Malware Analysis Report

2025-03-15 07:58

Sample ID 240816-nv16dssere
Target 9e39301bebcce3f25a47854bfa890673_JaffaCakes118
SHA256 21e1ef60214dc04018b919609502116286303b4374dc3ac5966aa923fac9616c
Tags: macro, macro_on_action, discovery
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 21e1ef60214dc04018b919609502116286303b4374dc3ac5966aa923fac9616c

Threat Level: Likely malicious

The file 9e39301bebcce3f25a47854bfa890673_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, macro_on_action, discovery

Office macro that triggers on suspicious action

Suspicious Office macro

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-16 11:43

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-16 11:43
Reported: 2024-08-16 11:46
Platform: win7-20240708-en
Max time kernel: 144s
Max time network: 144s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc"

Signatures

Abuses OpenXML format to download file from external location

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
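The indicator above is the mechanism this signature names: the document carries a relationship whose target is an external URL, and Office resolves it when the part is rendered, no macro needed. In this run the Offline\Files key (its subkey name is the URL) is opened by EXCEL.EXE, which Word starts with /automation -Embedding to service the linked object. The scanner below is an added example written for this page, not report output or sandbox code: it classifies the container by magic bytes (the sample's .doc name says nothing about what is inside), walks every .rels part of an Office Open XML package, lists relationships with TargetMode="External", and flags the ones that make Office fetch a remote file. The test document, the relationship types it treats as auto-loading, and the extension list are the editor's assumptions; the test URL reuses the host and path from the indicator above. A legacy OLE2 .doc is not a zip, so the function returns no hits for it and the caller should fall back to an OLE parser (oletools' oleobj, for example).

```python
"""Added example (editor's code, not the sandbox's): list the external
relationships of an Office Open XML package and flag those that make Office
fetch a remote file when the document is opened."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Relationship types (last segment of the Type URI) that load their target
# when the part is rendered; the selection is the editor's assumption.
REMOTE_LOADING_TYPES = {"oleObject", "externalLink", "externalLinkPath",
                        "attachedTemplate", "frame", "hyperlink"}
# Hyperlinks only count when they point at something Office would open itself.
OFFICE_FILE_RE = re.compile(r"\.(xls[xmb]?|xl[at]m?|doc[xm]?|dot[xm]?|rtf)$", re.I)


def container_type(data: bytes) -> str:
    """Classify by magic bytes, never by extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml"
    return "unknown"


def external_relationships(data: bytes):
    """Yield (rels_part, rel_id, short_type, target) for every relationship
    whose TargetMode is External, in any .rels part of the package."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel.get("Id", ""), short_type, rel.get("Target", "")


def scan(data: bytes) -> dict:
    """Return {"container": ..., "hits": [...]}. A hit is an external
    relationship with a URL or UNC target whose type loads it automatically."""
    kind = container_type(data)
    result = {"container": kind, "hits": []}
    if kind != "ooxml":
        return result  # OLE2 or unknown: hand off to an OLE parser instead
    for part, rid, rtype, target in external_relationships(data):
        parts = urlsplit(target)
        remote = parts.scheme.lower() in ("http", "https", "ftp", "file") \
            or target.startswith("\\\\")
        if not remote or rtype not in REMOTE_LOADING_TYPES:
            continue
        if rtype == "hyperlink" and not OFFICE_FILE_RE.search(parts.path):
            continue
        result["hits"].append({"part": part, "id": rid, "type": rtype,
                               "target": target, "host": parts.hostname})
    return result


def build_test_docx(target: str, rel_type: str = "oleObject") -> bytes:
    """Constructed minimal package for the test (not the analysed sample):
    one main part carrying a single external relationship."""
    rel_uri = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/" + rel_type
    safe_target = escape(target, {'"': "&quot;"})
    files = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" Type="{rel_uri}" '
            f'Target="{safe_target}" TargetMode="External"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, body in files.items():
            pkg.writestr(name, body)
    return buf.getvalue()
```

Run scan() over the bytes of a suspect file; a hit with type oleObject, externalLink or attachedTemplate and an http(s) or UNC target is the static counterpart of the registry indicator above, and the host it names is the one to look for in the network table.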

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

wiatrace.log is the Windows Image Acquisition trace log; Office opening it is routine and is not an indicator on its own.

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

The keys below are per-user registrations of Microsoft Forms 2.0 (MSForms) control interfaces (ILabelControl, ICommandButton, _UserForm, IMdcCombo and the like) and a cached type library whose HELPDIR points at Temp\VBE, consistent with the MSForms.exd listed under Files. They are written when Word loads a UserForm from the VBA project; this is a side effect of the project loading, not a persistence mechanism.

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{8D816DC5-8938-4ED4-9497-182758A1CFE3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D816DC5-8938-4ED4-9497-182758A1CFE3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D816DC5-8938-4ED4-9497-182758A1CFE3}\2.0\0 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D816DC5-8938-4ED4-9497-182758A1CFE3}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{8D816DC5-8938-4ED4-9497-182758A1CFE3}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | khalilmouna.com | udp
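Reading the run as a whole: WINWORD.EXE opens the document, starts EXCEL.EXE with /automation -Embedding to service a linked object, and EXCEL.EXE opens an Office\Common\Offline\Files subkey whose name is the URL it was asked to fetch. The network table records only a DNS query for that host; no connection to it is listed, so the download of count.xls was not observed in this run. The script below is an added example written for this page, not sandbox output: it extracts the URL from registry rows in this report's "Description Indicator Process Target" layout (assumed: the Indicator column has no spaces, which holds for "Key opened" rows), counts how many times each URL was touched and by which process, and checks the host against the network rows, separating "resolved" (DNS on port 53) from "contacted" (any other destination). The rows embedded below are copied from the tables in this report; the extra tcp row in the test is constructed.

```python
"""Added example (editor's code, not the sandbox's): pull the remote-file
URL out of sandbox registry rows and check whether the network table shows
the host being resolved and actually contacted."""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Rows copied from the behavioral1 tables of this report.
REGISTRY_ROWS = [
    r"Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?OCMO_kU568825.9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A",
]
# Network table rows: Country Destination Domain Proto
NETWORK_ROWS = ["US 8.8.8.8:53 khalilmouna.com udp"]

# Description, then a space-free Indicator, then a Process path that may
# contain spaces, then the Target as the last token. "Set value" rows carry
# spaces inside the Indicator and are deliberately not matched here.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key created|Key value queried)\s+"
    r"(?P<indicator>\S+)\s+(?P<process>.+?)\s+(?P<target>\S+)$")
# Office records a remote document it opened under this key; the subkey
# name is the URL itself.
OFFLINE_FILES_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\Common\\Offline\\Files\\(?P<url>\S+)$", re.I)


def offline_file_urls(rows):
    """Map each URL seen under Offline\\Files to host, path, query, the
    processes that touched it and how often; repeats are counted, not dropped,
    since each row is a separate registry open."""
    iocs = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        u = OFFLINE_FILES_RE.search(m.group("indicator"))
        if not u:
            continue
        url = u.group("url")
        p = urlsplit(url)
        ioc = iocs.setdefault(url, {
            "url": url, "host": (p.hostname or "").lower(), "path": p.path,
            "query": p.query, "processes": set(), "count": 0})
        ioc["processes"].add(m.group("process").rsplit("\\", 1)[-1])
        ioc["count"] += 1
    return list(iocs.values())


def network_hosts(rows):
    """Split the network table into hosts that were only resolved (UDP to
    port 53) and hosts that had a direct connection recorded."""
    resolved, contacted = set(), set()
    for row in rows:
        fields = row.split()
        if len(fields) != 4:
            continue
        _country, dest, domain, proto = fields
        if dest.endswith(":53") and proto == "udp":
            resolved.add(domain.lower())
        else:
            contacted.add(domain.lower())
    return resolved, contacted


def correlate(registry_rows, network_rows):
    """Attach dns_resolved / connection_seen flags to every remote-file IOC.
    A resolved-but-never-contacted host means the fetch was not observed."""
    resolved, contacted = network_hosts(network_rows)
    out = []
    for ioc in offline_file_urls(registry_rows):
        ioc["dns_resolved"] = ioc["host"] in resolved
        ioc["connection_seen"] = ioc["host"] in contacted
        ioc["processes"] = sorted(ioc["processes"])
        out.append(ioc)
    return out
```

For this report correlate() yields one IOC, https://khalilmouna.com/docs/count.xls with the query string the sandbox recorded, touched three times by EXCEL.EXE, resolved via 8.8.8.8 and never contacted. Block the host and hunt for the URL path regardless; the absence of a connection here is a property of this run, not of the document.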

Files

memory/2148-0-0x000000002FE41000-0x000000002FE42000-memory.dmp

memory/2148-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2148-2-0x0000000070B7D000-0x0000000070B88000-memory.dmp

memory/2148-10-0x0000000070B7D000-0x0000000070B88000-memory.dmp

memory/2148-25-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-13-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-46-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-51-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-59-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-60-0x000000000D380000-0x000000000D480000-memory.dmp

memory/2148-58-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-57-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-75-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-61-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-56-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-55-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-54-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-53-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-52-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-50-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-49-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-48-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-47-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-45-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-44-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-43-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-42-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-41-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-40-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-39-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-38-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-37-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-36-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-35-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-34-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-33-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-32-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-31-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-30-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-29-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-28-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-27-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-26-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-24-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-23-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-22-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-21-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-20-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-19-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-18-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-17-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-16-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-15-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-14-0x00000000003F0000-0x00000000004F0000-memory.dmp

memory/2148-12-0x00000000003F0000-0x00000000004F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{CA0A8FBA-8F3E-4D3C-900F-69559D076754}

MD5 efce514216d43ba15e312b99f462aa37
SHA1 2d29beaf4954b4403c6e6bff9ad23d95a5dd5f07
SHA256 dcab7c7aac1e4b1962b1b0b58cd96f4b7e5df098ac9b8b23c491a54287ca0f15
SHA512 78ab7bebfcb592033ee476bf39180739b265b31e70376053b77253af0ac5d0f58d90759cd1ecad316780ccc6e00160deb6fa564427c77b90206a259db1c2eb15

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{666C0B53-A1BF-4FCA-974B-B66379797202}.FSD

MD5 7c3a15a735b8e59e35f3e0c4733a1786
SHA1 db73aa3fcdcfdd5c2b36a7fa9245b20e5e7c6b76
SHA256 d3f47e4e94a5c01cdb543ff908772612e4e967249ae31a03d501402110988af3
SHA512 a0c5de8e262da825ddbf625744d0b15dc8760e4cffa23a6a3d2f6868446a3b4dffa2ebacae2f58f50cd8aadcc569177d7d52367ff80f947e10bc16a2b1090f93

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 33c6b95e7f2b98b83912bec85ca1bf00
SHA1 0a937078a69ad736a861e8715e5d926b910c89c3
SHA256 f827e877426c65bf5c01ce353f6432d2903748e5b8fbdf01612e18eca9158f19
SHA512 38c1f5e2acb78605d108a05083946415b420b817ba9b6008cf5f82ae62f309369a4af1d35b08540ba5352945d7b5f812a7e147bc49b79f294b13203e633615e5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{154F0D58-719D-4D4F-A365-28EDD19D0466}.FSD

MD5 a51974493e5e35ee3e69d12da360b1aa
SHA1 55c857144a7e7fcdae6fdf06730480ed0178e4a8
SHA256 7a09ec2e8f162db0e745d8eb0167029296400b38d861664c864a30adb6f8bd0b
SHA512 f62977527712565cde66b682d943e82315411b5be34021d96dcaa11129ea76987bcb9181c4b3c10b0f8fe5bf304d9ae1167ba612aa9b7e48e273e0aecb270a3e

memory/2148-818-0x000000000D380000-0x000000000D480000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 aaf0a184045d04c892ff76ec465185e0
SHA1 d459b460456caf375eb33377e8f5ad9a83e3bf68
SHA256 fa22bb6c288f4e88946481a696c8501cedb5d5de37df15e39f5c69455ecfa894
SHA512 fd6954b49233616bcef60fbfe1f1ba5c63a0c975a28306e93f314c231ff9eb829b983918d6d47cd5f075463db49cd360e239a68f86f24e5e58ca2783fc2a319d

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 c521d379b38227a61858cb666871fe6f
SHA1 6b290b62e9c2805508e76eb34e08872125c7ebeb
SHA256 7810c0e79cc82b979f726af3015a276ad08cdfc45ea65aa7dc881941fbdb772f
SHA512 46ee97e9b5638d610a9da0c5a96f9d0a99842d43aba959a419877452f895f3bddc483714836182432b9be6f64ec923364fd65a85eb326eea4f8b006ef601aaa8

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{154F0D58-719D-4D4F-A365-28EDD19D0466}.FSD

MD5 7ab81e7de1d280f5d5bf8d3334f35350
SHA1 d97509e6f05e20e3ae1ccc514db1cd15d6e0fb61
SHA256 5e0d1a412b05f13da62f172bfa475a14cabce22c22ffad254efaf9d167ba9aac
SHA512 c1c051a72138bbbce2f159667f9d22df4bdc900c89e8040c6e523c8a8abc83b47367883553f1e999a4b8b48f04525254b75057b131d7e5f17ea1df3ef6ff934b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

MD5 eecfabf7360d8764f66f7de5942ccf12
SHA1 59766b9fe5ecd35db7063c9f0166759a9d4b4034
SHA256 2bed0894487a6bc5028a09e222a2ea9aaf1e37326e78256f02f4deca993f8e16
SHA512 56c23045a3712d776d3b541281795bbb6e4f04fb3deeddd0248921bf0334262a39336cb91dbc1601e7bc35c26b2f1c3502dc3b4d6cdbbb27231898826115324b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 4b1f6bef77792e65360bbe40e6c7f2f3
SHA1 98d5bfb52ac788bfb38154ec8705c7501039035a
SHA256 80c1e8410a47aa29a4f98fbc8f4f66ff731d2fede0e9e630c8151709d4c47055
SHA512 c55fa30a8d19238e9f9091e382f68fb97f63ac422fc3838507ea59b0881e0e718abffeb0f3939f9faf6ed52e206aa26775b3131552f7e344d6ab17925c4c6519

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{666C0B53-A1BF-4FCA-974B-B66379797202}.FSD

MD5 c4366415a26e6a59557b00c38d7e4d08
SHA1 2a62540ed7e75c3c5126ac0ca520f1d2f89e3d67
SHA256 b94dd6634a504dec713988c9ff2f0e8132a80a6c15de1248788d2ca2ba93cdfb
SHA512 46d694bf2fc9fe6a53a8cfc688d1d0131604f56c9e01e61e0ef8e6e32fde021b88d73402a83799fd24d6a76fb96bac652731e4104687483f37a8237f93f61706

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

MD5 8a73b6ff89d8caf2664de113e46fbebf
SHA1 fb2aa9686e8a83f9dd945f0ac50d51b6884353b5
SHA256 887099ef7402a9f013163b07d733c8845118e678f21becc0446a68aba3b7bc4a
SHA512 810874669e18f5ba851aa4ed1c123fccbcce369609c4070bddee48462a31aa3118b85ff62e929326f532f43a58d5a1fcde4e7cacf9b3431c1829b2d936525b8c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

MD5 62bf7fb1656b2b15a7e9dd3ac4a038ee
SHA1 0ec23179f437a9e19840be6a164705d400e50b35
SHA256 bd04d2455657cc66a6cb75b2a1cfa2f878d95bfb379591d17dce2dc42387eaa6
SHA512 a6b10a4e307319981505220d0dc04dcabe698a3e02e75d04deab51bfd8671f919b20c0850f085fad57d07919f30628f4ac69fabdb98d0bbd909bfbe9b7e7c0a7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-16 11:43
Reported: 2024-08-16 11:46
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 130s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
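Of the five Office processes listed, only the first is a normal launch with a document to open; the other four carry the /automation -Embedding switches that appear when an Office application is started through COM activation (for example CreateObject from VBA, or an embedded OLE object being activated) rather than by a user. The Python below is an added example written for this page, not part of the sandbox report. It splits the command lines with Windows quoting rules (shlex either strips the backslashes from the paths or keeps the quotes) and tallies launches by image and launch kind; the command lines are copied from the list above and the "com-server" / "user-open" labels are this example's own.

```python
"""Classify Office process launches from a sandbox Processes list.

A user-style launch carries a positional file argument; an instance started by
COM as an automation server carries -Embedding (Office adds /automation).
"""
import re
from collections import Counter

# Command lines copied from the report's Processes list.
PROCESS_CMDLINES = [
    r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e39301bebcce3f25a47854bfa890673_JaffaCakes118.doc" /o ""',
    r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding',
    r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding',
    r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding',
    r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding',
]

# A double-quoted run (possibly empty, as in /o "") or a bare whitespace-free token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline):
    """Split a Windows command line into arguments, keeping quoted paths whole.

    shlex is deliberately avoided: in POSIX mode it eats the backslashes in
    C:\\Program Files\\..., in non-POSIX mode it leaves the quotes on the tokens.
    """
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def classify_office_launch(cmdline):
    """Return image name, launch kind, normalised switches and document arguments."""
    tokens = split_windows_cmdline(cmdline)
    image = tokens[0].rsplit("\\", 1)[-1].upper()
    args = tokens[1:]
    switches = sorted({a.lower() for a in args if a[:1] in ("/", "-")})
    documents = [a for a in args if a and a[:1] not in ("/", "-")]
    if "-embedding" in switches:
        kind = "com-server"   # activated through COM, not by a user double-click
    elif documents:
        kind = "user-open"    # started with a file to open
    else:
        kind = "other"
    return {"image": image, "kind": kind, "switches": switches, "documents": documents}


def summarize(cmdlines):
    """Count launches per (image, kind). Several COM servers beside a single
    user open is consistent with a macro or embedded object automating Office."""
    return dict(Counter((info["image"], info["kind"])
                        for info in map(classify_office_launch, cmdlines)))


if __name__ == "__main__":
    for c in PROCESS_CMDLINES:
        info = classify_office_launch(c)
        print(f"{info['image']:12} {info['kind']:11} switches={info['switches']} docs={info['documents']}")
    print(summarize(PROCESS_CMDLINES))
```

The -Embedding switch says nothing on its own about who requested the activation. The report's process list is flat and carries no parent PIDs, so whether the Word macro instantiated Excel or an embedded object did has to come from the macro code or from a process tree that records parents.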

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 202.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 49.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
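The Network table above mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53), TCP connections to the resolved hosts, and reverse (in-addr.arpa) lookups of the IPs that were contacted. Only one name in it, khalilmouna.com, lies outside the Office and Bing infrastructure Office 2016 talks to on its own, and it appears only as two DNS queries with no TCP connection. The following Python is an added triage helper written for this page, not part of the sandbox report: the Office baseline allowlist is an analyst assumption, and the embedded rows are a subset copied from the table above with the repeated CDN connections collapsed to one.

```python
"""Triage a sandbox Network table: baseline vs unexplained destinations,
reverse-DNS noise, and which resolved names were actually connected to."""
from collections import Counter, defaultdict

# Rows copied from the report's Network table (a subset; the 35 identical
# connections to binaries.templates.cdn.office.net are collapsed to one).
REPORT_ROWS = """\
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.49:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 khalilmouna.com udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 khalilmouna.com udp
"""

# Zones Office 2016 contacts on its own at startup (roaming settings, template
# gallery CDN, Bing-backed content). Analyst allowlist assumed for this
# example; the report itself does not classify destinations.
OFFICE_BASELINE = ("officeapps.live.com", "cdn.office.net", "bing.com", "bing.net")


def parse_rows(text):
    """'Country Destination Domain Proto' rows -> (ip, port, domain, proto)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:   # skips header/blank lines
            continue
        ip, port = parts[1].rsplit(":", 1)
        flows.append((ip, int(port), parts[2], parts[3].lower()))
    return flows


def in_zone(domain, zone):
    return domain == zone or domain.endswith("." + zone)


def ptr_target(domain):
    """'243.76.109.52.in-addr.arpa' -> '52.109.76.243'; None for non-PTR names."""
    if not in_zone(domain, "in-addr.arpa"):
        return None
    return ".".join(reversed(domain.split(".")[:-2])) or None


def classify(domain):
    if ptr_target(domain):
        return "ptr-noise"
    if any(in_zone(domain, z) for z in OFFICE_BASELINE):
        return "office-baseline"
    return "unexplained"


def triage(text):
    """Per domain: class, DNS query count, TCP endpoints actually hit, and for
    PTR names whether the reversed IP is one of those TCP destinations."""
    flows = parse_rows(text)
    dns = Counter(d for ip, port, d, proto in flows if proto == "udp" and port == 53)
    tcp = defaultdict(set)
    for ip, port, d, proto in flows:
        if proto == "tcp":
            tcp[d].add((ip, port))
    contacted = {ip for eps in tcp.values() for ip, _ in eps}
    report = {}
    for d in set(dns) | set(tcp):
        ip = ptr_target(d)
        report[d] = {
            "class": classify(d),
            "dns_queries": dns.get(d, 0),
            "tcp_endpoints": sorted(tcp.get(d, ())),
            "ptr_of_contacted_ip": (ip in contacted) if ip else None,
        }
    return report


def unexplained_without_connection(text):
    """Non-baseline names resolved but never connected to: the first pivot
    when looking for the download or C2 host behind a macro."""
    return sorted(d for d, info in triage(text).items()
                  if info["class"] == "unexplained" and not info["tcp_endpoints"])


if __name__ == "__main__":
    for d, info in sorted(triage(REPORT_ROWS).items(), key=lambda kv: (kv[1]["class"], kv[0])):
        print(f"{info['class']:16} dns={info['dns_queries']} tcp={info['tcp_endpoints']} {d}")
    print("resolved but never contacted:", unexplained_without_connection(REPORT_ROWS))
```

A name that was resolved but never connected to is a lead, not a confirmed download or C2 host: the table records queries, not answers, so an NXDOMAIN, a sinkholed or offline server, and a connection that simply did not happen inside the detonation window all look identical here. Pivot on the domain (passive DNS, the strings in the macro) before treating it as an indicator.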

Files

memory/3632-1-0x00007FFA4DE8D000-0x00007FFA4DE8E000-memory.dmp

memory/3632-3-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-2-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-0-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-6-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-4-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-5-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-7-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-9-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-8-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-10-0x00007FFA0B510000-0x00007FFA0B520000-memory.dmp

memory/3632-11-0x00007FFA0B510000-0x00007FFA0B520000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f6f801e5b0502f5e803ed826dd37ae44
SHA1 273e87aa518397186653443c0c3e81d574361708
SHA256 e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1
SHA512 8fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584

memory/3632-29-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-30-0x00007FFA4DE8D000-0x00007FFA4DE8E000-memory.dmp

memory/3632-31-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

memory/3632-32-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2fff921ae80f612ce31028335997a101
SHA1 c7a4388d4d6fb2b278bce7d7cce5f59ab8f62117
SHA256 e5aea2d59eb3c1ca0854d8db121ecc9a192e1ec4812aa1d018ad46f47a3a5024
SHA512 eb759161eb5a99cdf7845e416431463dab12cc5c22c5268d78e36eded374d1ee178a18512020e2ee8c45a5465f97741dfcb7daa6b545d01dd12ade2ef24739ba

C:\Users\Admin\AppData\Local\Temp\TCD100F.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3632-419-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC4536BD-05AF-4E73-B030-BB4792332601

MD5 78c89da322724fb7b49bc96189eb06be
SHA1 a87ab0e399dc9e9b0160ba7eea430c2d6b8ce38d
SHA256 770cb908b96daaff3ee26f0d28bcb3d9b3d51be40b729cf4d57e7a01853b09bf
SHA512 aedd7ee1efa397b7c194f20cb94df0eed759475ad84aa4af02f6be10e0a25116da8e7b4edba87761f61829202d907668cb18e417b8457d73285e61523e045ecf

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 c323eb098a0b5498ccc4b1489ecaccc4
SHA1 92f5c6680b0bf94b43e9a1f0fda5da533f71f698
SHA256 3b253c59cd641d1f18b2c8c0e5d3e58e41ef9d1afcf729265de25050776cb518
SHA512 05f81339f76cdd9939036206198fb99ee9edea5c16a09fcd6755f59848a7b9a51642838d568fd582197a6375e7fcb1509d6b4061f246241297ae6b3556c86da0

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 829b9babbdda5b73334a65296724fe6d
SHA1 f7979def5dbbf1a0e07eb2186e1823cabc2ff8f4
SHA256 004d3465ff2fc39a15be8dd108f6ac29465309be5ceee396c2703ad42bef8b40
SHA512 a1f98b251aaec108c6b74139e2056b7a64c698e9687cc045ebabc4eeac0a1ac8884ff4b93601e09c3a26c183906e3336b66fae3156d1cb27196d55b0173d863b

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 2d72c7fd107986dff9d09acdd4f8255f
SHA1 f60da83ed901faee7352589e46ae5a361a33af2a
SHA256 2bacf273a6b20fab94aec2c3c2fa483a24e62b36070121cd0dfd40ccfdf5be8a
SHA512 063c9a0b595480d50d3c5581d9cd4b15242c32f1ca9d24c72673835a577a8187a398ab214cea86a6c04a8e425fa81591be0369be80c9a1c66128a7672c039f93

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 ccfc033500e2871900fc3f161511c809
SHA1 e01008d83244c60570ded6598d6c989be46f622a
SHA256 8183d0791fc27b5515c4b5411fd6a804ba153ec40001958a7968f31778e314b5
SHA512 af43aa9236949cace4f6bd6b565351cbc86a7cae903ac658990992aabf1a2433c6293e7f94197da0853e7bf1f7dc56acd1dc6ab120e799bc3f50d8ad43b5ae74

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 0d34527d1c8f3c4c04409402ec1018e5
SHA1 e3adaed47bcc035fc26e77def57212afd583a121
SHA256 bbcf67c7ad661df89571263ab621be191682a861ddb3322a426f70b7277487aa
SHA512 f79b5d1c173498eaf5064caf60fdb862f9b0a3bb384bb5778ed104398a94974925f8f3e09483d48508dcd37f0d892c43db11729eacdbedcff38b1a8cf6da273f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 7b00aadb86c7ca6a9e2e13afc03f4e12
SHA1 328dee04af21b9ae30166582430df63998cadbfd
SHA256 305aa8c67c4037f33832b6c0fc8f6c5be0bc480362753814692067bef587fd51
SHA512 ef8ca924481ad0af45d58275d3017b134101164ee931fbc411e07c929d4cbb46a2d95cbec8a2fc3f168a079c9a7a8ea45526cc7647cecb5e531c6e47a8727381

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 f5620c92cbdc293c3ae3aae31aef598b
SHA1 1f2b47a9ddcf2e644eb45eba39cdbf02ab292bda
SHA256 a31cb1fb5b8ae640c14a44be54ba89c30034b42c9638b264583e38924e787f12
SHA512 6009ec07f3853df80436f80e3d81a5d95d0d2ff2d501d46b6854438bfa16447e6a787f6610556b957e0e950087109145b6f94de08232d4a085035427e8db7c24

memory/496-1412-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/496-1413-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/496-1414-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/496-1415-0x00007FFA0DE70000-0x00007FFA0DE80000-memory.dmp

memory/3632-1422-0x00007FFA4DDF0000-0x00007FFA4DFE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

MD5 9048efb4c96728b0bcfb5b2e2b52dd76
SHA1 1d0c697ca716bd4850f27def14d4a8855e0e4d6f
SHA256 662f74f7ab09084e621106667d58a2a846e4857efe76bfef057237bdce1bbf1d
SHA512 7d6509c12d08dfde124ff429696368fc24da736a3032f64be3eb9659a2c0b9360557913af51b12a6df962f219fd9eeec12ab21a236f8f8d2ff376319e00b1bd6

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 1860cdd48aea9511bbd598c3d6e80ec2
SHA1 4d80fb389297d1b42330fc9cc043890b7de843ef
SHA256 c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035
SHA512 64718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

MD5 8867e02c27e1adfd64dbd9cd1d8e6d76
SHA1 0ed191d90935a08a5256b20f0c8cc9c3ddfd0516
SHA256 d761082012e5c49153de68c25b4bc5bd10c9623cf4d11b484840184fe2cbcb42
SHA512 604c538714683f11ec7e01a92a98c7c275f7fc69a68d2038180a6e3ea834b08d7b4e2df29dfe78aaa06802a2f8e81b9db935d7c510cc74ce608a8efc38b1a0a1

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 085ebd119f5fc6b8f63720fac1166ff5
SHA1 af066018aadec31b8e70a124a158736aca897306
SHA256 b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
SHA512 adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

MD5 33eea2792b9fa42f418d9d609f692007
SHA1 48c3916a14ef2d9609ec4d2887a337b973cf8753
SHA256 8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
SHA512 b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9