1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Size

924KB
MD5

177bcdc345c7f2d722f6d1f884c5d883
SHA1

fa0df1df598fd0c0171a3246333e5afba50e5f7c
SHA256

1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119
SHA512

ac7b3c51559686018ac04bcca9e498155ec4f5dbf9bab04c28dbdeb9f9869a1ad80ac2885095a2e64b22b9b481dfd8fd337e095ec6f3a9c323febc7d7e7be897
SSDEEP

12288:rAxq8wRkKYCCl47aKHENNyHRFkTiwYfpbPciZl32Cd9QvgIfRmRoRKZ+gm:Uq8wRzYCCKpkcrkTiwYuEFvd9mMRAjp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe

Executes dropped EXE 10 IoCs

pid	Process
2852	svuhost.exe
2116	svuhost.exe
1764	svuhost.exe
2228	svuhost.exe
1252	svuhost.exe
2064	svuhost.exe
2696	svuhost.exe
2936	svuhost.exe
1004	svuhost.exe
1020	svuhost.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
2852	svuhost.exe
2852	svuhost.exe
2852	svuhost.exe
2852	svuhost.exe
2852	svuhost.exe
2852	svuhost.exe
2116	svuhost.exe
2116	svuhost.exe
2116	svuhost.exe
2116	svuhost.exe
2116	svuhost.exe
2116	svuhost.exe
1764	svuhost.exe
1764	svuhost.exe
1764	svuhost.exe
1764	svuhost.exe
1764	svuhost.exe
1764	svuhost.exe
2228	svuhost.exe
2228	svuhost.exe
2228	svuhost.exe
2228	svuhost.exe
2228	svuhost.exe
2228	svuhost.exe
1252	svuhost.exe
1252	svuhost.exe
1252	svuhost.exe
1252	svuhost.exe
1252	svuhost.exe
1252	svuhost.exe
2064	svuhost.exe
2064	svuhost.exe
2064	svuhost.exe
2064	svuhost.exe
2064	svuhost.exe
2064	svuhost.exe
2696	svuhost.exe
2696	svuhost.exe
2696	svuhost.exe
2696	svuhost.exe
2696	svuhost.exe
2696	svuhost.exe
2936	svuhost.exe
2936	svuhost.exe
2936	svuhost.exe
2936	svuhost.exe
2936	svuhost.exe
2936	svuhost.exe
1004	svuhost.exe
1004	svuhost.exe
1004	svuhost.exe
1004	svuhost.exe
1004	svuhost.exe
1004	svuhost.exe
1020	svuhost.exe
1020	svuhost.exe
1020	svuhost.exe
1020	svuhost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svuhost.exe	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeHR\x7fsxD^ksSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "HN~\\\x7fRF`R]vs@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NynW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\leNitKvm\ = "x`mXyJbRcMSOXEtKSX"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@N\|nW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NsnW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ProgID	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "Ze@R\x7fsxD^jDSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Jz~\\\x7fRF@ZSOe`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@N\x7fnW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\leNitKvm\ = "x`mXyJbRcMSOXEtKSX"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@N}nW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "K~~\\\x7fRFNsc}gP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeER\x7fsxD^k@SrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "KN~\\\x7fRFfH^QpP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NrnW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "JR~\\\x7fRFKW~slp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeDR\x7fsxD^jwSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Hj~\\\x7fRFiuvO{P"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "HB~\\\x7fRFTUwVbp"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\leNitKvm	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeER\x7fsxD^jwSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeER\x7fsxD^kQSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "KV~\\\x7fRFZleqb`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "K^~\\\x7fRFjbebSP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Kb~\\\x7fRFV]BxsP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@N}nW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "KB~\\\x7fRFROtqa`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "JN~\\\x7fRF[q`sqP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeGR\x7fsxD^jfSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NpnW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NznW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NynW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Kr~\\\x7fRFztI]v`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NxnW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\leNitKvm\ = "x`mXyJbRcMSOXEtKSX"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "ZeKR\x7fsxD^kbSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Kn~\\\x7fRFbZhXb`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@NqnW_US"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\wnKxpjfYwrdul\ = "maZQgpMN^\x7fNYRiyzFOxRi"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "JV~\\\x7fRFgU[Sc`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\qgWYjn\ = "`cpa@Fk\|PcMHZxcq}GQpbz@N\|nW_US"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Hv~\\\x7fRFmxFoWp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Jr~\\\x7fRFc~yUbP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\euzsLg\ = "ah_CYqz_AyR\\gock}_WLZjhn"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "Hz~\\\x7fRFQwSJO`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32\ = "%systemroot%\\SysWow64\\PortableDeviceApi.dll"	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\VersionIndependentProgID\ = "PortableDeviceManager.PortableDeviceManager"	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "Ze@R\x7fsxD^jKSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\zeghMdyNdfsn\ = "Ze@R\x7fsxD^jDSrqOqQRL\|GfVFWkXx"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ztmXj\ = "HF~\\\x7fRFRYovEp"	svuhost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File created	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Token: 33	2852	svuhost.exe
Token: SeIncBasePriorityPrivilege	2852	svuhost.exe
Token: 33	2116	svuhost.exe
Token: SeIncBasePriorityPrivilege	2116	svuhost.exe
Token: 33	1764	svuhost.exe
Token: SeIncBasePriorityPrivilege	1764	svuhost.exe
Token: 33	2228	svuhost.exe
Token: SeIncBasePriorityPrivilege	2228	svuhost.exe
Token: 33	1252	svuhost.exe
Token: SeIncBasePriorityPrivilege	1252	svuhost.exe
Token: 33	2064	svuhost.exe
Token: SeIncBasePriorityPrivilege	2064	svuhost.exe
Token: 33	2696	svuhost.exe
Token: SeIncBasePriorityPrivilege	2696	svuhost.exe
Token: 33	2936	svuhost.exe
Token: SeIncBasePriorityPrivilege	2936	svuhost.exe
Token: 33	1004	svuhost.exe
Token: SeIncBasePriorityPrivilege	1004	svuhost.exe
Token: 33	1020	svuhost.exe
Token: SeIncBasePriorityPrivilege	1020	svuhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2852	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2852	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2852	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2852	2072	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2116	2852	svuhost.exe	29
PID 2852 wrote to memory of 2116	2852	svuhost.exe	29
PID 2852 wrote to memory of 2116	2852	svuhost.exe	29
PID 2852 wrote to memory of 2116	2852	svuhost.exe	29
PID 2116 wrote to memory of 1764	2116	svuhost.exe	30
PID 2116 wrote to memory of 1764	2116	svuhost.exe	30
PID 2116 wrote to memory of 1764	2116	svuhost.exe	30
PID 2116 wrote to memory of 1764	2116	svuhost.exe	30
PID 1764 wrote to memory of 2228	1764	svuhost.exe	33
PID 1764 wrote to memory of 2228	1764	svuhost.exe	33
PID 1764 wrote to memory of 2228	1764	svuhost.exe	33
PID 1764 wrote to memory of 2228	1764	svuhost.exe	33
PID 2228 wrote to memory of 1252	2228	svuhost.exe	34
PID 2228 wrote to memory of 1252	2228	svuhost.exe	34
PID 2228 wrote to memory of 1252	2228	svuhost.exe	34
PID 2228 wrote to memory of 1252	2228	svuhost.exe	34
PID 1252 wrote to memory of 2064	1252	svuhost.exe	35
PID 1252 wrote to memory of 2064	1252	svuhost.exe	35
PID 1252 wrote to memory of 2064	1252	svuhost.exe	35
PID 1252 wrote to memory of 2064	1252	svuhost.exe	35
PID 2064 wrote to memory of 2696	2064	svuhost.exe	36
PID 2064 wrote to memory of 2696	2064	svuhost.exe	36
PID 2064 wrote to memory of 2696	2064	svuhost.exe	36
PID 2064 wrote to memory of 2696	2064	svuhost.exe	36
PID 2696 wrote to memory of 2936	2696	svuhost.exe	37
PID 2696 wrote to memory of 2936	2696	svuhost.exe	37
PID 2696 wrote to memory of 2936	2696	svuhost.exe	37
PID 2696 wrote to memory of 2936	2696	svuhost.exe	37
PID 2936 wrote to memory of 1004	2936	svuhost.exe	38
PID 2936 wrote to memory of 1004	2936	svuhost.exe	38
PID 2936 wrote to memory of 1004	2936	svuhost.exe	38
PID 2936 wrote to memory of 1004	2936	svuhost.exe	38
PID 1004 wrote to memory of 1020	1004	svuhost.exe	39
PID 1004 wrote to memory of 1020	1004	svuhost.exe	39
PID 1004 wrote to memory of 1020	1004	svuhost.exe	39
PID 1004 wrote to memory of 1020	1004	svuhost.exe	39

C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\svuhost.exe
  C:\Windows\system32\svuhost.exe 728 "C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\svuhost.exe
    C:\Windows\system32\svuhost.exe 760 "C:\Windows\SysWOW64\svuhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\svuhost.exe
      C:\Windows\system32\svuhost.exe 748 "C:\Windows\SysWOW64\svuhost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 764 "C:\Windows\SysWOW64\svuhost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 768 "C:\Windows\SysWOW64\svuhost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 756 "C:\Windows\SysWOW64\svuhost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 772 "C:\Windows\SysWOW64\svuhost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 752 "C:\Windows\SysWOW64\svuhost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 780 "C:\Windows\SysWOW64\svuhost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 788 "C:\Windows\SysWOW64\svuhost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
4b5aff614fd4238a28bdd77ccc8393a4

SHA1
6dec1e6892229a45b9f57ceba97d04863826a523

SHA256
ccc7a8b72a85f29b1dd226a34b6b99d3ad86fa7e2784bd0dd7506e427f94598d

SHA512
083c291d17db91257a8eccf894f926d0129a3b2e90996895b5056127be22afc3e7a3771ca64f0f8959cf3211f3659d62b3afa9abcff5c42ae9123249d0d99899

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
abd63c6f33e36d649484643de83aabba

SHA1
43c03456426c07a5aec553677a6bc3513ed7241f

SHA256
6f1799c0e0303460a4a6b0a8299db230fb4158cb4b3a3267ae2a4aa35686e30a

SHA512
774e4a9183be76ec28bcb02e0336f63eae154ef6783b88006ad08acde11e3e0aec49419fbc5708b219d5bb3009887a916c05727aec8ac5f5867e4467e95d67cd

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
4f0f303b70e3b819c56080fc9a15bef2

SHA1
c799f2dcbcfd44bd090b4225c3f8a7029963db32

SHA256
5a494122052497ac8087000c360bda2e4b7f28ee6ab01ae55cd54546e515dc9b

SHA512
7221afbc9fc3c23d7e2ce0d101330f97f0ed88cf6003ffecdb7519760f02873b10d552274cf1ff6ebe44d8dc97faa70f23fb6635ca6ea994f5d79b02176b169d

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
cf3305ac639b4d8ccf23b5203a48505a

SHA1
3aa8e39cb4c81c42447798bb0b33258f7558f49c

SHA256
0479eb2348879f85a8c7a0d10d5aab0feedb186e3bb830d21cb7f1bb5ec225ad

SHA512
2916eef4216b217fe53b504ba426e600169bef10eb04c6524504c6cb9cc36c802619c1afa8a2b956f4d7e425512a4e1fd6495703a623a4d67b5ac5a6297265d1

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
4a9193f27e38f4cc95340fb4db9a5cb1

SHA1
620454d2faa6ac84e85cb20c57ba3784750cb13d

SHA256
c2b20983481858f74ed720d6ddbbb87a5d28650256b11954332e6acbd85d025b

SHA512
490e20a5042106a089770313731d64012462f0f2d7a4f8343f772e66066ab238d9ac975b41f532af6352cfd44ae6c28e68025c3f6dc2dd941b07142c911cd620

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
f95bcef5b357f8602c8a97cf9bd4e6a5

SHA1
2f47919dcb0020c124a7963514f0daf2f036b198

SHA256
d50c99a7de7a8dac72576501baa6ecabccf4470cfcedb089e30f6ca2e77b7883

SHA512
fb064f00998c30423893b8c45f7efc91f6b225b81d763a1ec58eb2f52903abbbe5d80e55dbd91b28be88914069bdb1074059e6263e74b5125f5b4296e8d74e17

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
ec55d55f4ba1b91a98bb2b1f9781c2be

SHA1
69d050bdfa8b4d7c411db90a53db647bd503ee9f

SHA256
354eb0424c8d0cf46f92112baa774665292a199cb1844bf33e9e3fea87ce07e3

SHA512
7d000a6fc1784da0657b58b1b53ee18d1fdc25a84b26e6906a385bed99453da6e3c5a7e1ad3b53f36754d66cf84f0f326b62b06d79d0d61aa1f90c4e337753d4

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
ad547062f545583fdcc114ad9872e17a

SHA1
63ec2673410aec5edc3557493ff8a39f9858e73f

SHA256
a09abb1c02eb5e67cd91e7a7c08f4966724168c97a9d848b17427d63ccf86136

SHA512
f8a8afa50cb738dd1550d97d7d1f547e78f14a9f77c9ddcd8cddde70253436fe2e002e607d02daa41e67c40e7159fbc17407a98cc8cb21fc426123ed526930ab

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
640f297e219c1c24bc48b8cead94fc0b

SHA1
df689fbf7558fcfc2c6fc1173d144cd154f6ff3b

SHA256
8c63602f3aa571b44dacecc669745ad968d149d4cd74efc3131756a3a2a6cc6e

SHA512
5f31a33372966be0c1182225301d3e557412e14458ce048bf80d3ef675d9dcf2c9814644a202b094e09a59150eeb780ffffe230bb26e7236b4bee35463703778

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
\Windows\SysWOW64\svuhost.exe

Filesize
924KB

MD5
177bcdc345c7f2d722f6d1f884c5d883

SHA1
fa0df1df598fd0c0171a3246333e5afba50e5f7c

SHA256
1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119

SHA512
ac7b3c51559686018ac04bcca9e498155ec4f5dbf9bab04c28dbdeb9f9869a1ad80ac2885095a2e64b22b9b481dfd8fd337e095ec6f3a9c323febc7d7e7be897

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/1004-350-0x0000000003460000-0x0000000003632000-memory.dmp

Filesize
1.8MB

Download
memory/1004-349-0x0000000003460000-0x0000000003632000-memory.dmp

Filesize
1.8MB

Download
memory/1004-345-0x0000000002390000-0x0000000002399000-memory.dmp

Filesize
36KB

Download
memory/1004-322-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1004-374-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1004-344-0x0000000002390000-0x0000000002399000-memory.dmp

Filesize
36KB

Download
memory/1020-351-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1020-369-0x0000000000770000-0x0000000000779000-memory.dmp

Filesize
36KB

Download
memory/1020-368-0x0000000000770000-0x0000000000779000-memory.dmp

Filesize
36KB

Download
memory/1252-218-0x0000000001E60000-0x0000000001E69000-memory.dmp

Filesize
36KB

Download
memory/1252-219-0x0000000001E60000-0x0000000001E69000-memory.dmp

Filesize
36KB

Download
memory/1252-225-0x0000000003330000-0x0000000003502000-memory.dmp

Filesize
1.8MB

Download
memory/1252-190-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1252-254-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-132-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-136-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-117-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-145-0x0000000002880000-0x0000000002889000-memory.dmp

Filesize
36KB

Download
memory/1764-146-0x0000000002880000-0x0000000002889000-memory.dmp

Filesize
36KB

Download
memory/1764-153-0x00000000032C0000-0x0000000003492000-memory.dmp

Filesize
1.8MB

Download
memory/1764-183-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-135-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-121-0x0000000001F00000-0x0000000001F95000-memory.dmp

Filesize
596KB

Download
memory/1764-133-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2064-251-0x0000000002040000-0x0000000002049000-memory.dmp

Filesize
36KB

Download
memory/2064-261-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2064-277-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-21-0x0000000000620000-0x0000000000635000-memory.dmp

Filesize
84KB

Download
memory/2072-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-10-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-7-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-6-0x0000000001FF0000-0x0000000002085000-memory.dmp

Filesize
596KB

Download
memory/2072-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-14-0x0000000001FF0000-0x0000000002085000-memory.dmp

Filesize
596KB

Download
memory/2072-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-46-0x0000000001FF0000-0x0000000002085000-memory.dmp

Filesize
596KB

Download
memory/2072-30-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/2072-0-0x0000000001FF0000-0x0000000002085000-memory.dmp

Filesize
596KB

Download
memory/2072-5-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2072-31-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/2116-111-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-81-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-120-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-112-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-128-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-127-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-116-0x0000000003390000-0x0000000003562000-memory.dmp

Filesize
1.8MB

Download
memory/2116-95-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-106-0x0000000002120000-0x0000000002135000-memory.dmp

Filesize
84KB

Download
memory/2116-109-0x0000000002140000-0x0000000002149000-memory.dmp

Filesize
36KB

Download
memory/2116-101-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-99-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-98-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-97-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-100-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-91-0x00000000005E0000-0x0000000000675000-memory.dmp

Filesize
596KB

Download
memory/2116-94-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2228-176-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/2228-177-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/2228-154-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2228-212-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-316-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-262-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-293-0x0000000003440000-0x0000000003612000-memory.dmp

Filesize
1.8MB

Download
memory/2696-292-0x0000000003440000-0x0000000003612000-memory.dmp

Filesize
1.8MB

Download
memory/2696-287-0x0000000002140000-0x0000000002149000-memory.dmp

Filesize
36KB

Download
memory/2696-288-0x0000000002140000-0x0000000002149000-memory.dmp

Filesize
36KB

Download
memory/2852-58-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-89-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2852-70-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-68-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2852-76-0x0000000003720000-0x00000000038F2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-69-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2852-64-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/2852-57-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-75-0x0000000003720000-0x00000000038F2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-78-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-103-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-39-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-88-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2852-40-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-102-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-59-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-47-0x0000000002040000-0x00000000020D5000-memory.dmp

Filesize
596KB

Download
memory/2852-56-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-51-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-72-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2852-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2936-332-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2936-320-0x00000000034B0000-0x0000000003682000-memory.dmp

Filesize
1.8MB

Download
memory/2936-321-0x00000000034B0000-0x0000000003682000-memory.dmp

Filesize
1.8MB

Download
memory/2936-311-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2936-294-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download