Malware Analysis Report

2025-03-15 05:48

Sample ID 240624-aj5gsatcjq
Target 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118
SHA256 d2d9a048e2543d8c41c8db1683f6872472b4253cca2ca21fb4db6fe7113b0b66
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d2d9a048e2543d8c41c8db1683f6872472b4253cca2ca21fb4db6fe7113b0b66

Threat Level: Shows suspicious behavior

The file 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118 was classified as: shows suspicious behavior (score 7/10).

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 00:15

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 00:15

Reported

2024-06-24 00:18

Platform

win7-20240220-en

Max time kernel

119s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\fj2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\mu2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\fj2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\sx2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\yadviser.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\syys7.1.6.3.syw C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\sx2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\mu2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\reopenf1.re C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\lk2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\lk2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
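The Python below is an added triage helper written for this page, not part of the sandbox report. It parses the rows above, strips the NT object-manager prefix \??\ to get Win32 paths, collapses the 23 events into the 14 distinct files, and lists which files the sample both created and re-opened. It also deals with the dropped executable's name ÓÑÒæÎÄÊé.exe: those eight characters are exactly what the bytes D3 D1 D2 E6 CE C4 CA E9 look like under Windows code page 1252, and the same bytes read as GBK spell 友益文书, the name of a Chinese e-book compiler. The likely explanation, which is an inference and not something the report states, is that the sample hands GBK-encoded names to ANSI file APIs; on the en-US sandbox those bytes are interpreted as cp1252, so the file really is created as ÓÑÒæÎÄÊé.exe there, while on a zh-CN system the same bytes produce 友益文书.exe. Hunts for this file should match both spellings. The cp1252/GBK pairing is this example's assumption; the rows themselves are copied from the table.

```python
import re
from collections import defaultdict

# Constructed sample input: the 23 "Drops file in System32 directory" rows copied verbatim from the report.
DROP_ROWS = r"""
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\fj2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\mu2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\fj2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\sx2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\yadviser.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\syys7.1.6.3.syw C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\sx2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\mu2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\reopenf1.re C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\2431015487\lk2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\2431015487\lk2431015487.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
"""

# "Description Indicator Process Target": the process path may contain spaces, the indicator path here does not.
ROW_RE = re.compile(r"^(File created|File opened for modification) (\S+) (.+?) (N/A)$")


def strip_nt_prefix(path):
    # The sandbox logs NT object-manager paths; dropping the 4-character \??\ prefix gives the Win32 path.
    return path[4:] if path.startswith("\\??\\") else path


def parse_rows(text):
    """Turn signature rows into dicts with action, Win32 path and acting process; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"action": m.group(1), "path": strip_nt_prefix(m.group(2)), "process": m.group(3)})
    return rows


def repair_ansi_mojibake(text, shown_as="cp1252", intended="gbk"):
    """Re-read a name the sandbox displayed through `shown_as` as if its bytes were `intended`.

    Returns None for plain ASCII, for text that cannot have come from `shown_as`, and for byte
    sequences that are not valid in `intended`. The cp1252/GBK pairing is this example's assumption.
    """
    if text.isascii():
        return None
    try:
        return text.encode(shown_as).decode(intended)
    except UnicodeError:
        return None


def summarize(rows):
    """Collapse per-event rows into a per-file view for triage."""
    actions = defaultdict(set)  # case-folded path -> set of actions seen (Windows paths are case-insensitive)
    display = {}                # case-folded path -> path as the sandbox displayed it
    for r in rows:
        key = r["path"].lower()
        actions[key].add(r["action"])
        display.setdefault(key, r["path"])
    alternate = {}
    for key, shown in display.items():
        fixed = repair_ansi_mojibake(shown)
        if fixed and fixed != shown:
            alternate[shown] = fixed
    return {
        "events": len(rows),
        "unique_paths": len(actions),
        "created_and_modified": sum(1 for a in actions.values() if len(a) == 2),
        "created_only": sum(1 for a in actions.values() if a == {"File created"}),
        "executables": [display[k] for k in actions if k.endswith(".exe")],
        "alternate_names": alternate,
        "processes": sorted({r["process"] for r in rows}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(DROP_ROWS)), indent=2, ensure_ascii=False))
```

Running it prints the per-file summary as JSON; the "alternate_names" entry pairs the name as the sandbox displayed it with its GBK reading, so both can be added to a hunt list.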

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601e68d3cbc5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5BDD7D1-31BE-11EF-8B56-EE69C2CE6029} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000034048a9e378e69489ab687a0c9b8b1bd0000000002000000000010660000000100002000000083104a822407e91b588c2b18c67a9e401d1a80082bc139d3ecaa4e4f0c1947a2000000000e8000000002000020000000c924b45c77923f6db297ff8937e3de3eeea3118b45168ac1545feb31cab163042000000053c4741464519bb8d923b0b77445de3aa37c1142f44fbea7430621782b3ae66c4000000008e860aed6aadb4fda00447f9691b339fa3a420b368493ff9b6b00bbc7743b8b0028895bdbca5be3a13d8d682db72878d2afccca07e2a4fd8b81992c1a6331dc C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000034048a9e378e69489ab687a0c9b8b1bd00000000020000000000106600000001000020000000a125ce92c85fe9a9a5a728ba17ee55884d0e84e12c2098090c08023e60a90162000000000e80000000020000200000003ee17c022c804b8f4b1552bb2a68648194834c112cf3d668f573a5fd4d98c95590000000c12c29d04066df6d2ae758597e1c73c5619b9b95794a7dcdd58f4e0bce41e4e59dd8a4093cc480b5c0566d9e9395829e1facc50064bf5771f84fb00a4a2ad62dbd5f372c6122c990c20d99e3a4e5c6a533dc012c89bcb3bf0763627b721a9eaf9c3de8de668b163c0ec1d32836d9f6da3dae4de2fd5a8ab3b6f21d3ad7ea9b12afebfce884b0081c5bf931108eab5d654000000057a61a92b306698cac03ac1ff351d08fb0fc8dfa2bd6ac751b1e3684e92c62ae07c945707f318edab586cdfa4ed5c6db34fb6f5e3b76953d0534a4d828b574df C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425350011" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493491-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493498-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A66-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493475-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493484-5A91-11CF-8700-00AA0060263B}\ = "TextFrame" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493487-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A53-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493479-5A91-11CF-8700-00AA0060263B}\ = "Shape" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149345B-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5C-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartFormat" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C3-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D8-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E7-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ = "AnimationPoint" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347C-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493491-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493452-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347F-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C8-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E4-5A91-11CF-8700-00AA0060263B}\ = "AnimationBehavior" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493466-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347B-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A74-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348D-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349C-5A91-11CF-8700-00AA0060263B}\ = "HeaderFooter" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A73-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E553-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493491-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349B-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CB-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DD-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E5-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493454-5A91-11CF-8700-00AA0060263B} C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "FileConverters" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C5-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5A-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
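Every row in the "Modifies Internet Explorer settings" table above is attributed to POWERPNT.EXE, iexplore.exe or IEXPLORE.EXE except one (the "Key created ...\Internet Explorer\Main" entry by the sample itself), and every row in the "Modifies registry class" table is POWERPNT.EXE registering PowerPoint's own COM type library interfaces. The "Set value (data) ... \shell\edit\command\command" rows in both tables are REG_MULTI_SZ data dumped as hex. The Python below is an added example for this page, not part of the report: it decodes that hex as UTF-16LE and splits the result as a Windows Installer "Darwin descriptor" (20-character compressed product GUID, feature name, ">", 20-character compressed component GUID, then whatever arguments the application appended), which is how Office registers install-on-demand shell verbs. Decoding the Default HTML Editor value yields feature WORDFiles with arguments /n "%1", the .htm OpenWithList value yields feature PubPrimary, and expanding the shared product token gives {90140000-0011-0000-0000-0000000FF1CE}, an Office 14 (2010) product code consistent with the Office14 install paths in the Process column. That identifies these registry writes as Office self-registration during the run, not something the sample wrote. The two hex strings are copied from the tables; the base-85 alphabet and GUID byte order are the ones Windows Installer uses.

```python
from dataclasses import dataclass

# Constructed sample input: hex payloads copied from two "Set value (data)" rows in the report,
# both written by POWERPNT.EXE.
HEX_WORD_EDIT_VERB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"  # ...\Default HTML Editor\shell\edit\command\command
HEX_PUBLISHER_OPENWITH = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"  # ...\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command

# Base-85 alphabet Windows Installer uses for compressed GUIDs; index 0 is '!'.
DARWIN_ALPHABET = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"


def decode_reg_utf16le_hex(hex_payload):
    """Registry string data is UTF-16LE; the sandbox dumps it as hex. Strips the terminating NULs."""
    raw = bytes.fromhex(hex_payload)
    if len(raw) % 2:
        raise ValueError("odd byte count cannot be UTF-16LE")
    return raw.decode("utf-16-le").rstrip("\x00")


@dataclass(frozen=True)
class DarwinDescriptor:
    product_token: str    # 20-char compressed product GUID
    feature: str          # MSI feature name, e.g. WORDFiles
    component_token: str  # 20-char compressed component GUID
    args: str             # whatever the registering app appended, e.g. ' /n "%1"'


def is_darwin_token(s):
    return len(s) == 20 and all(c in DARWIN_ALPHABET for c in s)


def parse_darwin_descriptor(value):
    """Split <product><feature>'>'<component><args>; returns None for an ordinary command line."""
    product, rest = value[:20], value[20:]
    feature, sep, tail = rest.partition(">")
    if not (is_darwin_token(product) and sep and feature and is_darwin_token(tail[:20])):
        return None
    return DarwinDescriptor(product, feature, tail[:20], tail[20:])


def decompress_guid(token):
    """Expand a compressed GUID: four little-endian DWORDs, each five base-85 digits, least significant first."""
    if not is_darwin_token(token):
        raise ValueError("not a Darwin compressed GUID")
    dwords = []
    for i in range(0, 20, 5):
        v = 0
        for c in reversed(token[i:i + 5]):
            v = v * 85 + DARWIN_ALPHABET.index(c)
        if v > 0xFFFFFFFF:
            raise ValueError("digit group overflows a DWORD")
        dwords.append(v)
    d0, d1, d2, d3 = dwords
    tail = d2.to_bytes(4, "little") + d3.to_bytes(4, "little")  # Data4[0..7] in memory order
    return "{%08X-%04X-%04X-%s-%s}" % (d0, d1 & 0xFFFF, d1 >> 16,
                                       tail[:2].hex().upper(), tail[2:].hex().upper())


def explain_verb_command(hex_payload):
    """One-line triage verdict for a shell-verb 'command' value dumped by the sandbox."""
    text = decode_reg_utf16le_hex(hex_payload)
    d = parse_darwin_descriptor(text)
    if d is None:
        return "direct command line: " + text
    return "installer-advertised verb: product=%s feature=%s args=%r" % (
        decompress_guid(d.product_token), d.feature, d.args)


if __name__ == "__main__":
    for payload in (HEX_WORD_EDIT_VERB, HEX_PUBLISHER_OPENWITH):
        print(explain_verb_command(payload))
```

A value that does not fit the descriptor shape, such as the plain "\"C:\\...\\WINWORD.EXE\" /n \"%1\"" strings in the neighbouring rows, is reported as a direct command line, which is the case that deserves a look when the writing process is the sample rather than an Office binary.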

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 1840 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 2184 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2204 wrote to memory of 872 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" www.cnshu.cn/toptan/2rlzy.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.5ucom.com udp
CN 117.78.37.232:80 www.5ucom.com tcp
US 8.8.8.8:53 www.cnshu.cn udp
HK 122.10.69.157:80 www.cnshu.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 00:15

Reported

2024-06-24 00:18

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\yytmp1\24330150\24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\mu24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\24330150\yadviser.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\sx24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\友益文书.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfilejlA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\24330150\mu24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\24330150\fj24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\fj24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\友益文书.exe C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\filebak C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\syys7.1.6.3.syw C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\24330150\lk24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\yytmp1\24330150\sx24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\opfileOneA C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\lk24330150.tmp C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" -Embedding

Network

Country Destination Domain Proto

Files
