Malware Analysis Report

2025-03-15 07:55

Sample ID 240815-bdv7la1dnj
Target 985b1fff593020af8a5dab1b9a431863_JaffaCakes118
SHA256 15dd0ac560d8c37a7b49998aef5111f5615cbd1c3ff7e570e387684ffde709af
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

15dd0ac560d8c37a7b49998aef5111f5615cbd1c3ff7e570e387684ffde709af

Threat Level: Likely malicious

The file 985b1fff593020af8a5dab1b9a431863_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 01:02

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 01:02

Reported

2024-08-15 01:05

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bRBo_Ao596114.985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bRBo_Ao596114.985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bRBo_Ao596114.985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bRBo_Ao596114.985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{A3DB333A-F5FE-4A3C-B679-5AE0A8324459}\2.0 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib\{A3DB333A-F5FE-4A3C-B679-5AE0A8324459}\2.0\FLAGS\ = "6" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A3DB333A-F5FE-4A3C-B679-5AE0A8324459}\2.0\HELPDIR C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A3DB333A-F5FE-4A3C-B679-5AE0A8324459}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A3DB333A-F5FE-4A3C-B679-5AE0A8324459}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 khalilmouna.com udp

Files

memory/2368-0-0x000000002F991000-0x000000002F992000-memory.dmp

memory/2368-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2368-2-0x00000000717FD000-0x0000000071808000-memory.dmp

memory/2368-5-0x00000000717FD000-0x0000000071808000-memory.dmp

memory/2368-55-0x0000000004D30000-0x0000000004E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5639E7B1-8E06-4A69-99A5-1992C6853266}

MD5 fec7f22f9168935f75a2605d2e9caaab
SHA1 e592df17edba3af1a7530f769cc2dd902ff889c2
SHA256 70a211d05ad59520cfad5651a071b5616dff720c3cb1a167508523aa879b6cea
SHA512 2ad025e945586782227a7fc13504f14816d35a17d218e7e4023a991c29225e697d31c08f6547ebf772ac05cb37c414dae072cc3607abb36e64ec837fabe399bb

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4EBC3FF6-3874-44BB-B795-2EDBE190D48C}.FSD

MD5 37d1b12e109404ee2a5eb275201e8751
SHA1 215de708019cd620ef6051dd70f99f10fee93d73
SHA256 7e861fc9ca466f14482da988fc42ee256cc8727eba68a06759d39b3f6c549194
SHA512 c69ae0e1dd659c7d96dd86dddafa753be10d013c4946a653c521b62d39ef99cd24f1ed1e940b3c88a834d7a3bf76546f6a7e8c43168d12cda106bb7641d4c537

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 303f1e42012341ff8d81d3a7a8f6a530
SHA1 14c04b0c1c6d93fc619053751604eae0b8f42e26
SHA256 70be1be1f2c2bdeec2256197025d4a9dcf22be8ff0b3f92b261bd8d6805a9890
SHA512 a2cc91f0bb94741fccfca58cbca6e10108b35cd41c32282b312973875bfe6a0bf06ac04302ea3ddfb6bd82d15e830bd6b2346dd9d84ba65bed7d2a4853b288e0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4353EB84-202E-4476-A9C7-47E014AAD3DB}.FSD

MD5 1647641da8580f1a6a53b83c2820b7fa
SHA1 2ffd2f769a144bfaba7619583e8f4cba07f7e0bd
SHA256 cbf75d702b65f06f7ae5c007d12037217e3f83de7cc5864ac2361cf710f6b2f5
SHA512 5b5e5c7875c0755be6fc29fbcd35316f85ab5a2a895dbc773dd75ce06f9393f44c787b6fd07cae1f5e2d0c01bc28fd5a06e1264fd47afdd4755a38e3e9bb9ba2

memory/3044-1014-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 27508a364854ac2dd6ea56b63d92b19e
SHA1 0d1df62a2a646dc80fa60eb0591f8230439d54ec
SHA256 2e672559864a437e943d55cbeeacf35fe37088b51f2250e588e9e0ca4a03a980
SHA512 64df4e63f381c7f100c67bb87b26fa9a27fb45e17ab4f7617c3331825bc2637ae7f5658ea1460beac0f44f44353c17e7fcbdf1aff3b9cea619c0d7281aa489aa

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 a6f367f5200ee24fd797862a0250adab
SHA1 e7142823350c42942c5b2de902cfc4ccc19e6e7d
SHA256 a7903858455d3e4dafc50450a6ccc6137b95e846458fa9518473504958d4d83e
SHA512 7bfc5212b78557713dad9a4eeb20ad5c981e966efa799e486248681bee28de0a5f389056a5a2dadd1c6386d8e78bc63bf0d84adc3df876f6d8454cc5a5233134

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 7b9b5f7d2eec531785a425ece63ed525
SHA1 a37e0897603ab10fc636af83010cc6b45bd0becb
SHA256 0e697356402470a26b76c0b60dd0c4ad4abaf96f9663b1d59c11b47ba4afc4da
SHA512 18e4e21e3a0ab8f3a232a0e96e770a736b1fc08cb60014a836d45284bb8054fbd4780cd8bb815596c926ee163084f4ddf8760276e1d4eaf4290baa92709196b6

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 702fb6262a02c67c1cb1c4da00de3c3d
SHA1 cf4413f4843648912f1c5baa59d5eec563bc20da
SHA256 6a11022b3ee7faa0d84cdb788816b6648c80eb627847fe4cf4b447c8ee081dd3
SHA512 0a769a8ac856c46600678de9b892329d6d1f177f6a9a89c8dcaf524163786f9aa5a743e71b5f6d39017e9577b0a9b0628c27d54520c23395d0b58e921ada2cb8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4EBC3FF6-3874-44BB-B795-2EDBE190D48C}.FSD

MD5 d0683f7befebe2adca76123e3d279545
SHA1 aad650f68190d9b2d9479d9732720c0a13a83389
SHA256 063d0c5e23e21d865211f2924af9a4c0ddba3aad9ba03556b1e38a1b12d497de
SHA512 9b1d47889297109a6e77c395e9b6ad8c5556dc765d066faaf6ea13d7ef6b81acaabae21c7d3d6ae37b57fca188e71fd7a541f6966671148501ef63de266e0c8c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 d18dab793bfa7fb17cac5a94652fd57c
SHA1 32c1693d212dce8f4fcdef85d9d638c8481f7545
SHA256 d689b389fbc5f24162d93ec89015b0c06644b11c6c2815ad426bee81382bbda4
SHA512 a2a16f13c46b7efd77d71ae6f4b3130713b80be6caef33f4a94791405cd0fb3401697851690cba42c0bb5ecff750c251d78c4876d37ebf04a94fe87b2f77876d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4353EB84-202E-4476-A9C7-47E014AAD3DB}.FSD

MD5 96e6c8cdd1cb5e8750b9131a9a5b46dc
SHA1 c83df4b6bb7ff9de1dbd8b106e241a7767a9cfd7
SHA256 a3a1b38c228d2153671d99c04f802a50246edf7fac7c7df00d5f384acb51c923
SHA512 1b8cfb4313024e7f7c796a7281c5cca4027098ec3329c2bb098f0664a275f0f8746cd25bf08d4bd4be97d39ae3306aa23e1d1cb3e7cc576bc481aa955cfb6e64

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 01:02

Reported

2024-08-15 01:05

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\985b1fff593020af8a5dab1b9a431863_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.140:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 140.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1116-3-0x00007FFDD548D000-0x00007FFDD548E000-memory.dmp

memory/1116-5-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/1116-9-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-13-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-17-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-18-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-20-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-19-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-22-0x00007FFD92F00000-0x00007FFD92F10000-memory.dmp

memory/1116-21-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-16-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-15-0x00007FFD92F00000-0x00007FFD92F10000-memory.dmp

memory/1116-14-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-12-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-11-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-10-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-8-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-7-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-6-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-4-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/1116-2-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/1116-1-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/1116-0-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 cf6be6773d2e9c2dbc8f03427d3deb72
SHA1 0886439dd249271fbf82dd050273368a2409c798
SHA256 39d783ea8ef6298ac9f904df8aa5029c9175a69f2095d8a87ca4a2d5ef65c6e1
SHA512 59d301782f61c9b116e8734b84866ee6b67ef0fb0952df2574f6c1433c86bceba2c1f2fd2ea10b5bb90b696874b6b43bd6a73a3b892cce328ab565568efd52e0

C:\Users\Admin\AppData\Local\Temp\TCDEF8A.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/1116-161-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

memory/1116-214-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0ACAE7E-C5F0-4E0F-A17F-C303514FE9A8

MD5 1d1962a22fe10255bb9e6397368565f8
SHA1 2199f069555677667354b43a5ac02e910d52c321
SHA256 e19c064913debf3d9656609cd728385c1e51191d61bcf23317fbd3f79fb77261
SHA512 43e7d5167f422dafb31dc9df6bae59a155228aa6cac15186110b734330caccc2a10a7c0ddb30c9624f4c4526434334bd6d561c1c02f862fd973d2f7b22630a32

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 c5b5ef2a03a15da8ac71ec86a38e927a
SHA1 1852d311495e7024e22c25f6bc507616b78c5f92
SHA256 32382781bd229aa141a31f88f26e5da08d6ce78b578be4a956ce3308f3f9147c
SHA512 622a0c3779054d756f78a3c7b50c04a10a031cd9a5ad3817b70aa35555118e40f4c6cffe2436bb8bc5daa60153a9fe083db7e3627d3b1b1cf6dcdfde846b9fec

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 6a62a1aba4399bfaa527af6434df8b2c
SHA1 edf971332f4a455cf7f621ec1091eacf088ae40b
SHA256 71dc75fa61d5590e509ee53024885f3202c21b45350c2a9f353892d0451b32da
SHA512 750d55c0f376a42896a9d3056164b35b0500c984c27e7fe0e08caa62ef97e3af5eaae2d7f322e59929a944ae223cbf2b241480ea04f17f0bd712372f2e04df44

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 299790eb4da891c0cad926473bdea5f7
SHA1 dacbd07b42d91a20ba9bfcdee5cdd75ce15644da
SHA256 6fac6770bea97503592e79ac1d458450afd373eb2fa1accf4218d5ee447d52d9
SHA512 3ab4b0d6b5c1eecc6b3fb37ffdf061713906c92b6c2e15f7f869f7b6a8b45a6dd069743080f3fe57f9726770f49a8826b07f50987fa148b882593481bb3670be

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 153cafd95f478f0fb9cf93d3424dcda6
SHA1 79d3141d9d0de579cde4fde6ea8d5a8dfb937e35
SHA256 3f1e50c4b4943b952b02871ed91489bf61c67adbf38ea29cd6a553ad4e45b45b
SHA512 f03545976a6cb0174b65f8e7956795ea9385e8c50e11375e1bf7861dc6dcbb5caedadf51fcd4caf7cd921d73162b66ae56652ed2fca7433a087395a587861cf1

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 3d36ab00ecb8c608b99387694aa71bd4
SHA1 a1747b683c4a581f2a1190d7c323a110826d75da
SHA256 082aa267c3def8abba9f28137f7e8692516121a61468608afeab225c92f3cf48
SHA512 50a341e123665c4619b8689bcaf20b122b2b5e25b8022983d2cb4531283e576d499ac1f818492c47cfa3b9cbef0ad02fa760abb2e1ba8db1f7618d0ce2db2b45

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 2ceb8694ef805c34ef3d89d5fbbcf44e
SHA1 fc2044b96aae4d5bd5e40f8d31bc7b37167be9e7
SHA256 305519c1296341b9125c5f405d672d0bf98bd2e61109b510bb3f3c30168f535c
SHA512 a8ccfcfdffdd14821a691fb1049cb2231d5b3c85c8c403cc48ba77d09487f56868f8a9dfce8a3795be0f14ba8f717a3446ff6ef3b3d049283dbfae947f8db5ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 35051c24742e89e34cf9784a9ab07ba8
SHA1 2ac404f2af8535a53d440705d4b5a1e5398cb4a5
SHA256 1deca664b2555fc611bde7bab71d3e3ae2b0d755a25107c800d13a30c9b54118
SHA512 ef8efb1c9dd496c4d5a622d4f939e8ec573256202dbb70c41285a2d4026314bc3b5cf68f2f6540caffdbe2e827e4b36b28d825be3a6e94be6b7644936b7a9b40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 b8c0f9edc69747692df1d72ef62a993e
SHA1 14b4069ff68209aa1f15b87a6e063118e0c9d92b
SHA256 a8a0ab8dad87e93e2c746556420b921f150388943fe45bab7f9c8ebb222be40b
SHA512 cbcf6286918ca3458be7038c74dca1c1cbe530e8f364f31da99a5c8b94bcdb642e295b0ed2525ae4098e4d3a2d8e704756f570fbf13b6927e31431dd0ad8acaf

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

MD5 1a4bd91a5bb892684912659706e1e61c
SHA1 470791cb18964759396930b83586e021aa916397
SHA256 8c7e4bfd0a6d668da08b9b3717caddfb838bb8e87bdcbc1806b98420dce4ca98
SHA512 3387f95b5913e97fa24b63424dfd6f3ed367cad49d9e0118ff4b1660d9071825f2d08ac1833d2725782723f95f744ccfdb546181133fa2eb6c3a22cf1f4ee337

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 d1c1ce3ced493ff9d035b7d341b6d3eb
SHA1 a50a3a6228f0c4e9c99fac7da26ce627f45f8556
SHA256 f4af552f111bc1c7d8b48699b9da255ce4edcc3d2a9122a26941a2e0644dcc09
SHA512 e33296f482ecdcc1b7352c49d3a1b82b8b31550533ed65fec0b822430fd0396757b33121e68591b07aa9592034f0a7dce7b316f896c8e4bd312802203d9a988f

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

MD5 4eabb6fc2695a5a43afa79f1a75a941d
SHA1 677d4724956af0aec27396340a2da7a80ac59e54
SHA256 5c639d8a1183d08acb1c0d4cb5579204f24885bc5b20c1a5fb72fb0314427ed9
SHA512 8d31a75bbfb87a744c05db8f2205b5490770550a8e081f995bcb6be623a87a21675c021a9671f5f10598b771b0d9a6e4fb2108d50e8b0a70feda97038e0ce9e4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 083b6ffd3ad6d6577f772a5ecb3ec394
SHA1 c0934fd927c13b76086f274db55c29d96e74220c
SHA256 71fe1f648000bb3af523f52cea6c68af959155d3b8db4cf8fbeb662a13289363
SHA512 46db8502c99c10fee934f0dbb3648363305b9e8d73350820da654e4de4fbb06ea3ed94846898a64c0ff7b861196d99185040616199cdef115235b8e389e06702

memory/892-2082-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/892-2083-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/892-2084-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

memory/892-2081-0x00007FFD95470000-0x00007FFD95480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 5b4ea7676f0e3aa19f87eaf81cacfc69
SHA1 a776b52f53b1002255d87b4ced9f0d385d4f17ed
SHA256 7e04d3b29ddaa7b7480f081db4d4f3b881e5945b40cd9a7582986603f8ceadaf
SHA512 0a5cbf228584dd5b31b8d640f498ca1003683c571c5f77963b56dc7de6de3e8f5b161781f6d8344e2029816da2909cab293161265eac390646420def640c612b

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a205511afbea748b096ce39a40cd3648
SHA1 3284498daa3b5b9addc2cd946bb48b2cbd048282
SHA256 52a5651762b084c966ec5b0e28123769942884e8e29003fe3992af0cc27080d5
SHA512 18b1cceb69ca0993d831303b3efc14045be7ee1c8d4be5c89c7eb2b0c788075fb45f91b4ab5806a160dccfa35f61017b41d81ac9c3cb52cf85223545e06f3d92

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 a9c44255d0c25d26b7060069e8882135
SHA1 a30c735f662612785565898f2aac5e59eac76d55
SHA256 af539487ea047042252e40640ce9aa4b5d483fb37496633273c13b34909fa823
SHA512 b41b81ba01ab1843be05c74bc8d564ce48c4b2e98c43969b62f66c12c1e17546c9dc1b093d6bf42da9f524dd53b1e74285152c095251966301740b8433640d11

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 33eea2792b9fa42f418d9d609f692007
SHA1 48c3916a14ef2d9609ec4d2887a337b973cf8753
SHA256 8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
SHA512 b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

memory/1116-2129-0x00007FFDD53F0000-0x00007FFDD55E5000-memory.dmp