Malware Analysis Report

2025-03-15 05:48

Sample ID 240623-31j7dssfpl
Target 04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118
SHA256 92e2fc19cc1cf1cf17e0746ffe625103d1285af13870a0848afd8482ee2f6518
Tags
aspackv2
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 23:58

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 23:58

Reported

2024-06-24 00:01

Platform

win7-20240611-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\sx23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\23522358522\lk23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\23522358522\sx23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yytmp1\23522358522\tmp1.doc C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\SysWOW64\yytmp1\23522358522\~$tmp1.doc C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\fj23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\yadviser.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\23522358522\23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\syys7.1.1.syw C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ywsexe1.exs C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\23522358522\mu23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\23522358522\fj23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\mu23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\lk23522358522.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yyhelp.yws C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yytmp1\23522358522\~$tmp1.doc C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\23522358522\tmp1.doc C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.yws\ = "ywsfile" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version\ = "7.1.1" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\ = "ÓÑÒæÎÄÊé" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2108-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2676-20-0x000000002FCF1000-0x000000002FCF2000-memory.dmp

memory/2676-22-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2676-23-0x000000006F98D000-0x000000006F998000-memory.dmp

memory/2676-32-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

memory/2108-33-0x0000000005D90000-0x0000000005D92000-memory.dmp

C:\Windows\SysWOW64\yytmp1\23522358522\tmp1.doc

MD5 1b569713890e43a0447ec8733c9972ac
SHA1 a17114e3f062d914a23eccb71ec2171561574724
SHA256 51beb3b60f407e97d388c9d2febc004d8df1b7c5e1373eaf77c9e5f815debd5b
SHA512 b659d9f5763821429d1101e8da6e0712dd9b64572d1b289d2bbfcae36c3827deda25f68328355454f2a735190f1667cb7a8d003ab5ad78d20c2bc6c634fbd460

memory/2108-54-0x0000000000400000-0x00000000005A9000-memory.dmp

memory/2108-55-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2676-57-0x000000006F98D000-0x000000006F998000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e84ef40a969d23ede0fa1de0b9b5ec00
SHA1 57228904dc2508e6d56346e990322a23a0930ae7
SHA256 413110d390229baab5dda330165586eea731af25fed9e36ba4b17fabcc0215be
SHA512 fa238e15cea70fe24419af8d2ee0041253ff60b374dd4c1a547b894356535c2215d584400f44895fbeff3041035272a399ebe677a41f039f1edc7290134ac924

memory/2676-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 23:58

Reported

2024-06-24 00:01

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yyhelp.yws C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\fj2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\lk2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2352235877\mu2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\syys7.1.1.syw C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\sx2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2352235877\2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2352235877\lk2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2352235877\sx2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\mu2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\tmp1.doc C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\ywsexe1.exs C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2352235877\fj2352235877.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2352235877\yadviser.tmp C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version\ = "7.1.1" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command\ = "c:\\windows\\SysWow64\\ÓÑÒæÎÄÊé.exe %1" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon\ = "c:\\windows\\SysWow64\\ÓÑÒæÎÄÊé.exe,1" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.yws C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.yws\ = "ywsfile" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\ = "ÓÑÒæÎÄÊé" C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ccf0e82bcef6ac962066582de10cf8_JaffaCakes118.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files
