1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Size

924KB
MD5

177bcdc345c7f2d722f6d1f884c5d883
SHA1

fa0df1df598fd0c0171a3246333e5afba50e5f7c
SHA256

1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119
SHA512

ac7b3c51559686018ac04bcca9e498155ec4f5dbf9bab04c28dbdeb9f9869a1ad80ac2885095a2e64b22b9b481dfd8fd337e095ec6f3a9c323febc7d7e7be897
SSDEEP

12288:rAxq8wRkKYCCl47aKHENNyHRFkTiwYfpbPciZl32Cd9QvgIfRmRoRKZ+gm:Uq8wRzYCCKpkcrkTiwYuEFvd9mMRAjp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svuhost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svuhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svuhost.exe

Executes dropped EXE 10 IoCs

pid	Process
4184	svuhost.exe
2756	svuhost.exe
1988	svuhost.exe
4308	svuhost.exe
4404	svuhost.exe
1288	svuhost.exe
1900	svuhost.exe
2284	svuhost.exe
2220	svuhost.exe
3960	svuhost.exe

Loads dropped DLL 33 IoCs

pid	Process
4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
4184	svuhost.exe
4184	svuhost.exe
4184	svuhost.exe
2756	svuhost.exe
2756	svuhost.exe
2756	svuhost.exe
1988	svuhost.exe
1988	svuhost.exe
1988	svuhost.exe
4308	svuhost.exe
4308	svuhost.exe
4308	svuhost.exe
4404	svuhost.exe
4404	svuhost.exe
4404	svuhost.exe
1288	svuhost.exe
1288	svuhost.exe
1288	svuhost.exe
1900	svuhost.exe
1900	svuhost.exe
1900	svuhost.exe
2284	svuhost.exe
2284	svuhost.exe
2284	svuhost.exe
2220	svuhost.exe
2220	svuhost.exe
2220	svuhost.exe
3960	svuhost.exe
3960	svuhost.exe
3960	svuhost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File opened for modification	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe
File created	C:\Windows\SysWOW64\packet.dll	svuhost.exe
File created	C:\Windows\SysWOW64\svuhost.exe	svuhost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\pybfnn\ = "x`mXyJbRcMSOXEtKSXmaZQg"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32\ThreadingModel = "Both"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJZ~\\\x7fRFtdjTKp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKN~\\\x7fRFfH^QpP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NqnW_USZeHR\x7fsxD^ksSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32\ = "combase.dll"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NznW_USZeCR\x7fsxD^jKSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJJ~\\\x7fRFwsES~@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NrnW_USZeKR\x7fsxD^kbSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\AppID = "{0A886F29-465A-4aea-8B8E-BE926BFAE83E}"	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N\x7fnW_USZeFR\x7fsxD^jUSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKn~\\\x7fRFbZhXb`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NrnW_USZeKR\x7fsxD^kQSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NrnW_USZeKR\x7fsxD^kbSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxH~~\\\x7fRF}uvj@p"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKr~\\\x7fRFztI]v`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxK~~\\\x7fRFNsc}gP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxHB~\\\x7fRFTUwVbp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJR~\\\x7fRFlaeTUP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJV~\\\x7fRFTHnTk@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxHz~\\\x7fRFQwSJO`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NxnW_USZeAR\x7fsxD^jDSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N~nW_USZeGR\x7fsxD^jUSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N\|nW_USZeER\x7fsxD^jwSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N\|nW_USZeER\x7fsxD^k@Srq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJN~\\\x7fRF[q`sqP"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N}nW_USZeDR\x7fsxD^jwSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\pybfnn\ = "x`mXyJbRcMSOXEtKSXmaZQg"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NpnW_USZeIR\x7fsxD^ksSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NxnW_USZeAR\x7fsxD^jKSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxJF~\\\x7fRFp]ul\x7f@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N\x7fnW_USZeFR\x7fsxD^jUSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKz~\\\x7fRFbqF]h@"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N\|nW_USZeER\x7fsxD^k@Srq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@NynW_USZe@R\x7fsxD^jKSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N~nW_USZeGR\x7fsxD^jfSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxHb~\\\x7fRFe[WoTp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKR~\\\x7fRF^eOBB`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKv~\\\x7fRFB]B]Hp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\pybfnn\ = "x`mXyJbRcMSOXEtKSXmaZQg"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\pybfnn\ = "x`mXyJbRcMSOXEtKSXmaZQg"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxHF~\\\x7fRFRYovEp"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\tcJhHmQF\ = "}GQpbz@N~nW_USZeGR\x7fsxD^jfSrq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\oItrikktHFsh\ = "pMN^\x7fNYRiyzFOxRiah_CYqz_"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\pybfnn\ = "x`mXyJbRcMSOXEtKSXmaZQg"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKV~\\\x7fRFfLDB\|p"	svuhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\InprocServer32	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\iqaxavBkmkcq\ = "OqQRL\|GfVFWkXxKB~\\\x7fRFROtqa`"	svuhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA}\ZIkgnst\ = "AyR\\gock}_WLZjhn`cpa@Fk\|PcMHZxcq"	svuhost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe
File opened for modification	C:\ProgramData\TEMP:466F9D5D	svuhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
Token: 33	4184	svuhost.exe
Token: SeIncBasePriorityPrivilege	4184	svuhost.exe
Token: 33	2756	svuhost.exe
Token: SeIncBasePriorityPrivilege	2756	svuhost.exe
Token: 33	1988	svuhost.exe
Token: SeIncBasePriorityPrivilege	1988	svuhost.exe
Token: 33	4308	svuhost.exe
Token: SeIncBasePriorityPrivilege	4308	svuhost.exe
Token: 33	4404	svuhost.exe
Token: SeIncBasePriorityPrivilege	4404	svuhost.exe
Token: 33	1288	svuhost.exe
Token: SeIncBasePriorityPrivilege	1288	svuhost.exe
Token: 33	1900	svuhost.exe
Token: SeIncBasePriorityPrivilege	1900	svuhost.exe
Token: 33	2284	svuhost.exe
Token: SeIncBasePriorityPrivilege	2284	svuhost.exe
Token: 33	2220	svuhost.exe
Token: SeIncBasePriorityPrivilege	2220	svuhost.exe
Token: 33	3960	svuhost.exe
Token: SeIncBasePriorityPrivilege	3960	svuhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4184	4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	83
PID 4864 wrote to memory of 4184	4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	83
PID 4864 wrote to memory of 4184	4864	177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe	83
PID 4184 wrote to memory of 2756	4184	svuhost.exe	91
PID 4184 wrote to memory of 2756	4184	svuhost.exe	91
PID 4184 wrote to memory of 2756	4184	svuhost.exe	91
PID 2756 wrote to memory of 1988	2756	svuhost.exe	93
PID 2756 wrote to memory of 1988	2756	svuhost.exe	93
PID 2756 wrote to memory of 1988	2756	svuhost.exe	93
PID 1988 wrote to memory of 4308	1988	svuhost.exe	95
PID 1988 wrote to memory of 4308	1988	svuhost.exe	95
PID 1988 wrote to memory of 4308	1988	svuhost.exe	95
PID 4308 wrote to memory of 4404	4308	svuhost.exe	96
PID 4308 wrote to memory of 4404	4308	svuhost.exe	96
PID 4308 wrote to memory of 4404	4308	svuhost.exe	96
PID 4404 wrote to memory of 1288	4404	svuhost.exe	97
PID 4404 wrote to memory of 1288	4404	svuhost.exe	97
PID 4404 wrote to memory of 1288	4404	svuhost.exe	97
PID 1288 wrote to memory of 1900	1288	svuhost.exe	98
PID 1288 wrote to memory of 1900	1288	svuhost.exe	98
PID 1288 wrote to memory of 1900	1288	svuhost.exe	98
PID 1900 wrote to memory of 2284	1900	svuhost.exe	99
PID 1900 wrote to memory of 2284	1900	svuhost.exe	99
PID 1900 wrote to memory of 2284	1900	svuhost.exe	99
PID 2284 wrote to memory of 2220	2284	svuhost.exe	100
PID 2284 wrote to memory of 2220	2284	svuhost.exe	100
PID 2284 wrote to memory of 2220	2284	svuhost.exe	100
PID 2220 wrote to memory of 3960	2220	svuhost.exe	101
PID 2220 wrote to memory of 3960	2220	svuhost.exe	101
PID 2220 wrote to memory of 3960	2220	svuhost.exe	101

C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\svuhost.exe
  C:\Windows\system32\svuhost.exe 1424 "C:\Users\Admin\AppData\Local\Temp\177bcdc345c7f2d722f6d1f884c5d883_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\svuhost.exe
    C:\Windows\system32\svuhost.exe 1440 "C:\Windows\SysWOW64\svuhost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\svuhost.exe
      C:\Windows\system32\svuhost.exe 1460 "C:\Windows\SysWOW64\svuhost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1464 "C:\Windows\SysWOW64\svuhost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1468 "C:\Windows\SysWOW64\svuhost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1432 "C:\Windows\SysWOW64\svuhost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1476 "C:\Windows\SysWOW64\svuhost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1456 "C:\Windows\SysWOW64\svuhost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1484 "C:\Windows\SysWOW64\svuhost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\svuhost.exe
        
        C:\Windows\system32\svuhost.exe 1452 "C:\Windows\SysWOW64\svuhost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
5890b6fd0d35c03969f36a63669f7b65

SHA1
b1a6c355f1e1ff1dd5c053d43dddfbe09193793f

SHA256
ff20174f820b7e34cb62bbcc0e30a39d3d20afc69839b6e4a4c62fae66151fb9

SHA512
a286311a930ba7422a868535c93a7fd0db9c93c59912b9d64e9fcaa1b3d72a855b405425d26c8a40031b0be71a1f872daea4c92aad083683440a9151620bfaec

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
abd63c6f33e36d649484643de83aabba

SHA1
43c03456426c07a5aec553677a6bc3513ed7241f

SHA256
6f1799c0e0303460a4a6b0a8299db230fb4158cb4b3a3267ae2a4aa35686e30a

SHA512
774e4a9183be76ec28bcb02e0336f63eae154ef6783b88006ad08acde11e3e0aec49419fbc5708b219d5bb3009887a916c05727aec8ac5f5867e4467e95d67cd

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
249a2f56c97b886422d1e24d4397a8ca

SHA1
51e49793a5c05c424afde70f83efa3ed5338d784

SHA256
0e9c4ae0d5852fce0df29d909fc4f926a31ff22a19506ff5c4567a999f052a14

SHA512
7c97ad3eda4b9504bbe9392e462df7828ef6d43a049de82cd4700e3ca87fc39b09b9c8e723d5fbcc63c50a0e5e179c9d04f16f6e06bfd8c715857426cb447863

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
cf3305ac639b4d8ccf23b5203a48505a

SHA1
3aa8e39cb4c81c42447798bb0b33258f7558f49c

SHA256
0479eb2348879f85a8c7a0d10d5aab0feedb186e3bb830d21cb7f1bb5ec225ad

SHA512
2916eef4216b217fe53b504ba426e600169bef10eb04c6524504c6cb9cc36c802619c1afa8a2b956f4d7e425512a4e1fd6495703a623a4d67b5ac5a6297265d1

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
4a9193f27e38f4cc95340fb4db9a5cb1

SHA1
620454d2faa6ac84e85cb20c57ba3784750cb13d

SHA256
c2b20983481858f74ed720d6ddbbb87a5d28650256b11954332e6acbd85d025b

SHA512
490e20a5042106a089770313731d64012462f0f2d7a4f8343f772e66066ab238d9ac975b41f532af6352cfd44ae6c28e68025c3f6dc2dd941b07142c911cd620

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
9fe6dac9d5b634ee28c775231054b2df

SHA1
fa3f7e3d0cdd187c81e391a09cc975e7df0f3736

SHA256
2a3b01751642f325fd2b6bc486e14174197b0eca58d6e3bca7da247f32f79067

SHA512
96b89d6748933139ea0e72e4b6291c2a088b8c68be519ccaadd03a6a855e7a313c28b0eda124bd01f84a29d2648ed9a9c419803d8e98e4d8f2e9171117bd1156

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
ec55d55f4ba1b91a98bb2b1f9781c2be

SHA1
69d050bdfa8b4d7c411db90a53db647bd503ee9f

SHA256
354eb0424c8d0cf46f92112baa774665292a199cb1844bf33e9e3fea87ce07e3

SHA512
7d000a6fc1784da0657b58b1b53ee18d1fdc25a84b26e6906a385bed99453da6e3c5a7e1ad3b53f36754d66cf84f0f326b62b06d79d0d61aa1f90c4e337753d4

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
ce05d5535edd42ccddd94aa2e4b5c37e

SHA1
b8c8d589cf3071a81f5c464b5963cff2279ac162

SHA256
f3cbafd74c9f4e0f413894dbc425b8d10b8732122fcf94c4c6aacd982385f4f8

SHA512
a2cf3dddd4a018ed4316c5fe513a32d78029670a0c769671f820355eadd010c7aa47c1e502e99b2fb6dfa2f00e7ec97a9ab164ea713e36773974298d98d0632e

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
a12aaccc9a2ef8ddd5a0b229d4e4374a

SHA1
86d51474c5de71ff115e33d73e7d15630781af69

SHA256
10c80be2f4abded18b41914f38097168b4fb864b78df020de433e3ba97ede7dc

SHA512
b028b961ab765ebd62c679bdba863b10ee6153c3464126bff7e71a237955ff9ed71777066b57ced00ea3b9ba48cd08ebb93f632c21c64b834c87aff683e7e766

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
3e59af2c05b6c1c8a3ba8174c59143d3

SHA1
410997ac2746583ac7770b70437fa7b98021af46

SHA256
0221fd193da4c9bd3aad087eb2f02b798017e0cb5647df6a765166586b4093d1

SHA512
d132e28f70abdb4f8a0e2956ff365e051ba74c588be8888d29cdb2054a4b2cf754cc2f2a50bf14511480990b121cf350d24b98402753a6623fba2f1c141b64ff

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
2610f11d56490def49d952fbee7e838a

SHA1
ba3a74d0942b43ff39e2201e97082301236252af

SHA256
25017905188bca66684ff055acbda9164e8a08ded03a7cb5b9935bed73e46b35

SHA512
90330ec3fd1d3b03a454332d1b9bd951448a5c8508eeb1b005fa0693b95167ec2fdc806b4e68d91570efc0b956139d1d513daee4b6829cf4e66b5174cb62f511

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
caf6657287ef904a1cccafe3f741ff59

SHA1
68a64251ffd2b086a71ec6330a3834a74f82b7d4

SHA256
e4f188de7e4d38be9024d146fb496d48d23fe1d61bc49512ba94bd45a2a76938

SHA512
0c319dff9410a1771a1dddf0e23157b5b28aea5b3b5862b0dc135a74c3a1ab7be9313a8ef5baeda0aefde4a51229fc1fa448fd94398c3e6d1893f695a5ef7617

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
ac1dae5ae8ffd26cb150e6ef48d9581b

SHA1
bb0ba41cd4e7d2f4c36bd5b81563ff8a0238fce1

SHA256
dac91df0de1eed52ee3e3245ade6e3a25c86cc7393ff5bf5fc62426580086b64

SHA512
9368505fc6e057f1449b424a8fcf3ef9b169db5c478e9e3f8574da862295110a8e428f02f635287e7a14ab8f6672cef34ecb733ee6903c72d4370d4142e1f4a3

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
183a9c2ff84c77d60d5aa1676dea6f90

SHA1
cd29bb53c665dea17cc8cb47dec52b2c45b3aed2

SHA256
41c4bb192a032d4d5a914756e42f87c6a7ee10acc01ca1f2ebbf27475775cb9b

SHA512
f56de3c430162973378cc578e97bf2940f336c3d87d0af0c5be2287aaead2fc6130fe9612f90f2a3e510bdc9876a939317e5a5354ef89858fe5e7d33c0840303

Download Submit
C:\ProgramData\TEMP:466F9D5D

Filesize
99B

MD5
640f297e219c1c24bc48b8cead94fc0b

SHA1
df689fbf7558fcfc2c6fc1173d144cd154f6ff3b

SHA256
8c63602f3aa571b44dacecc669745ad968d149d4cd74efc3131756a3a2a6cc6e

SHA512
5f31a33372966be0c1182225301d3e557412e14458ce048bf80d3ef675d9dcf2c9814644a202b094e09a59150eeb780ffffe230bb26e7236b4bee35463703778

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\svuhost.exe

Filesize
924KB

MD5
177bcdc345c7f2d722f6d1f884c5d883

SHA1
fa0df1df598fd0c0171a3246333e5afba50e5f7c

SHA256
1c65b51acf75be143c63e6ab89a6bc3016c9f1ae8316c1be50f8e97d04b28119

SHA512
ac7b3c51559686018ac04bcca9e498155ec4f5dbf9bab04c28dbdeb9f9869a1ad80ac2885095a2e64b22b9b481dfd8fd337e095ec6f3a9c323febc7d7e7be897

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/1288-253-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1900-280-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-111-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-113-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-155-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-114-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-115-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-110-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1988-102-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/1988-106-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2220-342-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2284-315-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-124-0x0000000002290000-0x0000000002325000-memory.dmp

Filesize
596KB

Download
memory/2756-98-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-79-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-85-0x0000000002290000-0x0000000002325000-memory.dmp

Filesize
596KB

Download
memory/2756-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-82-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-81-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-83-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-74-0x0000000002290000-0x0000000002325000-memory.dmp

Filesize
596KB

Download
memory/2756-123-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-78-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2756-69-0x0000000002290000-0x0000000002325000-memory.dmp

Filesize
596KB

Download
memory/2756-95-0x00000000032A0000-0x00000000032B5000-memory.dmp

Filesize
84KB

Download
memory/2756-96-0x0000000002290000-0x0000000002325000-memory.dmp

Filesize
596KB

Download
memory/4184-49-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-90-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-66-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-64-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4184-62-0x0000000002510000-0x0000000002525000-memory.dmp

Filesize
84KB

Download
memory/4184-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-56-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4184-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-43-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4184-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-42-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-89-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4184-37-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4184-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4184-91-0x00000000020C0000-0x0000000002155000-memory.dmp

Filesize
596KB

Download
memory/4308-134-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4308-191-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4404-218-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-47-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-44-0x0000000000AE0000-0x0000000000B75000-memory.dmp

Filesize
596KB

Download
memory/4864-1-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-24-0x0000000002700000-0x0000000002715000-memory.dmp

Filesize
84KB

Download
memory/4864-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-14-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-15-0x0000000000AE0000-0x0000000000B75000-memory.dmp

Filesize
596KB

Download
memory/4864-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-9-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4864-7-0x0000000000AE0000-0x0000000000B75000-memory.dmp

Filesize
596KB

Download
memory/4864-2-0x0000000000AE0000-0x0000000000B75000-memory.dmp

Filesize
596KB

Download