69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7

Analysis

max time kernel
141s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Size

920KB
MD5

0e35d1aa1cd581494bccb286d0c9adff
SHA1

1099d1119361c2a5f4867bcf16e2a25d4874db7b
SHA256

69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7
SHA512

00b0fddcb97dfead478d227f6d00334ce308ab6ad40ef1e5b90db8cebe121f059e2bfc649e819339e5b66b3effe458aef610df784d5f665fad6b912395ce93db
SSDEEP

24576:KeFDHYvmR38IJS7kF6lDJqLGT4RSskUMFiHYrWMj3:7FbR547kQlDJqDzHsl

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe

Executes dropped EXE 10 IoCs

pid	Process
2308	svehost.exe
4484	svehost.exe
400	svehost.exe
2356	svehost.exe
2268	svehost.exe
3328	svehost.exe
1548	svehost.exe
4520	svehost.exe
4156	svehost.exe
3912	svehost.exe

Loads dropped DLL 33 IoCs

pid	Process
3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
2308	svehost.exe
2308	svehost.exe
2308	svehost.exe
4484	svehost.exe
4484	svehost.exe
4484	svehost.exe
400	svehost.exe
400	svehost.exe
400	svehost.exe
2356	svehost.exe
2356	svehost.exe
2356	svehost.exe
2268	svehost.exe
2268	svehost.exe
2268	svehost.exe
3328	svehost.exe
3328	svehost.exe
3328	svehost.exe
1548	svehost.exe
1548	svehost.exe
1548	svehost.exe
4520	svehost.exe
4520	svehost.exe
4520	svehost.exe
4156	svehost.exe
4156	svehost.exe
4156	svehost.exe
3912	svehost.exe
3912	svehost.exe
3912	svehost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\VersionIndependentProgID	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AlhDJeApE}N_\|"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A]hDJeA}am`d\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A\\hDJeA\x7f@hx~@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NrnW_USZeKR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A[hDJeApwMF^X"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jhtStrixPhv = "Z_GyRDgnCk{_WTZkHnfcpy@GK"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jhtStrixPhv = "Z_GyRDgnCk{_WTZkHnfcpy@GK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@N\x7fnW_USZeFR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^jwSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NpnW_USZeIR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^hLSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\VersionIndependentProgID\ = "DXImageTransform.Microsoft.CrBlinds"	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jhtStrixPhv = "Z_GyRDgnCk{_WTZkHnfcpy@GK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^jwSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AQhDJeAztbzkP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@N\x7fnW_USZeFR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AuhDJeAxJ`~VT"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^k@SrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^kQSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NxnW_USZeAR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jhtStrixPhv = "Z_GyRDgnCk{_WTZkHnfcpy@GK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ProgID\ = "DXImageTransform.Microsoft.CrBlinds.1"	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^jDSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AthDJeAzkefLH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A_hDJeArARPz\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NpnW_USZeIR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AZhDJeA{wd^]l"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ProgID	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NxnW_USZeAR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\rmiksq = "YRiyzFOxRiah_CYp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AahDJeAuqwLJl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\rmiksq = "YRiyzFOxRiah_CYp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NznW_USZeCR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A\x7fhDJeAtGI\x7fpP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A~hDJeA\x7fG`gsd"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AdhDJeAu~_`qp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NqnW_USZeHR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\rmiksq = "YRiyzFOxRiah_CYp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^ksSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@NxnW_USZeAR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AshDJeArPqeal"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AhhDJeArsbX{x"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^kQSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^kbSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_AYhDJeAxPmj~d"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32\ThreadingModel = "Both"	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ToolBoxBitmap32	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zbbpKsmlG = "\|VcMPZyCq{GQhbz@N~nW_USZeGR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\rmiksq = "YRiyzFOxRiah_CYp"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\jhtStrixPhv = "Z_GyRDgnCk{_WTZkHnfcpy@GK"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^ksSrqOqQb~ISPA"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\nUmy = "uOTpSIYZc_A^hDJeAyA{Hyh"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\cfIjuch = "x`mXyJbRcMSOXEtKSXuaZQgvMN^\x7fN"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\vRazsag = "\x7fsxD^kbSrqOqQb~ISPA"	svehost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File created	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svehost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
Token: 33	2308	svehost.exe
Token: SeIncBasePriorityPrivilege	2308	svehost.exe
Token: 33	4484	svehost.exe
Token: SeIncBasePriorityPrivilege	4484	svehost.exe
Token: 33	400	svehost.exe
Token: SeIncBasePriorityPrivilege	400	svehost.exe
Token: 33	2356	svehost.exe
Token: SeIncBasePriorityPrivilege	2356	svehost.exe
Token: 33	2268	svehost.exe
Token: SeIncBasePriorityPrivilege	2268	svehost.exe
Token: 33	3328	svehost.exe
Token: SeIncBasePriorityPrivilege	3328	svehost.exe
Token: 33	1548	svehost.exe
Token: SeIncBasePriorityPrivilege	1548	svehost.exe
Token: 33	4520	svehost.exe
Token: SeIncBasePriorityPrivilege	4520	svehost.exe
Token: 33	4156	svehost.exe
Token: SeIncBasePriorityPrivilege	4156	svehost.exe
Token: 33	3912	svehost.exe
Token: SeIncBasePriorityPrivilege	3912	svehost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2308	3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	80
PID 3772 wrote to memory of 2308	3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	80
PID 3772 wrote to memory of 2308	3772	0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe	80
PID 2308 wrote to memory of 4484	2308	svehost.exe	81
PID 2308 wrote to memory of 4484	2308	svehost.exe	81
PID 2308 wrote to memory of 4484	2308	svehost.exe	81
PID 4484 wrote to memory of 400	4484	svehost.exe	84
PID 4484 wrote to memory of 400	4484	svehost.exe	84
PID 4484 wrote to memory of 400	4484	svehost.exe	84
PID 400 wrote to memory of 2356	400	svehost.exe	88
PID 400 wrote to memory of 2356	400	svehost.exe	88
PID 400 wrote to memory of 2356	400	svehost.exe	88
PID 2356 wrote to memory of 2268	2356	svehost.exe	91
PID 2356 wrote to memory of 2268	2356	svehost.exe	91
PID 2356 wrote to memory of 2268	2356	svehost.exe	91
PID 2268 wrote to memory of 3328	2268	svehost.exe	92
PID 2268 wrote to memory of 3328	2268	svehost.exe	92
PID 2268 wrote to memory of 3328	2268	svehost.exe	92
PID 3328 wrote to memory of 1548	3328	svehost.exe	93
PID 3328 wrote to memory of 1548	3328	svehost.exe	93
PID 3328 wrote to memory of 1548	3328	svehost.exe	93
PID 1548 wrote to memory of 4520	1548	svehost.exe	94
PID 1548 wrote to memory of 4520	1548	svehost.exe	94
PID 1548 wrote to memory of 4520	1548	svehost.exe	94
PID 4520 wrote to memory of 4156	4520	svehost.exe	95
PID 4520 wrote to memory of 4156	4520	svehost.exe	95
PID 4520 wrote to memory of 4156	4520	svehost.exe	95
PID 4156 wrote to memory of 3912	4156	svehost.exe	96
PID 4156 wrote to memory of 3912	4156	svehost.exe	96
PID 4156 wrote to memory of 3912	4156	svehost.exe	96

C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\svehost.exe
  C:\Windows\system32\svehost.exe 1424 "C:\Users\Admin\AppData\Local\Temp\0e35d1aa1cd581494bccb286d0c9adff_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 1444 "C:\Windows\SysWOW64\svehost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 1468 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1456 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1464 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1448 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1440 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1480 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1452 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1488 "C:\Windows\SysWOW64\svehost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
a262ff7ed9962d5894827ab035e73b3e

SHA1
791e0327fbe0d686b664e07c1f763c8fb43cd8b6

SHA256
a6aac4e14a1293e9668a7c2cf503800b8f4ef51f1961c388950a7c295d1f09e3

SHA512
5ed80f360ac81026dc76f4a96a545f3268f032451e78be93bf8b5d636a1e4553913c0acd3781cdcf0560655e5536a9e1788a9d69b858660c14ed41079067b8cd

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
5f2e32fef5b82c1ac7adba825a9446a2

SHA1
b1d189c1dbe62fe5dc51b0531f64f705e949aad3

SHA256
f3aee381f30accc44818e763fee8cf622a12f884f85f95c8185b472e6aeb6f81

SHA512
9d0de072c6c9ebe32bd911fcfa6a838953229fbb96d9b905e40d88ac7359ab49d697bf446b7bbd6ec4eded53b07255089ab0d238ff4e5d26e8385d79b8857e08

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
06b39d387b239ada0aecafd2efdcb8ec

SHA1
5955cfc3f918361c3cbe83a897bc122d96df0ee9

SHA256
136508427ca385b7e0f9567fe0991258a4c6ce0eea3695006e7212963266f9f6

SHA512
ed0624a4ab8cf5a0e15091c8f33b0c6d9a3edfc13d24c38bdc4e20df3f364fbcbd8a071487404212efd4241129e2cefd77861375248f69ce2177ebb9e4b81cfc

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
8bae03c16d831c603a3f2af62d4d95c3

SHA1
7b8a6e4b7958c0f7e744a38d4e4a3064bc7e0d71

SHA256
9461e7e5e4500f678d31eba485d899bce29d1d5f51a69f6c0832b1aecebfe682

SHA512
beb3fb7bd8eaef2b587d0cf1f03c969802ab64513a9a189617372c0a1c8fa5d0e2954583179777c0a871592b3f746f807a568ba3fe7fb388f059b9651a70868d

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
eb3faca3e8d40f42ed705c0d15222a71

SHA1
ebf3d1dd3b74368b61cc945e40da101f2ce4bbe7

SHA256
9357ce8cb7fda01ab41f76b550223c5e32fa9feeaac6352f513b67d1f7d41f6b

SHA512
95637b5f43cd9d78a0c74e09158f77ddae9893ef303d7101f626613d8cb2688a544ae50dcfbfa7a0705cfe3e11af6c1be42b1218815bc0e4652a846d5d687c2e

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
10b91e005bc6f7b929c572b267b984bd

SHA1
b61143e42938fa71a1aa8973d41098c28fc88824

SHA256
63a61eb39b995a4f5598f12de590ccc85186c9c9caa22663639a1bcda2ddec20

SHA512
86b9bb616694d409a84c464df98aaafe7272d8c5205786df4ecdc9b1c8bdacecfcabf21ec1823013a1277c2b825d0e950e5182eb178b9397e6a99abe8d64a6cd

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
77fb4890bd7958cee8b79a485ff644eb

SHA1
cd8045f4b98348f16f0d868154fd108db803a79c

SHA256
3bdfcb8926dac68c3027a4172b94764f28e4e494a43d72835fae53176b7bb767

SHA512
c5a8a4d8cf57d80f438c5bb301eac39fe1be5071b760ea48df91564695f87eff10351ede69aafa61ece26e4c45c40b4ccb5b04b6e09345bc334213f5b38a9fa1

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
4d31eb933ea068739f4f83d86a110321

SHA1
d1ad770f96c1f9150cff73849963e71e280ba03c

SHA256
13af62efcc11032556ce939312d836f9ebe5da25a0ab0bccd9178cf354fe1a76

SHA512
cb8f1dc234b65becf63949a0d84910a7611e41e24b575856c111c56fdd36a516aede3eb1d8d9cf01132f037116f4ae44a7ed4797e08341acb177d371bc395de1

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
f08d21c7b74c21069008bad58bc5f4a2

SHA1
989db1e2315f6a132633342f573eab3390731b24

SHA256
7e1a51c1e4e9f5db838d3ebc5ee3f79f782d109bd9fe4facc0424d1e15b8242d

SHA512
370c48d7cba7fe3a72ed3692daf73cd0fc827d8574444993855c56791ae0e5a010996a565913af0a7f812b867fbdfebef37edda308f0c5a3887329a40338f8a0

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
edbb504c89d700bff1b300f0b9450439

SHA1
5b83a9a74032b79d135bf095fe8521cbe0539958

SHA256
90bbda80d1ead9739030315ab4e98b548334a24e93ccdc05f1783ba11ea76280

SHA512
10db16906d5b73d31abb8033d2e64b064540ee19a6ad9e0a74ff512bcf240d3b4c6a3341a6ed29783c0219ce4e5af09aee5676f507e5b7a73c0ce92bb6a21db6

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
79b6e7de1c96855c760ac15ff6d6621d

SHA1
eef91f39e48f1425648d5f84ffdee08e96979005

SHA256
9ba0c8c72a6aaf84850ba44ecea1ce5f2d646b12596c0723f463b636b3fffdc9

SHA512
72ad690d624e34a4debf1240aafb477a49e3b4b8981beb2e548fee1024f362e4d8b69c45a3dc252631bcfd5a48907403ccf8b5eca4e660a1cb2a31019282b33c

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
87eaff9e29534ca0a65322dcd22567d3

SHA1
be51a770e977600bd1171d1bf1ba3f5e6610848d

SHA256
68dcf36d5806bdc998e67de071ef6381f846155bde7163695cf09a2df4789bf7

SHA512
4eaf87a721fb8a55c9a4aaf74fff207c024034a7005822fc5debd1ebefd27b206c9751502d69172bae5f0675034acede5ec2b907a22b5efa8577ad4aeca01f33

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
5d4115c7f540a8f1ac548129f11b67e4

SHA1
fced60e83b8507b73b9a122cb18d93dafab718e0

SHA256
82f866eec5ffb3813ea6f9ec8e9cb822d89ebc69e72be3f1539eb9e0e0433f4b

SHA512
1ad8c8b1c0488063e30c32aa45fd16f2b190f6723272309c7fcfbf0135d173f033ac3c2baabde6fd9f6f4fc39a75f8d13fe65092eccad021cdb4e9feaf707e8a

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
b4163dba9904c1d93ba3ec4f2391b4a5

SHA1
84313422c428017ba816bb9257f7e71336bbed98

SHA256
1d7a11819a831dc547b880af422b9ab24d08ad1593c8b15f4d448780f99042bd

SHA512
5b6d8a5f417c26ca8aac2bb194d3278fbf9f3a00e4d8cfd2b546c1d799564ffe1c1d1e459ba8732fb88adb92828df664cc05275b13e449aac55b882576756fad

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
68445ca458d83301d3bc0bebb74a630e

SHA1
bfc7678b0045ceedac3fe33cbc7f08387ee4b894

SHA256
2d318365f94592fd9d611a22bb299d226fae6b690126cc2ffa1cea661069e9d0

SHA512
52c90abe86c336e4c713b8ec04500ff1bea97a6825228d2387c95dd6fd2652816cf3223851f58b90ba3b62f7b298ceff2b5fbf4c29d6447284177abaa12caab5

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
3642b3a3de0b0229b690e8a026f6c929

SHA1
005a563d6249c06470374882c79732bd0609cb3e

SHA256
6d571ba01988198f4f795991c70f9cb976da56fad66d2f30ec86869a8ec0088c

SHA512
f7322ebea7b37e38d144594c41ef4db94161403b4203a91b780ffc32363f2ead5a98aefa5490f1624e789ee23f42a945711b4e7d1d25f7d44dccdbb9424c7330

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
cf0ef82c54a201bad4cb8f3237eb0116

SHA1
90fc4cc545b2abe55a8f171adb44e92cb47dbd2c

SHA256
ee755c801b50c1de95fb807f0f64b8feb4793215734b508fc172987d0361b5d5

SHA512
99612585c0c87d03a3d0d6637dff3b566ea6a6d213114ce7a4ff174c9000f7dae8e7067aac67c51f6ae1778065cb75fe6a843e9a1307923b352ceaa413773eea

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
103B

MD5
c848565d55bf26d47f0f2f97ee61aad8

SHA1
c0ee8001d5462fd84d37caf1aaa9dd6e37bbe680

SHA256
cd3f3c99c45b218c9b6d039418edf20f9c2fecff64387942394960d1fdcdb795

SHA512
8ffc716c560f90c1abc8000ffcd20c06fc9c77ce5b966f4e5013c8ec2ab0f3559c0feb1e4cb8d1db49b59aac4ebb7e4fe7adfeca537c1254a7460dae05f551c4

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\svehost.exe

Filesize
920KB

MD5
0e35d1aa1cd581494bccb286d0c9adff

SHA1
1099d1119361c2a5f4867bcf16e2a25d4874db7b

SHA256
69e885cae86457c4a4b21095555cd0906ff22dfc34b65b0b45b633aaae30dda7

SHA512
00b0fddcb97dfead478d227f6d00334ce308ab6ad40ef1e5b90db8cebe121f059e2bfc649e819339e5b66b3effe458aef610df784d5f665fad6b912395ce93db

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/400-117-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-160-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-112-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-103-0x0000000002190000-0x0000000002225000-memory.dmp

Filesize
596KB

Download
memory/400-114-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-111-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/400-115-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1548-284-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2268-222-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-42-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-67-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-65-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-63-0x0000000002750000-0x0000000002765000-memory.dmp

Filesize
84KB

Download
memory/2308-37-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-56-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-51-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-90-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-93-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-92-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2308-57-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/2308-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2356-191-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3328-253-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-9-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-1-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-48-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-24-0x0000000003260000-0x0000000003275000-memory.dmp

Filesize
84KB

Download
memory/3772-15-0x0000000000A00000-0x0000000000A95000-memory.dmp

Filesize
596KB

Download
memory/3772-3-0x0000000000A00000-0x0000000000A95000-memory.dmp

Filesize
596KB

Download
memory/3772-49-0x0000000000A00000-0x0000000000A95000-memory.dmp

Filesize
596KB

Download
memory/3772-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-14-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3772-7-0x0000000000A00000-0x0000000000A95000-memory.dmp

Filesize
596KB

Download
memory/4156-344-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-82-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-83-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-129-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/4484-100-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-98-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/4484-97-0x0000000000B80000-0x0000000000B95000-memory.dmp

Filesize
84KB

Download
memory/4484-79-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-128-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-85-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-86-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/4484-70-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/4484-80-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4484-75-0x00000000021C0000-0x0000000002255000-memory.dmp

Filesize
596KB

Download
memory/4520-311-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download