6e64fd50cb9d38dceb3e6100794f3c11e3b8a458f6265b80101f1d976ad5564f

Analysis

max time kernel
97s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Size

1.7MB
MD5

3ebd5f4ded0c75e7f67b3db28b84bf5f
SHA1

1d99ea9979a89332f83ee802e54e03a4db1652e1
SHA256

6e64fd50cb9d38dceb3e6100794f3c11e3b8a458f6265b80101f1d976ad5564f
SHA512

8b5c46ed3b3a8bd6fcd59aa662a26632d400780c5bbe7430752813a1a8f189028af1c22abb7a512533fa68fda4fdd007c16b89509d5407c22543371bf169d870
SSDEEP

49152:3X3cC99eprWnVNCLaZzCfB43ejbu7BqSXO5YytTEdg:nspprFL/4a6VoDES

Score

8^/10

adware aspackv2 bootkit persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mspcidrv.sys	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\mspcidrv.sys	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\msprotect.sys	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mspcidrv\ImagePath = "system32\\DRIVERS\\mspcidrv.sys"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234d0-213.dat	aspack_v212_v242
behavioral2/files/0x00070000000234d5-221.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4100	internet.exe

Loads dropped DLL 5 IoCs

pid	Process
2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
4288	regsvr32.exe
2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
5044	regsvr32.exe
536	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop = "\"C:\\Windows\\system32\\internet.exe\""	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D0903A3B-F0EA-434a-9742-98C5335C7946}	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\internet.exe.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CreateDomTree.dll.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IEHelper.dll.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IEHelper.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NTDLL32.dll.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CharSet.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WebPageParser.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NTDLL32.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\internet.exe	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NTDLL32.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WebPageParser.dll.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CharSet.dll.txtmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CreateDomTree.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\847145\internet.exe	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\mspcidrv.inf.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSUC2GBK.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\IEHelper.dll.zgx.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\mspcidrv.sys	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\WebPageParser.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSB52UC.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSUC2B5.TXT.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\hissys.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\IEHelper.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\uISGRLFile.dat.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\uISGRLFile.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\wpp_entity.txt	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\mspcidrv.sys	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\WebPageParser.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\wpp_keyword.txt	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\bk\skin1.GIF.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSB52UC.TXT.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGB2UC.TXT.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGBK2UC.TXT.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\hissys.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\IP.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\SHLWAPI32.DLL.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\wpp_entity.txt	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\allverx.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\bk\skin2.GIF	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\hissys.dat.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\mspcidrv.sys.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\setup.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\WebPageParser.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGB2UC.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CreateDomTree.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CreateDomTree.dll.zgx.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\IP.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\_uninstall	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\bk\skin2.GIF	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\regCodeMap.ini	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGB2UC.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\SHLWAPI32.DLL.zgx.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\sInfo.ini	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\regCodeMap.ini.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\regCodeMap.ini	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSUC2B5.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSUC2GBK.TXT.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\allverx.dat.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\allverx.dat	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CharSet.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CharSet.dll.zgx.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\internet.exe.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\NTDLL32.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\WebPageParser.dll.zgx.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\wpp_keyword.txt.tmp	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGBK2UC.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSUC2GBK.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CreateDomTree.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\IEHelper.dll	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\bk\skin1.GIF	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CharSet.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\CharSet.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\CodeConvert\ZSGBK2UC.TXT	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\mspcidrv.inf	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\847145\mspcidrv.inf	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\847145\NTDLL32.dll.zgx	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\CLSID\ = "{D0903A3B-F0EA-434a-9742-98C5335C7946}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\CLSID\ = "{D0903A3B-F0EA-434a-9742-98C5335C7946}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\VersionIndependentProgID\ = "IEHelper.BHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1\CLSID\ = "{D0903A3B-F0EA-434a-9742-98C5335C7946}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\TypeLib\ = "{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\HELPDIR	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\TypeLib	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\VersionIndependentProgID\ = "IEHelper.BHO"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ = "IIEMonitor"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\ = "IE Browser Helper"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ProgID	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\TypeLib\ = "{8899D7F9-C544-4bab-8CDC-D16C9D6B3AF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\Programmable	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ProxyStubClsid32	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ = "IE Browser Helper"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1\CLSID	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1\ = "IE Browser Helper"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\FLAGS\ = "0"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1\CLSID\ = "{D0903A3B-F0EA-434a-9742-98C5335C7946}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32\ = "C:\\Windows\\SysWow64\\IEHelper.dll"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32\ThreadingModel = "Apartment"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\CurVer	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ProgID\ = "IEHelper.BHO.1"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ = "IIEMonitor"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\TypeLib	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\ = "IE Browser Helper"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\IEHelper.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\TypeLib	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\0	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO.1\ = "IE Browser Helper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\CurVer\ = "IEHelper.BHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\ = "IEHelper 1.0 Type Library"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\0\win32	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\TypeLib\Version = "1.0"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ProgID\ = "IEHelper.BHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\TypeLib\ = "{8899D7F9-C544-4bab-8CDC-D16C9D6B3AF4}"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\FLAGS	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0903A3B-F0EA-434a-9742-98C5335C7946}\ = "IE Browser Helper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.BHO\CLSID	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8899D7F9-C544-4BAB-8CDC-D16C9D6B3AF4}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\IEHelper.dll"	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{900F9840-BE29-48CC-8A4E-ACAD94164139}\ProxyStubClsid32	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
536	rundll32.exe
536	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
4100	internet.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 4288	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	86
PID 2948 wrote to memory of 4288	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	86
PID 2948 wrote to memory of 4288	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	86
PID 2948 wrote to memory of 5044	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	87
PID 2948 wrote to memory of 5044	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	87
PID 2948 wrote to memory of 5044	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	87
PID 2948 wrote to memory of 4100	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	88
PID 2948 wrote to memory of 4100	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	88
PID 2948 wrote to memory of 4100	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	88
PID 2948 wrote to memory of 4812	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	89
PID 2948 wrote to memory of 4812	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	89
PID 2948 wrote to memory of 4812	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	89
PID 4812 wrote to memory of 556	4812	rundll32.exe	90
PID 4812 wrote to memory of 556	4812	rundll32.exe	90
PID 4812 wrote to memory of 556	4812	rundll32.exe	90
PID 556 wrote to memory of 1352	556	runonce.exe	91
PID 556 wrote to memory of 1352	556	runonce.exe	91
PID 556 wrote to memory of 1352	556	runonce.exe	91
PID 2948 wrote to memory of 536	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	93
PID 2948 wrote to memory of 536	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	93
PID 2948 wrote to memory of 536	2948	3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe	93
PID 536 wrote to memory of 3420	536	rundll32.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3ebd5f4ded0c75e7f67b3db28b84bf5f_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Windows\system32\IEHelper.dll" -s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4288
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Windows\system32\NTDLL32.dll" -s
    3⤵
    - Loads dropped DLL
    PID:5044
- - C:\Windows\SysWOW64\internet.exe
    "C:\Windows\system32\internet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4100
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 .\mspcidrv.inf
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1352
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\Downloaded Program Files\847145\NTDLL32.dll",Run
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Downloaded Program Files\847145\NTDLL32.dll

Filesize
405KB

MD5
a11f3270131a300ed63373e3967aa66c

SHA1
a2763e490b3eb3c05a497e97177302d79c66edb3

SHA256
e3c9bdb1995bb628a3869ad14f7da73acee0303857c3c7fb800a4f9d67f528e9

SHA512
8981a7b7205f279f075512e1f0a0ce7599d392b3323b3a325b12fcb841c702cdcf2a4a0f3956c00582471421f1ec7c5d862beebbfbb73a11e76ba08902f8436f

Download Submit
C:\Windows\Downloaded Program Files\847145\mspcidrv.inf

Filesize
2KB

MD5
e3bc0a6d0011382cbd78f76de9c64337

SHA1
a8fac2ff69aa438d0d2bef7949b02a7783a9e761

SHA256
8a99894441243e3b0340e3d835e29f91cfd1d22289c8359f9c0d6ca0f0f831c4

SHA512
1154dedb01e76ea2b77b37fd2ae10e756519e922969e986487408df15550846ecba606826a58fe3f78e99ee7874f63adc9535cb9ad0e12b025695252fd4e356a

Download Submit
C:\Windows\Downloaded Program Files\847145\sInfo.ini

Filesize
122B

MD5
5374512e180c60068ffff8c28393acd0

SHA1
36c563fc6f6262e8e300f79da18c77a479e735f0

SHA256
88df600c36228605e33c8bce47f1ba5de207e4842b14f7367b6f52a498c9dbdd

SHA512
f2d74d1dd2c10b2fbaf98ec4dda86357f7b13296dd80e39fc67860f2717c0ab70b1653bfe2f62b54e86f9b22c74d53662573191acf2c9de345ebf1b948cb5e82

Download Submit
C:\Windows\SysWOW64\CharSet.dll

Filesize
208KB

MD5
eb7b696154c5a2606e4380ed033b6933

SHA1
d2730d9c0db43c617a61a5a955c165321b112ae9

SHA256
69587c9ec06428abe8341db486df980cbc7f44db93dfe609b6dd740bc03b8eed

SHA512
9de806a59e925c1bf4a77cfdcb981548fa4d0767ef28335b47cc772ec053bc8f32b2e828b09a87e8648170af29cc9198c82eee6daaffb85c9a04b7fbfb55e333

Download Submit
C:\Windows\SysWOW64\CreateDomTree.dll

Filesize
308KB

MD5
8f0d398ee510dfe14d3d7c0e59f5a3f4

SHA1
5e98508c083ecb59d94657309d716d52d3188c9f

SHA256
fb823d0df53245686cc67f04aceca143b35a31c4009c2d850258ef7e30af6abd

SHA512
540ca0c8e453cb8552ca7ab062ee1284d7c708a3c0de74ee3d198fd7a2b778878be2628fcbd52764629b1addf6949ecbeca9194e1c0d7d8190c11f6cf6ab78e6

Download Submit
C:\Windows\SysWOW64\IEHelper.dll

Filesize
222KB

MD5
4a173f6aa173f8ded05abb044cdd5111

SHA1
8e7c54810fcb33acbf59d6f470e36ce22ef7ec62

SHA256
e62df5ec0421223c79497118bca5ac98ab5aa34e65052971b5f8925c6c28ed02

SHA512
ea91d6c697d38fe5fd2a8c1efd567be3eb23a1098bf000a1f540c879cfe69a741c44dfeff13efeb940990edab1daab34a5172b0548dec8f4e2e77c7a40511ba9

Download Submit
C:\Windows\SysWOW64\WebPageParser.dll

Filesize
148KB

MD5
c0c113ec59cbce8b7d1bd54524643d0c

SHA1
ebafebf8eabeb3c61c661933e8ef3f70c3bee4b6

SHA256
49daa3a5dc31b2f679bf0095dfa11adeead8817b3446ca3aed33a3ffec238917

SHA512
6c4fc79119b1dc0404368e018dbea5217329dbf28c9cf64bb7e55733ed686fd1bed42c5032fe71a5f01ccc31fe3289468b6a08e633f9cc0df5a91135883d86c4

Download Submit
C:\Windows\SysWOW64\drivers\mspcidrv.sys

Filesize
42KB

MD5
738583d7595c2755ec909ef2082f6c29

SHA1
4a21247df5bd8c1a6be5088c26b873312769d5a5

SHA256
d96375035779b3298a2dafd8cde0fa2bada8e39f04e23562f7e4b6c12763c5df

SHA512
4781998709364871d468cac318eea6d721051c01d028a1e650fc8b643121dde0ce4e33e0c31c2703828d3c5c5f7cac3d4d262815377d4c745fcba7dbec50beb6

Download Submit
C:\Windows\SysWOW64\internet.exe

Filesize
205KB

MD5
874727a18bc31a0e87b6624f1eae1c71

SHA1
ad617ab43fba11a7d716b8f548f85a26e1e4e47e

SHA256
61302fc6b0f2c26103ffca2c07717ff535701da905be5998ebfa8312ab63db0d

SHA512
da969db0d3a7a96b94a3d616fa14bb674b651cfca29510a338ac30c110e4ed7311a8ac7bc2c95dfa38a93a485985000762c973172a54862128c4464f7e228963

Download Submit
memory/536-272-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download
memory/2948-25-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2948-7-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2948-6-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2948-21-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2948-11-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2948-12-0x00000000025A0000-0x00000000025A4000-memory.dmp

Filesize
16KB

Download
memory/2948-10-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2948-13-0x0000000000CE0000-0x0000000000CE5000-memory.dmp

Filesize
20KB

Download
memory/2948-15-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2948-18-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2948-44-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2948-43-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2948-42-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2948-41-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2948-40-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2948-39-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2948-38-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2948-37-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2948-36-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2948-35-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2948-34-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2948-47-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2948-52-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2948-51-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/2948-50-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2948-49-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/2948-48-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2948-33-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2948-32-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2948-31-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2948-20-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2948-29-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2948-28-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2948-27-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2948-26-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2948-24-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2948-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2948-22-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2948-9-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2948-2-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2948-282-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/2948-17-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2948-16-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2948-14-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2948-220-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2948-219-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/2948-4-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2948-5-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2948-242-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/2948-241-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2948-240-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2948-239-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2948-238-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2948-237-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2948-236-0x0000000002EA0000-0x0000000002EE3000-memory.dmp

Filesize
268KB

Download
memory/2948-235-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2948-234-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2948-244-0x0000000000C50000-0x0000000000C93000-memory.dmp

Filesize
268KB

Download
memory/2948-294-0x0000000000C50000-0x0000000000C93000-memory.dmp

Filesize
268KB

Download
memory/2948-252-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download
memory/2948-293-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2948-284-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download
memory/2948-283-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/2948-8-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000000C50000-0x0000000000C93000-memory.dmp

Filesize
268KB

Download
memory/2948-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2948-273-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2948-274-0x0000000002EA0000-0x0000000002EE3000-memory.dmp

Filesize
268KB

Download
memory/2948-276-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2948-280-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2948-279-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2948-278-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2948-277-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2948-275-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/2948-19-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2948-281-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4100-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4100-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4288-247-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5044-255-0x0000000010000000-0x00000000100A6000-memory.dmp

Filesize
664KB

Download