706e1e61c
SHA1 470791cb18964759396930b83586e021aa916397
SHA256 8c7e4bfd0a6d668da08b9b3717caddfb838bb8e87bdcbc1806b98420dce4ca98
SHA512 3387f95b5913e97fa24b63424dfd6f3ed367cad49d9e0118ff4b1660d9071825f2d08ac1833d2725782723f95f744ccfdb546181133fa2eb6c3a22cf1f4ee337

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 44141eb7e4b95a331d43683de2e0e053
SHA1 2c1aecf69ade2e2e47322cf4863788eb5bffbed3
SHA256 09bee75f2a5ecc6178979a6644c1c5f6603a84997218839caaea3c808ee2661b
SHA512 3681d51aa9655fa3c07e507a6a850be866967e1054a981aa1584c7b087e292e28af25fd6039f0624074ac752d1b4556eb630cd5730f38d604f8b170f1024655e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 42fb97c861fb0400877cf26cb6fb41f2
SHA1 4b858f26fa4e35e65509a25bee693eef5ea411a7
SHA256 b030f6da934b9ea1c5829c326e4991f7183c550263b3722ff9b61cfa238e8772
SHA512 2ccac738a44967413c4a0ad53fee4b6faffdcccf6091661fd9e0fb76c0500e24eccacd8d5d3ad26476bdbf6ee5be53f59d0949d282417dd21429a023ad05bbf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 cc5e8690467bac1c74031d9ea22f9b21
SHA1 8913466be87ba9b2c9ffd5c3a4a884f9be695064
SHA256 65ccead2d5e05fe0bfb126768056e978224757eaf8ecec01bf4e6e0bc6e8bed2
SHA512 70d35225f495072e086d60e4c1c0ae162a43d798d38dbf602a68c17df77c601ace2916e16804edefed584aa28b71c39a2e7bbf44d85cd2b63dd14fb5c222c817