Malware Analysis Report

2025-03-15 07:58

Sample ID 240815-253nvs1alc
Target 9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118
SHA256 7af2939fc061dcfdfcc640f224a4f1f73efa5b49113f0900324def05c0ec84d3
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7af2939fc061dcfdfcc640f224a4f1f73efa5b49113f0900324def05c0ec84d3

Threat Level: Likely malicious

The file 9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 23:10

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 23:10

Reported

2024-08-15 23:13

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 intellimagi.com udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3380-0-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-1-0x00007FFACB20D000-0x00007FFACB20E000-memory.dmp

memory/3380-4-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-3-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-2-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-5-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-7-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-11-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-10-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-13-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-12-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-14-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-9-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-8-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-6-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-15-0x00007FFA89100000-0x00007FFA89110000-memory.dmp

memory/3380-16-0x00007FFA89100000-0x00007FFA89110000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3380-36-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-37-0x00007FFACB20D000-0x00007FFACB20E000-memory.dmp

memory/3380-38-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

memory/3380-39-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1ae37bd6ffaa0248ff050991d66053d4
SHA1 11691ef63e5f1ad3551840f0acadcaf76052e73b
SHA256 e63b5d718dc49ef94715ac1e1908332b3fc7cda877679eeadc9760bbd72a75ff
SHA512 ad94e68d712f9ec454d050df322575528f5c966e4c695c9308b61614f726ce6b869393602035f09c1bd88a8368efdea8f1c82c3cd719d4631a85e7a9bb069a94

C:\Users\Admin\AppData\Local\Temp\TCD6A7.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3380-216-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\909D7E49-A275-4871-88EF-849635690598

MD5 d2fd93db6e8fdcde232c5f57a96b9cd0
SHA1 a7322f5b83f91acb832ae021dc0d7bc4d612d7a2
SHA256 3867bdfe9d367fdb809e79867168ca58272b0613ad710758c5deadab8e67adba
SHA512 2c6837df22fcb7f7d67d622c97d9b38c0f91c54ec2cc5dc198c10b1b6bf150aacffc59e6dbf51046151385a87b6f723a558dc67ad132e3bb3246379e38b1dfa7

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 1d58141a4845812f80f7eecfc59a3921
SHA1 98df47df400e7dbbc1a7e624465ca677ad270da2
SHA256 0c4e1f8c0919b167d2c9415c7c8912a5d5fde44d846cf48689e3c2f754cb32c3
SHA512 3b6c1823b45f57e8efe66538031a80ab550725ff00a79e00114d20515776b19308a951adc53b402eb213a483703bd5b9038adcb310adc257e34e63ef4f596207

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 d23099b642d99651898cf9b3edb05000
SHA1 4701fcc984d7633ae9d57f6c4adf54a055a18141
SHA256 572034594c7e5fc494ac8c975965e072215896fea3f89f10281e30746e53e1a2
SHA512 022453dd3cb654814501f3b453b6336745278d60e5b5194fa04ecf4708fa6e3130a0d41f94232e59c93c10001a026a3852226297eee8790fed149a0bdf41dee2

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 5f68d72f3803dc30a565994a9ac24774
SHA1 dbfbc685a61df1cf2a8f338e61a8d9358b0b41a9
SHA256 e836daa9209f5558fbd01d5e744a5a733a0c583ff630080ee4a15bf5723ad91b
SHA512 4b72e2350ec6484e77e2102e8aa23c78dc314ec8d26c215d028d72f68a184fa6065053737dff375466674e6f510d96d7a04a46076ba386508b1584ce6e2b584f

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 070bfe8987e02e99ea805335674587f7
SHA1 483eb5b20246a6dab5a56802a5acbf832a70423d
SHA256 930cf92f11888f66574128eaf427427270992bbe5d5e350fec69a053493bbb9c
SHA512 c8b5efed97cbb09c864bad9ba552191d1db645165d79c43d7dcabc1c2a075050d2b6b956cea0438fad913dd24a49f77ae595dab1a50a878903fe3fca8e6d239b

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 99dfe8f131d2e3ea3848b0b0c403da41
SHA1 86d4f4bfc77af452e64d0d472bdfa8ca1dcf626d
SHA256 bf090d65fa2982e7b16b3224dd76ac8a26d8660953421873d331188bca8ddb67
SHA512 cb547d9baafc82e378cc729530c87bc9c0250e935bd0fe142a5920bd8e60ab8767ac854e81a3a4fc03302b4e05c5b6d19597e22ccbc0f653a044de5d160a5d62

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 c73600c10c664c198b2bdabc77141877
SHA1 2073348fa5657d745c371399ef27f6e7ca223d94
SHA256 38a0d78fd0dc5194f40c4c048a021f408ec104a5b0218ab95378579abdbdab3d
SHA512 afe9523cf74317a1f517d2aed1ec61b619a6dad9ca134488d8ba9abb21c3b13773082bb67d63fb68acb90f92b60ed7d6558c0212ff47b6cc438a1ed39e5c4297

memory/3380-1441-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-1444-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-1442-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-1440-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

memory/3380-1459-0x00007FFACB170000-0x00007FFACB365000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1860cdd48aea9511bbd598c3d6e80ec2
SHA1 4d80fb389297d1b42330fc9cc043890b7de843ef
SHA256 c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA512 64718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 e52708a5296d226b2c7dd321d977edfb
SHA1 76a5656bc39a8dab8507006c6b33366d3c832411
SHA256 ff2c1a5eea246d73a2d9ebafd8fd75e0ba10c7a452e1aced087988e1df072056
SHA512 9d42ca5a29d2d9da755447b6b728e036e194929216fcd997bc54e44f27e81c72f27c009859ddfd389e4ade8f5aad9e41029d98a1c2cfb4e765df9e313a82e4dc

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 f5620c92cbdc293c3ae3aae31aef598b
SHA1 1f2b47a9ddcf2e644eb45eba39cdbf02ab292bda
SHA256 a31cb1fb5b8ae640c14a44be54ba89c30034b42c9638b264583e38924e787f12
SHA512 6009ec07f3853df80436f80e3d81a5d95d0d2ff2d501d46b6854438bfa16447e6a787f6610556b957e0e950087109145b6f94de08232d4a085035427e8db7c24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 5610d6280e914ecd9b9592b024ce1f7c
SHA1 17bd33ed229304dd640723a658f693ba76ce43b2
SHA256 589ec3cfd7a9da8d3bca1fe02f2c2b20b3337282a88629586a2c7cec801f7189
SHA512 bc735521cd7fb7a95956284628ae13d2b821a3067c9e4bef3d0ce2e9c453a17297a357fd3a9d522b60a9f915fd9b2147f788425237004b88d27d2fdb6256fd11

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 23:10

Reported

2024-08-15 23:13

Platform

win7-20240708-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{D52A72E7-B9A2-4FB9-928F-DDE8BD83BDFB}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{D52A72E7-B9A2-4FB9-928F-DDE8BD83BDFB}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 intellimagi.com udp

Files

memory/2308-0-0x000000002F381000-0x000000002F382000-memory.dmp

memory/2308-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2308-2-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

memory/2308-9-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

memory/2308-11-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-35-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-38-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-57-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-60-0x000000000F1D0000-0x000000000F2D0000-memory.dmp

memory/2308-59-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-58-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-56-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-55-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-54-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-53-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-52-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-51-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-49-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-48-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-47-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-46-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-45-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-44-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-43-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-42-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-41-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-40-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-39-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-37-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-36-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-34-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-33-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-32-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-31-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-30-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-29-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-28-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-27-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-26-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-25-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-24-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-23-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-22-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-21-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-20-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-19-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-18-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-17-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-16-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-15-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-14-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-13-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-12-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-50-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-75-0x0000000000710000-0x0000000000810000-memory.dmp

memory/2308-61-0x0000000000710000-0x0000000000810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{C077EC55-D48E-41C9-A22D-FC041D783642}

MD5 524ebbc9e961ac36c6c3ea3c90c88cd9
SHA1 b5198e00fac9384a4121e59e4694d35ad6889067
SHA256 24961422305ecfefd26e5e430c27442ce7a525dc4bc7fd49dc6e4ec89dac2044
SHA512 d5c91415b88f375f3bdef1dfb55d30f8954e4910f3a1e78ad96f102161f353590a4d7c6933493b0b60f7e27b959dd36d2ff0fdffef066f980e9d592ecbf54152

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD

MD5 acb2dc9d1d60d4be52b34a01105e33d4
SHA1 2977a8e254de0fe91731c3c5555ae1dc51b6a0b0
SHA256 cab03330db0ce720331bbe997efb37ca5d3bb5183748f3977f9693fdb1245508
SHA512 e750891a8b70af849f157713df7b887175b582633b05d1e45907e410e24f3d9407dbd55436ba5dcab018f54504d4c7914cb1c5c70a32667d4a7b2563118a22cb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 0c7bafa3d83761b5c2ba870cfb0d4b00
SHA1 79496b6c2591ce83ea62167232b45e7817b20a1a
SHA256 3c3a28ede599c11e1b7d697d8a6ebcb32232f88d08698b8a0065577725eabd42
SHA512 45fdc6e937077a4b1d8685fd4260dc705ce402c2a5c0972c7a0cce2d2b5e002726f28b685258e3f37f4a0f5c2e7999cb762e201da0d546ccb9378b9bbfeaa002

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD

MD5 c588226cfff4e080029eacaed537deb8
SHA1 2686f5d06f8ecb34ba1f8e8589c0b06fb757ac24
SHA256 3862734e0442b5eda9d47d4118b8dbb3fd8d84157c53ea6b9f16b98ba054316d
SHA512 e54468646eb90f660724a9f08aa12ef3bdcc67b79099b932e3a0fd462fc441dcf6d3fe1cf1bd07cce9ac6ffb8e16a406f4669bd057e02640525243f1dcad05a1

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 16813db43aa061d5ab7e426a218e1a2c
SHA1 3aede5b75652f018c56588c12a7852ae4870fd75
SHA256 85589d05630af3ebcb16724c8814c09c43b7e38ea3b71ae5006feede59e2f8c9
SHA512 55c1d31f57a530c3663bcf30d767988b3f239a522d7ffe9f8b31637421e1eca0c8eed448ebdb2e434b0912b3908049df5300b54a531527efc91848d762a685f8

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 ef52b10af51f5821457dee22b583ed36
SHA1 be0223f91758f86fee3d093efa5f44eb6bce7458
SHA256 b0ec45f16c8fa8887992418b72f2d162c82a82824ab2b323e1b6b05d6b17c8cb
SHA512 ca8000b90f0f9564c3641ed71ab8c4e0ab854edbd701ecee99593b41331b54de2bd4827ca16d6cd2ac0e5e2140f73945ba0bb670cac7fafb8d32b6728516154e

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 979da8e51b79a1d7b3a5f422cb9a08e3
SHA1 078b63ce6b7a279129e3665bea0feff3205f9aab
SHA256 422a5541c6ed465b9084ea1f8c3b4a61f2f9e1723d0bb401a3a37d4af2192b9f
SHA512 ed68e06533c66a5b73c9eaee3dee6a4ccaab4df9f3e432f3f7bbd3e6025e71fc3385a0c7118179f55931e63a57d6d079c7c5d91d9bfb9218e912e26d4deb1f85

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD

MD5 5cb7d1ee95b713b55e804e56f067b0d1
SHA1 4632fe9c05d64fff635998ae1b7da26fb8bf1ba4
SHA256 d6fbcfd817c92420bb1d5878a4f53e1f1425b22d337565b5039d0885cc96ddc6
SHA512 24067b4989b439c563af5341e5b65be4394afc6dee0e2562e846268d58395cecce198a9b415668e8079d0a51a9098d6d79bb9d6351050c3b5e7b5cce1549c03e

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 2463b70ae81dde2232078bbd32e4c620
SHA1 6ac326eb9ef865647e798ad890e8f094f6f0a531
SHA256 bd66ff8f468e97e519ecbd6ecf78d61a6a9bf831099bef53363bce8e234c3ee8
SHA512 710f73a2f8337590caa81b9489e802d8fe63a9d283e02542cf3de7d73a610a2bd907d67c2081d69024e73f69cc09d3e9893bd8e43b2334f6d542b344f6a0f5e8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 8ad597caee326e32ef7f66586f74b05c
SHA1 413308abc84d8126a29f3c3e15b2d37ac9df4137
SHA256 3afebf6e75b0f119b62a9e48a8eb02b2bff8a79c227def46bc45d6702e60a5d5
SHA512 5ea0c45b9fd21732bb949fd2f945d472f65d0f5f12151cd61e00f478f6444e9255bc2606c9b502aba40306a5d6fbff2a5be049953178cc6e175c79a104715830

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD

MD5 46c84d332708de5898f1118027ed9022
SHA1 a8c0a371260482c9049996cf44a90706699d9b72
SHA256 d37fcc39381c27dfa43bb2d9788e1e9ff7923996f174b55ad8bfa44d1d38e8e2
SHA512 0c006212ca20e60d8de90cb92b0ff817d088d271722a51d3ca994bae31e67e82c76aa7d743a33e7489e862ee3254f019d8b2d6bcf821e6baa80465e4527290d4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 09f7dfa9087bfb4b4ecbc8b2bab40f14
SHA1 74e95353545c43304af23e36d5f74c25bc7d3eb8
SHA256 39cc0e9bac70124e22a1bc5fb093baf9f7c0542d379c577c3f911a0ea0ed5dda
SHA512 2eb717dbefee23c2e858f5cb9511df31d2b09c5d3a5eb5cdfbac4cb550912e212a06f11f131327ec65aa62da96d36ac5eef8b5734fbceed642a1b8797c7dba2c