69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 13:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Size

920KB
MD5

0e35d1aa1cd581494bccb286d0c9adff
SHA1

1099d1119361c2a5f4867bcf16e2a25d4874db7b
SHA256

69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7
SHA512

00b0fddcb97dfead478d227f6d00334ce308ab6ad40ef1e5b90db8cebe121f059e2bfc649e819339e5b66b3effe458aef610df784d5f665fad6b912395ce93db
SSDEEP

24576:KeFDHYvmR38IJS7kF6lDJqLGT4RSskUMFiHYrWMj3:7FbR547kQlDJqDzHsl

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe

Executes dropped EXE 10 IoCs

pid	Process
2704	svehost.exe
2152	svehost.exe
2496	svehost.exe
1720	svehost.exe
328	svehost.exe
904	svehost.exe
2412	svehost.exe
2916	svehost.exe
3068	svehost.exe
2848	svehost.exe

Loads dropped DLL 64 IoCs

pid	Process
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2704	svehost.exe
2704	svehost.exe
2704	svehost.exe
2704	svehost.exe
2704	svehost.exe
2704	svehost.exe
2152	svehost.exe
2152	svehost.exe
2152	svehost.exe
2152	svehost.exe
2152	svehost.exe
2152	svehost.exe
2496	svehost.exe
2496	svehost.exe
2496	svehost.exe
2496	svehost.exe
2496	svehost.exe
2496	svehost.exe
1720	svehost.exe
1720	svehost.exe
1720	svehost.exe
1720	svehost.exe
1720	svehost.exe
1720	svehost.exe
328	svehost.exe
328	svehost.exe
328	svehost.exe
328	svehost.exe
328	svehost.exe
328	svehost.exe
904	svehost.exe
904	svehost.exe
904	svehost.exe
904	svehost.exe
904	svehost.exe
904	svehost.exe
2412	svehost.exe
2412	svehost.exe
2412	svehost.exe
2412	svehost.exe
2412	svehost.exe
2412	svehost.exe
2916	svehost.exe
2916	svehost.exe
2916	svehost.exe
2916	svehost.exe
2916	svehost.exe
2916	svehost.exe
3068	svehost.exe
3068	svehost.exe
3068	svehost.exe
3068	svehost.exe
3068	svehost.exe
3068	svehost.exe
2848	svehost.exe
2848	svehost.exe
2848	svehost.exe
2848	svehost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NrnW_USZeKR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Hnss = "SXuaZQgvMN^\x7fNYRiyzFOxRiah_CYpZ_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^jvSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AmhDJeAqPAoRx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NsnW_USZeJR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Hnss = "SXuaZQgvMN^\x7fNYRiyzFOxRiah_CYpZ_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AthDJeAwxOzud"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AhhDJeA\x7ftUGvP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AuhDJeAt[}bqH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^jeSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AlhDJeA}VWRfP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AehDJeA}eBV\|t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\AppID = "{0da7bfdf-c0a0-44eb-be82-b7a82c4721de}"	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Elevation	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AYhDJeAuCGvGH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NqnW_USZeHR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@N}nW_USZeDR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AchDJeA}bwk]\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AkhDJeA\|FaIh\|"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^kGSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NpnW_USZeIR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^j[SrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^kPSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AfhDJeA~lfLOt"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\xdjkKahlFjZu = "GyRDgnCk{_WTZkHn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^krSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NxnW_USZeAR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@N~nW_USZeGR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@N\x7fnW_USZeFR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NpnW_USZeIR\x7fsx"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InProcServer32	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InProcServer32\ThreadingModel = "Apartment"	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^jKSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Hnss = "SXuaZQgvMN^\x7fNYRiyzFOxRiah_CYpZ_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_A`hDJeA~PCeCp"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NznW_USZeCR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^j[SrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_A\\hDJeArSBdGl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AphDJeAs@VQBl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InZin = "fcpy@GK\|VcMPZyCq{GQh"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NsnW_USZeJR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_A[hDJeAsCt\x7fI@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NynW_USZe@R\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_A~hDJeArTJ{JH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_APhDJeAyfjPxP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^hCSrqOqQb~ISPAuOTpSI"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@N\|nW_USZeER\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zrrdjqoffb = "bz@NqnW_USZeHR\x7fsx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AjhDJeAwFHQkH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Hnss = "SXuaZQgvMN^\x7fNYRiyzFOxRiah_CYpZ_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\deaBolxixpe = "x`mXyJbRcMSOXEtK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\hvtlY = "YZc_AwhDJeAzyuRqx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\UvbBJx = "D^jeSrqOqQb~ISPAuOTpSI"	svehost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Token: 33	2704	svehost.exe
Token: SeIncBasePriorityPrivilege	2704	svehost.exe
Token: 33	2152	svehost.exe
Token: SeIncBasePriorityPrivilege	2152	svehost.exe
Token: 33	2496	svehost.exe
Token: SeIncBasePriorityPrivilege	2496	svehost.exe
Token: 33	1720	svehost.exe
Token: SeIncBasePriorityPrivilege	1720	svehost.exe
Token: 33	328	svehost.exe
Token: SeIncBasePriorityPrivilege	328	svehost.exe
Token: 33	904	svehost.exe
Token: SeIncBasePriorityPrivilege	904	svehost.exe
Token: 33	2412	svehost.exe
Token: SeIncBasePriorityPrivilege	2412	svehost.exe
Token: 33	2916	svehost.exe
Token: SeIncBasePriorityPrivilege	2916	svehost.exe
Token: 33	3068	svehost.exe
Token: SeIncBasePriorityPrivilege	3068	svehost.exe
Token: 33	2848	svehost.exe
Token: SeIncBasePriorityPrivilege	2848	svehost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2704	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2704	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2704	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2704	2032	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	28
PID 2704 wrote to memory of 2152	2704	svehost.exe	29
PID 2704 wrote to memory of 2152	2704	svehost.exe	29
PID 2704 wrote to memory of 2152	2704	svehost.exe	29
PID 2704 wrote to memory of 2152	2704	svehost.exe	29
PID 2152 wrote to memory of 2496	2152	svehost.exe	30
PID 2152 wrote to memory of 2496	2152	svehost.exe	30
PID 2152 wrote to memory of 2496	2152	svehost.exe	30
PID 2152 wrote to memory of 2496	2152	svehost.exe	30
PID 2496 wrote to memory of 1720	2496	svehost.exe	33
PID 2496 wrote to memory of 1720	2496	svehost.exe	33
PID 2496 wrote to memory of 1720	2496	svehost.exe	33
PID 2496 wrote to memory of 1720	2496	svehost.exe	33
PID 1720 wrote to memory of 328	1720	svehost.exe	34
PID 1720 wrote to memory of 328	1720	svehost.exe	34
PID 1720 wrote to memory of 328	1720	svehost.exe	34
PID 1720 wrote to memory of 328	1720	svehost.exe	34
PID 328 wrote to memory of 904	328	svehost.exe	35
PID 328 wrote to memory of 904	328	svehost.exe	35
PID 328 wrote to memory of 904	328	svehost.exe	35
PID 328 wrote to memory of 904	328	svehost.exe	35
PID 904 wrote to memory of 2412	904	svehost.exe	36
PID 904 wrote to memory of 2412	904	svehost.exe	36
PID 904 wrote to memory of 2412	904	svehost.exe	36
PID 904 wrote to memory of 2412	904	svehost.exe	36
PID 2412 wrote to memory of 2916	2412	svehost.exe	37
PID 2412 wrote to memory of 2916	2412	svehost.exe	37
PID 2412 wrote to memory of 2916	2412	svehost.exe	37
PID 2412 wrote to memory of 2916	2412	svehost.exe	37
PID 2916 wrote to memory of 3068	2916	svehost.exe	38
PID 2916 wrote to memory of 3068	2916	svehost.exe	38
PID 2916 wrote to memory of 3068	2916	svehost.exe	38
PID 2916 wrote to memory of 3068	2916	svehost.exe	38
PID 3068 wrote to memory of 2848	3068	svehost.exe	39
PID 3068 wrote to memory of 2848	3068	svehost.exe	39
PID 3068 wrote to memory of 2848	3068	svehost.exe	39
PID 3068 wrote to memory of 2848	3068	svehost.exe	39

C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\svehost.exe
  C:\Windows\system32\svehost.exe 728 "C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 752 "C:\Windows\SysWOW64\svehost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 748 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 760 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 756 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 768 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 776 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 772 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 784 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 792 "C:\Windows\SysWOW64\svehost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
2a1ea15428416b9a5fd2c49e3499e5e8

SHA1
5cd8da22a69f147560756e6da64b94e6e0cdac16

SHA256
3fb3564cc5504ddaa1e31742bcb27de6c08bf803c354d01db73acb3c74c25819

SHA512
6833244a517a014edb30fb9596d6316982d7e693edecb1ee397eba8ee07ebe15f0c5ceaf6f503134530e784ee9529a69069b9156c6e901e3aaffd042da35d5fc

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
aeaaa06377d7a2e451011b045746386f

SHA1
524c5a4d2fd7f7a692c091490c9a4e650a16cd53

SHA256
b5140c9896d07a936ae6893fb9c18c9dc4009d83081802fd0250cc88540da5fb

SHA512
da0c61e69adf7ce17afdd60bf3cb4e54e392272ad9b32989aad07ae8e1bf3b3c0e625582e0bd07b75ff1f32f47fa0249816b214f9ce38e15a6c422069cd63ab4

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
071c1b698f972270aaf2abbb0a10073a

SHA1
d769c7889b2df893fc159bc80c6c7d1e0b230151

SHA256
cb67d745bcba2ef735a85ace181c47a5a250ea69778d241d2d08addf724c1cce

SHA512
508ca67015f6181d986b90f572cb93d1b7b96372a75067e4f6fe9f4558c5557d35b3c31a3510be26e204c9375502d4597165d23e58c51e1e87eceea4aa383d7e

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
eb35351dccf6d00ba4ba255183516902

SHA1
78e837c1c992a11e839507cc5a5c00771997597f

SHA256
7f2dec3fb66c2c1df956618599a0b0b99f79d96b91c0dc27e8abcbcd0f8ede81

SHA512
160f0c45f380526a6af7dd952a19f8bb40523b0644b96dba7d23ddd05709616b904ae985b417cbb30bd62778a0a39cc52d9ed81cd8b75d54750a54d580cf30f8

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
b9852ddd2a4a9a6c5f09bddd88393d74

SHA1
9c38fb9d72e6939d3e4349c6a077ce095fe1c237

SHA256
2d9fa6ddb7e8a7442d383af93e30a4ad782fee0275a123b641c19fe6a277adc5

SHA512
1f8764a24de9e2a969db5591f068fe11ce8165be9dfcb0418cb920878bbe731939a759e55bced38868ca7acb49918b6e779580697772d84edcdff08e548eb70a

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
7f592d209452a89dc93a0fe79dd64e86

SHA1
43e43d7c582e5b09fce1be3b5c6648b626c6e709

SHA256
eb8575864fa44612b96a202ccbd77801d48973a26a08409186b2349996c5d939

SHA512
c4820dedab2dac030f6d6c87edeb1fd5fd296db2f88dd1f3013f782b1e40a693498f456f40ac86cbe172ad2f192b491e9a87eda783296005e5f0ddb814d24e3b

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
2b17a9837f8d18c3f03be5e2ca9086c5

SHA1
7a3cb62e0dae7b490d70dae13f604586e46510ba

SHA256
67adc9179dc95f72dc02f6fc867b487e77f7269e4ebd79228fc1260f1e2b5fdd

SHA512
99815cb0a49fb3e5c3719a0c6cda8db672abda5ecacf16d123f2b66db091f6040c861bf1dbafe9fcdfea23a29b843ebe5bb44f016234ef91458efa9671984753

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
d9be19b1de6e0caade13ffb081dbbc8e

SHA1
3b15b66dfb99cd62acb3bc8d056e6b89c4eb2230

SHA256
0fc994690fd026d52867ca2cb0109ae4d6eede2ad3b33e7f748f4c9144c68727

SHA512
32339572743892686d4023278a4f90e821f7347530a85b034c8879719ed59111bf92ecd312897a7579b84b72d96ba795412eac5ace24ccb61cebced3272a1b46

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
e602cb3b1645256cde550754553e8b4c

SHA1
2c7aa71610c0f0f58360bfb03f2f0e80604ca793

SHA256
80d60762becb195ea9d5b14bab6098b76ea720df64256252999dd681b93aac10

SHA512
1f4d8c20e0d5f7f3ea41f0108900bfe03caf42041817639a926ec21cb000d1e185a8ff46b02ed9f95f6aa0bbab6ac1be8a8aabf5ed1780d2ee5cea9d64b70fa8

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
\Windows\SysWOW64\svehost.exe

Filesize
920KB

MD5
0e35d1aa1cd581494bccb286d0c9adff

SHA1
1099d1119361c2a5f4867bcf16e2a25d4874db7b

SHA256
69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7

SHA512
00b0fddcb97dfead478d227f6d00334ce308ab6ad40ef1e5b90db8cebe121f059e2bfc649e819339e5b66b3effe458aef610df784d5f665fad6b912395ce93db

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/328-226-0x0000000003360000-0x0000000003532000-memory.dmp

Filesize
1.8MB

Download
memory/328-228-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/328-214-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/328-191-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/328-242-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/904-264-0x0000000003260000-0x0000000003432000-memory.dmp

Filesize
1.8MB

Download
memory/904-257-0x00000000027A0000-0x00000000027A9000-memory.dmp

Filesize
36KB

Download
memory/904-256-0x00000000027A0000-0x00000000027A9000-memory.dmp

Filesize
36KB

Download
memory/904-265-0x0000000003260000-0x0000000003432000-memory.dmp

Filesize
1.8MB

Download
memory/904-288-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1720-213-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1720-183-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/1720-182-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/1720-190-0x0000000003460000-0x0000000003632000-memory.dmp

Filesize
1.8MB

Download
memory/1720-154-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1720-220-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-31-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/2032-68-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-58-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2032-0-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-71-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2032-38-0x00000000031A0000-0x0000000003372000-memory.dmp

Filesize
1.8MB

Download
memory/2032-30-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/2032-1-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2032-6-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2032-7-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-10-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-14-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2032-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-21-0x00000000028A0000-0x00000000028B5000-memory.dmp

Filesize
84KB

Download
memory/2032-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2032-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-105-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2152-95-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2152-101-0x00000000006A0000-0x00000000006B5000-memory.dmp

Filesize
84KB

Download
memory/2152-89-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-88-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-91-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-93-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-111-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2152-112-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-106-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2152-92-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-94-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-121-0x00000000033E0000-0x00000000035B2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-85-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2152-139-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-79-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2152-140-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2412-292-0x0000000003450000-0x0000000003622000-memory.dmp

Filesize
1.8MB

Download
memory/2412-271-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2412-315-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2412-293-0x0000000003450000-0x0000000003622000-memory.dmp

Filesize
1.8MB

Download
memory/2496-153-0x00000000034F0000-0x00000000036C2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-145-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/2496-132-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-129-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-131-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-166-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-127-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-116-0x0000000000340000-0x00000000003D5000-memory.dmp

Filesize
596KB

Download
memory/2496-130-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-126-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-122-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-56-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2704-107-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2704-104-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2704-78-0x00000000035D0000-0x00000000037A2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-74-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-72-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2704-64-0x0000000001E40000-0x0000000001E55000-memory.dmp

Filesize
84KB

Download
memory/2704-69-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2704-70-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2704-49-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-109-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2704-46-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2704-40-0x0000000001FD0000-0x0000000002065000-memory.dmp

Filesize
596KB

Download
memory/2848-347-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2848-369-0x0000000000750000-0x0000000000759000-memory.dmp

Filesize
36KB

Download
memory/2916-294-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2916-316-0x0000000000660000-0x0000000000669000-memory.dmp

Filesize
36KB

Download
memory/2916-320-0x0000000003340000-0x0000000003512000-memory.dmp

Filesize
1.8MB

Download
memory/2916-342-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3068-321-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3068-346-0x00000000035D0000-0x00000000037A2000-memory.dmp

Filesize
1.8MB

Download
memory/3068-367-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download