Malware Analysis Report

2025-03-15 07:58

Sample ID 240813-c2aq8sverq
Target 91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118
SHA256 b41bf313007764195fc1c40b55880404052e885cde85005ea53a2ea1ba7a1d82
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b41bf313007764195fc1c40b55880404052e885cde85005ea53a2ea1ba7a1d82

Threat Level: Likely malicious

The file 91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 02:33

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 02:33

Reported

2024-08-13 02:36

Platform

win7-20240704-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?KsOf_6O255664.91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{16013987-8B9B-42E6-ADEF-FB7AEADD0CE2}\2.0\FLAGS C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/2812-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

memory/2812-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2812-2-0x000000007320D000-0x0000000073218000-memory.dmp

memory/2812-5-0x000000007320D000-0x0000000073218000-memory.dmp

memory/2812-55-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-56-0x000000000D160000-0x000000000D260000-memory.dmp

memory/2812-57-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-90-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-108-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-104-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-103-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-102-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-101-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-100-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-99-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-98-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-97-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-96-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-95-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-94-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-93-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-92-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-91-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-89-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-88-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-80-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-71-0x0000000000350000-0x0000000000450000-memory.dmp

memory/2812-122-0x0000000000350000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{DF883D7F-6DB9-4CFD-84C0-DB30ECBB1C5F}

MD5 9d6a34d81bddf0fb4714bc2fadee6da2
SHA1 c562f6b062c20225b4b3a849b04260afbf7a7fce
SHA256 484101f7871525f440554047b23f7905034ab10511f7143eac8811e40d082303
SHA512 11e41bb50d7027879253cf31979842e9d1eca767d93c965dd5905fc2e327f056cbc6788569f79db7b2bab42e205d86c2276de2b03d3d172ed9ec6fff33851717

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{45E2A9E9-977D-4663-ABC9-08A70B94F87C}.FSD

MD5 b26e073d8b06245670ba382b42422180
SHA1 0bf85f51967217daee54c6872b7fa38d81f18a4e
SHA256 3a69400ca9b566a5564278dff9555d5e8624c9da99f83affbd22f873bcb1e502
SHA512 a8471d9e07982c824665a04a720fbd69c5165a01d857c39839a4df7ff8338df7bf027d61c5e0809df348d8012d9933fe81b22b47bb23f600f5715a0ce8e9ee90

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{45E2A9E9-977D-4663-ABC9-08A70B94F87C}.FSD

MD5 84bf8d23b8924bea2dbdbed2a663968d
SHA1 b62beaabc0ebb1a288910e2388920c2385983664
SHA256 971c071b1dfbf4614ae8ad30e83b5a5ac5fdfc2d4b8f8eb66a41129f97180216
SHA512 99de4bf56b550662a0c43b93bd19c68b78bc39ef0f2ed31b92057ea92df2f3ec431dd134afec24773756bab2d7db3b750df21a96300b651671ac813089c93da8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 feaff911b43a936ac50070b83cac0276
SHA1 4d3a6304ced3b0cb8aea2452d7952a21f5fcde00
SHA256 7742309815f1bf0bf6b20c9aa1ce7f75f6506243b6091e6d923b5fa4e4c7d44f
SHA512 13b4aa43d8334da2268cc6b7f97a92995e94b440f829ec73734214a59ec32443d244e11c1779ceecc1cb7a82bdfcf76e3d8a4541ae104707b0cbd59e4ba53b3f

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{71739EF2-AB7A-49A0-848A-5A5C7DF8BA1F}.FSD

MD5 41d95a614bc876620fe44dd40c5dbb8d
SHA1 32212a192254f0868cf4bbc53653fa72fdb33464
SHA256 33f3ed5f70dbfd8639ccd91027706e5320b9711744c255fe313d6858f0eb4e24
SHA512 b2518b887f374c41e7f03ba58829a41ba93587dc79f5b21bef910871548d5d321a2bbb5ca85795d3c4d88e2af97d1132c951d643e550a53242c5493fd1f0bd1e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 34af6e422b09376e38312bcfa3963106
SHA1 4910bf9a48ce54a2b8f748160261213cbea74851
SHA256 5617313059ec68fc140946c50ad4f5ac3708214cb98bca24f6d8f969ff0a5f84
SHA512 101b0777f5cac97864375bfd32e2aed24094d35bff9c0a3213b10df95d40090a2dc3b64285b7a5103a7fbff29a1bfbfd980f9849f2ddbda99df6b7f01ac6e2c9

memory/2812-1029-0x0000000000350000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 92356c7001b73e2f819b2cd977f1d862
SHA1 49324b4e4dac58e537fb57064253fb2162120950
SHA256 ba61b85cdf7053a3d6d123baa89b3fe99eb3eeca70b66e46ae6ee2ef93d11c83
SHA512 f45e48f73b2f72ddac746b0399a063d5e97490bce692d4d5e83acf649835e508183943753e105cb0f93083642ee1732789a677d62ff4d73b8ca1526bebe464cc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 af4504605b0c7e3474c638e157cedd10
SHA1 ce2a41d9495798d53c342b1047ccf67d98206298
SHA256 72b6bc2730e7a2f30d48a304958b0cc7355d84352f72b9fa0bf331e0a3659d0c
SHA512 9b2f4dc07a79f02c66dcd18286373d2b3dd958209ac7a45f3f80b5605fc60746f3e311c29674a8ddf13ea9500d3ae8c540180287e21a28ac1aa2ef89967791ba

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{45E2A9E9-977D-4663-ABC9-08A70B94F87C}.FSD

MD5 da973bf33b86a1f4bf6fe0af50173160
SHA1 c0b48eccb6c6bf7f2581168d72e83aae9d91f365
SHA256 4908dd0c57bd2b6361b883fca0e378179437d881b71e04382d0200ac729f50c3
SHA512 b23ad4b8d2d7c9931d4827d8903750171aa9ff2a1893cdf1662cd6d8df59a13beee8c655bf92894f0034d16b206b80e489b9e68860fc4f6e88a2e0d6dc09c90c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 d9b80e4c03b93f7e3b46a4af7ce7e62c
SHA1 0177610caf02d77a8de002494e867165898085ee
SHA256 be600514957edee8d878b0233a0a1c222765aa497141d6c63a0faa7fb96c3f2b
SHA512 0d7deb6439e786fb1030771fd4ea361c4a65a9f292f112658be75a8d0351df95dc740b418faa8db1da7dbbbbcd2d8f3590983c1d590078e62ee76e2ae16fd608

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 e7a2d0331a6c5734bb54c0e9db54b02b
SHA1 134ba82a35e8c6faa0756996c4adc9afb35f2317
SHA256 178c84331f4989ab7696d5493f1dae1b821acf39fdd48288a454a32f966f19b1
SHA512 68148342024c0150cf17e408f51ff2c8438d6e6bab4c14fa288e7a69529cf069ba1f3ee263d0eaa226452488c1c85393f2e1e9a0f98b0f8f54d942cbdc5bbfd1

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 02:33

Reported

2024-08-13 02:36

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\91464e3ec1585b2aa51bde6da5e8e239_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.48.165.161:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 161.165.48.23.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/1420-0-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/1420-2-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/1420-1-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/1420-3-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/1420-4-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/1420-5-0x00007FFBE2A6D000-0x00007FFBE2A6E000-memory.dmp

memory/1420-10-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-9-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-14-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-13-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-15-0x00007FFBA07E0000-0x00007FFBA07F0000-memory.dmp

memory/1420-12-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-17-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-16-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-11-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-8-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-7-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-6-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-18-0x00007FFBA07E0000-0x00007FFBA07F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7697e8e5865d561ff55f426db0f72b25
SHA1 b812a60c650311f397b9927832bf6796ed6b0e27
SHA256 70852a79497063c7f4b5f07b39fbccde53ecc571674aee7fd10075571d1980c0
SHA512 a75493660c53a774ac212a6f9e6868060bc4b6498b012a849e66876158461a6827a119b7b4cbebba355dbd5c8c459e855cbd7123ed7491f4958280a73e06340b

C:\Users\Admin\AppData\Local\Temp\TCDDC37.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/1420-283-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

memory/1420-336-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D659F488-5D12-4140-90BD-D23B1CEEAB03

MD5 5911dac09d893237296c769f5e9f3a1b
SHA1 a6eee6525ee609d5618cedcaae2ecfb3b504e200
SHA256 063db7326fcab30ceb64e9aa5f681b44a79fb467f5f3529f53eb249018c831a1
SHA512 ac76d0d3fd001e8b4f7eacf47566050686d143e60b7e761dd5b383f8fa90c8b76257d3406c9f26c53916c8337418a7b99fe1cf45eed16bb76ebb1c736a12cb40

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 3aa3c3ea447fbd1e32b8daff457849c2
SHA1 fc4e4354d253d86a81ce2f33800498b6c17409ff
SHA256 52720237ebb50c4c3732d0d57bfa46e8f58c2882f8cebeb4127a3056f69b0f83
SHA512 4582c103b441f4dcd011c86878dd6a576caf57a4ad71c5a71b89a2710fd872f187331ced5d33b0a5d4064d2fee081f79f91aca01c058b0e9787be8ed63b327fb

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 6ccae3216cae556f854d6725e345fa90
SHA1 11a2112eb201bb3fc644cb03afa61a7a71b19f21
SHA256 1891d067af7f0d27aa04853877fd92d4473cb3bd51d47fab85cc45c3166b35f3
SHA512 c554944e1b70c0e232f03cfba0076ce6d437d5139ed6f932afdbf0829a26d8b9d5b7e3f5fac8c8c658567a7cfc8e5d0eed86afb567d744793d6b21c96c03b5df

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 de7f3a643f43a00f3c7f8d6eb0d2596d
SHA1 c2592f88bead5bafad5bac37e9a6bf1d64faf4bd
SHA256 86fa2103aad0cebf3bc4f3f3f54174d0dc071ef68604cb16477a346b4c272adc
SHA512 0403a01f4bc80ebd5ab7c126156305227eea1c5dc1478f3b709a5a012fa79918aa18045346790057eacf8e0c470967f019ea389a7bb38e1f61269c4c8a0f9503

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 9c0305a253fbf45dccfe66ec1f6a4209
SHA1 e3688260fd933c2f73cabf60a05852defb79761a
SHA256 2c1a51b6a5c64a018c9774bcffdc25deb5c898af0b79d2078abb92effd7f9b4f
SHA512 96de252d3971de093a0c451deba3b6c86a933599804521a513012cac8eef31396ba87c46a6299d451aeb37e8ab5348a30ffda61d0d8143481ea921dee9d72144

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 c51d7dd1aa7134efffe5e54f7b58bf2e
SHA1 65f43b3bcdfd889a951dda25b3e2e775af8dda86
SHA256 a7f93622391b26bdba43408bd495cf89fa3ee4bd809cecc63dc606737d98c380
SHA512 51da4f4dc67809fae8ef46c011c130e28f08c88778acaa9b60640bfeba169da9936c504c1cf177c1cb14d5dc1606d469632032b6097b9af21c92f07328068139

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 2850752569ce59cddeda1642b3046f96
SHA1 16a6560a84daa9ad8d50e02f4eb2b6e4641f32c2
SHA256 ba73dab873663f0c30d34d6afc0967928ea5867c84a25200945b4ed2dcc0e201
SHA512 e0ad5498e52356f046e02cdca70e5c7981029c2d65cb7470d3cb098fabb50156036821eb8c526fb129d7ec98043783bd8386516a8a62a84068ba0a534913b411

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 19482c74498581ce4d9978f847f170c4
SHA1 f129f3ed91b9029c8041a3081940f3786523c1bf
SHA256 b6aacbce69a941745a837bf268e8ae74f07a6beea9ee2083cca67f15b99a7835
SHA512 ba036e432914bd0c24295706e458e540a6527256cd8f040999f0e2f32dc431784014d6f4a74c1ed65bf5befe724e604f32bd0654224b2f86662aa4a9d8a1a279

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 6f2a4d5ff0d54d7e2f43191e4b1112cf
SHA1 25d67c7394d73a147171c73dcfd0aae01923da34
SHA256 c6c5f8016af4a5b07cf8acd457a60d8fddc09c6cf510abe9e4761b00b917b264
SHA512 47b3721012b124819bbadb282ce1d1a83a0ffb1d0ee87cd96c974add80526f9d66766b9479285af5e985c832729cb2f3e8a576c9cf2452395247c6685060aa1a

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 bb97ab5350ef263853ae7d90fd3ea6de
SHA1 076ea1224dd33178df9be9d4cf46d85265c2fac8
SHA256 a3ce2aacc13e8159464f7690393a52c210b266a51f1eedb66427dfd25c4d5b9c
SHA512 969e100de969d76f4a4b2efc252bdd7c52aa8e5fccdf98cf71fc80f37d652fb62aeffca61e651b53093cb8b00a061cc31ab73ed3f6ad6ed9cc404cf6fbce1483

memory/856-1676-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/856-1675-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/856-1674-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

memory/856-1673-0x00007FFBA2A50000-0x00007FFBA2A60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 c72730e6cdf9ae512c91ebd7cd455b24
SHA1 bb80d564d151b3ba9d59c1554a96164ea6342238
SHA256 cd0c97741ba1b43ff1ff8c3e277a32419bbc1d68994d840d630df1f62cb4124a
SHA512 43303ff22227b0ab93f21f7b335f7891a73cfe28961082b59f181189d721b7fdf5a83974ab38200afe3e160555a023a715d5a49f0792cf412e6b7d1a5805d952

memory/1420-2043-0x00007FFBE29D0000-0x00007FFBE2BC5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 509a79a0f70d0d4080e134eddee963a3
SHA1 4f33982d4fbcbd4c72abeb92d8e49b6d19bcbc1f
SHA256 7c7ea7bef3ef4fe8f7f8b09f8b219e8a319d999b38f27b14d6e2efb8c3891a04
SHA512 6c94c298a7ba69a70c802372edb00e5e9a694f24096be3e6dee544adf7742909613b498c97a04ae7e7d69bfa4ccdedae2e9bbe71b402d19f2dd150e03c7acd42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 2880ac73a8b13a49db4a540c4421f0b2
SHA1 9c4bf6f49560ea2384d9a5c6073a34a8d3deb33c
SHA256 bc99e5e9e2e8d55ac421505a8cf2752bd3f09c8a46b1a58f6aebd3d3652c7d24
SHA512 cad5aa9a2aae37735af450b9b682aa40ece4fd27be8c289a707cae44eeb4140856f3217a5c2203e1441767bd0a93f3e7ee72e5be9c6afc5203275eb548c4ca63