35181b6699a30ad63ce8b9d4b5ae6805417c06982c3840cce8f7e2f267a1035b

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Size

2.3MB
MD5

93e8e83790318fcc53101b70e0cad00c
SHA1

f3a8583904fdafd1e625e0e7133d7c2a431041ed
SHA256

35181b6699a30ad63ce8b9d4b5ae6805417c06982c3840cce8f7e2f267a1035b
SHA512

4ffd6926f64083c68c080bdee209d12e2a62ef5337516aa0366cdbceb39aa53c85c3466ea378b2a52244e5f15c9603ac89c116a4e29ebeff10115332eb14bdec
SSDEEP

49152:0zTN42xej+czE83AJcaLh+YBuhxEFGmQkBWp:4TNTxS+cn3KLhxfFlcp

Score

10^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\host_new	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\etc\host_new	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shield.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mapisvc32.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dssagent.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmgt.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svc.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchosts.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blink.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsisetup.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emsw.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nssys32.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Arrakis3.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intren.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wkufind.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgchk.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "svchost.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/496-6-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-7-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-8-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-3-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-249-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-248-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-251-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-259-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-266-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-254-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-252-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-267-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-268-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-346-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-359-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-331-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-334-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-388-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-391-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-369-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-402-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-389-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-405-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-327-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-325-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-304-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-434-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-436-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-438-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-439-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-442-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-443-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-444-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-455-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-456-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-457-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-458-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-489-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-643-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-644-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-645-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-647-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-650-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-665-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-668-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-666-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-674-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-670-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-675-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-672-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-677-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-678-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/496-679-0x0000000013140000-0x000000001372D000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Smart Security = "\"C:\\ProgramData\\3f7b8\\SS33c.exe\" /s /d"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\Z:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\N:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\P:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\S:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\T:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\U:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\Q:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\G:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\H:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\I:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\L:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\O:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\E:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\M:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\R:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\X:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\Y:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\J:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\K:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
File opened (read-only)	\??\W:	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\ltTST = "60322"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2112&q={searchTerms}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IIL = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2112&q={searchTerms}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2112&q={searchTerms}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2112&q={searchTerms}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2112&q={searchTerms}"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.DocHostUIHandler	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Software\Microsoft	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Software\Microsoft\Internet Explorer	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.DocHostUIHandler\Clsid	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.DocHostUIHandler"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Software	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	688	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 3068 wrote to memory of 496	3068	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	30
PID 496 wrote to memory of 688	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	31
PID 496 wrote to memory of 688	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	31
PID 496 wrote to memory of 688	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	31
PID 496 wrote to memory of 688	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	31
PID 496 wrote to memory of 860	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	33
PID 496 wrote to memory of 860	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	33
PID 496 wrote to memory of 860	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	33
PID 496 wrote to memory of 860	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	33
PID 496 wrote to memory of 2676	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	35
PID 496 wrote to memory of 2676	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	35
PID 496 wrote to memory of 2676	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	35
PID 496 wrote to memory of 2676	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	35
PID 496 wrote to memory of 2172	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	37
PID 496 wrote to memory of 2172	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	37
PID 496 wrote to memory of 2172	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	37
PID 496 wrote to memory of 2172	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	37
PID 496 wrote to memory of 2416	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	40
PID 496 wrote to memory of 2416	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	40
PID 496 wrote to memory of 2416	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	40
PID 496 wrote to memory of 2416	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	40
PID 496 wrote to memory of 1976	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	42
PID 496 wrote to memory of 1976	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	42
PID 496 wrote to memory of 1976	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	42
PID 496 wrote to memory of 1976	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	42
PID 496 wrote to memory of 2104	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	45
PID 496 wrote to memory of 2104	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	45
PID 496 wrote to memory of 2104	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	45
PID 496 wrote to memory of 2104	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	45
PID 496 wrote to memory of 2512	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	47
PID 496 wrote to memory of 2512	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	47
PID 496 wrote to memory of 2512	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	47
PID 496 wrote to memory of 2512	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	47
PID 496 wrote to memory of 2128	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	49
PID 496 wrote to memory of 2128	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	49
PID 496 wrote to memory of 2128	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	49
PID 496 wrote to memory of 2128	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	49
PID 496 wrote to memory of 2628	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	51
PID 496 wrote to memory of 2628	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	51
PID 496 wrote to memory of 2628	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	51
PID 496 wrote to memory of 2628	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	51
PID 496 wrote to memory of 552	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	53
PID 496 wrote to memory of 552	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	53
PID 496 wrote to memory of 552	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	53
PID 496 wrote to memory of 552	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	53
PID 496 wrote to memory of 2152	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	55
PID 496 wrote to memory of 2152	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	55
PID 496 wrote to memory of 2152	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	55
PID 496 wrote to memory of 2152	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	55
PID 496 wrote to memory of 1388	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	57
PID 496 wrote to memory of 1388	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	57
PID 496 wrote to memory of 1388	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	57
PID 496 wrote to memory of 1388	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	57
PID 496 wrote to memory of 344	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	59
PID 496 wrote to memory of 344	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	59
PID 496 wrote to memory of 344	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	59
PID 496 wrote to memory of 344	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	59
PID 496 wrote to memory of 1876	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	61
PID 496 wrote to memory of 1876	496	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe	61

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:496
- - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp "C:\Users\Admin\AppData\Local\Temp\6132.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\SysWOW64\netsh.exe
    netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\93e8e83790318fcc53101b70e0cad00c_JaffaCakes118.exe" "System Smart Security" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:860
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt wyaf374ooxaeltbd.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3f7b8\SS33c.exe

Filesize
2.3MB

MD5
93e8e83790318fcc53101b70e0cad00c

SHA1
f3a8583904fdafd1e625e0e7133d7c2a431041ed

SHA256
35181b6699a30ad63ce8b9d4b5ae6805417c06982c3840cce8f7e2f267a1035b

SHA512
4ffd6926f64083c68c080bdee209d12e2a62ef5337516aa0366cdbceb39aa53c85c3466ea378b2a52244e5f15c9603ac89c116a4e29ebeff10115332eb14bdec

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
196B

MD5
6e86650ad96258b23f022605c5f202d5

SHA1
321290e91871cb653441e3c87ee8b20ab5f008a0

SHA256
8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223

SHA512
e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
306B

MD5
c9f809643d46662c4580c1fde3f0892b

SHA1
80bb6e4f77d2038f532f6ec756fb0dabdd5377a2

SHA256
a9d9c922be885073ef972876a25e91ffdd1a851b37e0f709a31992d912b4faa2

SHA512
abaa44a1e327a3fd4d48267f3264c20538041d72dbd1595b3914a9554de3367f484f0f9abf5c9dad69cc3f5788a7e93adbad98f9073e35dae0a0690ac6801a37

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
385B

MD5
52aac256783949db06e24ef9692d2ce3

SHA1
74e3ff8b1b0ad99348a8deda94d5222af3cfe8e9

SHA256
f7d6fe573d822b180e48895c091326cd63e89c7a03fb2ab449aa34b008a256b1

SHA512
27b0934bddb37033cf14b2fc8fcafb9fa9f95df37b65e45c2cec8f36998c73c6cc113605c3d8c23c86bcf43c714178ab1fa160a4aa39479aa9263217c942ccbb

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
915B

MD5
3acabb060e0caed9b02066c0ddf7b0db

SHA1
54ef9d554af58a72b214752ec215b83d2b6f9272

SHA256
562a4d53917b63190e95997e118e6ff4b49a531fc45a7affd2834fe59f7fa386

SHA512
385ce69c5e3fb68f70bbe41ae350abe48a0f0785a9f93c6367609ab9a6b4c5c5c7f5806ab3c2d3b4e47466a07e58e39e399373681eec6136ab6813a78da5e39d

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
1KB

MD5
a70f2f66e22e6de768bbb03e27cbc010

SHA1
4bf42a47cfe7434bba1017aef36446c308ea2f2d

SHA256
db613d315575277fd8e472f99cdbfb907d4cadbdbccf64823a10dc5c0a51916c

SHA512
25ef95f9c50a8e082b28f81dd146b1a937d944178f59ab76ca8616e5853ae99c5dee48f8f0da73a6a8ab1dab0814be8fe581a159b10ed02dc3c092672214817b

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
1KB

MD5
a9a40f93970f46d41f3cba98c812d529

SHA1
77019d2d6e5eaeb116d0a2970f8aba37a81b89e1

SHA256
fac0a6f886a8b74118cc01f86425a7333f32608c78c23954d46d4d3855b7c780

SHA512
804380e0920cf9419dd2f1104eba2d7f259842914a8e12898e38bc1411ce949e3aad4bb6cfc8d94c6ac562fc2f699e2af97be650115f9d5807767edeb4b4a0fa

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
2KB

MD5
716677a3f083ff10a1a195df8a9c7001

SHA1
ffc46b5b11e64eb4599b417214dc8927a149e472

SHA256
2d59513748dd69547a5e41ebf4a9b0eba2613b7350c92c5fa8858b3ef7e4efd7

SHA512
11347a38c3b168346b6cd16475d780193fc02add18002363c9af9f9135649f981a502c466c6c9bd39f3dd8cec123ce93438d1bbe40fd1f51c41c3fdca440e175

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
2KB

MD5
68cbfeb20e4413934940bfd306f01c01

SHA1
03152e5d821f9484afc9341bca22cc39caedc858

SHA256
cf9e73e94fcb53e2d8a943230401e513ffc033d7da543a07677233417cc7069e

SHA512
59cdc3c148d29dc1af4a5b441a3e21532486c5de4b3337959dbfcbff8bcae8b29665d214347482e1d2d872ddf2d1d79bc92e848fb97083de7bf9cc5fd2a8ef43

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
3KB

MD5
fc254325bbca91113c12dc2345f85c6b

SHA1
eab0b9c653059e37debd4daae25111094b37fe08

SHA256
e7ab2febc910414ae727b18669d58d81a7a7a28a6ed206117e4b2190ade09d52

SHA512
850521740584689f73e80c61a0aa8abe179e0ae14a56d5a01444e3d6c9f2fdf6674101fa178455a67acc3242f6bc850db5fee5166d45cb4c67aa3d22d1c2af29

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
4KB

MD5
51ab6f3df92f341afdcbc5169612137e

SHA1
023cbf372b008e539e9e6b372883a0e95b46f399

SHA256
ca4625daccaa17a6dfb53d1940b685069b40f40528ef22d7cf9c486ee90b5f2b

SHA512
f5baaedaf674718a29419aa3008949d48850657679649909ee8cb68f6996d02a7a9c6191f4bb57f100b91a4480059cd7550257ff512dc740d1318bc3121f44a9

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
5KB

MD5
c372c1af9aa255336f3f16de767f43e7

SHA1
8dd0396a47509bc55a55a35dd266d0918da8287c

SHA256
3cf3a6e59b6f6e8cb256c6a79e8737b11ea33fa110a94b7f27f7d7f8e54e8de3

SHA512
fa8bafebf1c1d28e1755d6dd1b2eac19b1c9557856bd88c7b1b2224adcb77fd6b1f28b863846c069f14d7862f200f983260cfe25ee889a07dbeb4e504e2a85a0

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
6KB

MD5
7ba0a162e8cb66b3b49ee22c73b9922d

SHA1
7f57395ef5206d44cffab48e50cbdf80fc0e49ab

SHA256
ef718040716cecc7391bd62faad31c583c1d924fd957e28d1dcf05c986db9306

SHA512
aca47515d024e07f7fb8d18aa92ddec2679a04291c1d03df2d53b2e2c74f6ebfd5bdc5c2f683e13d05b2aca2eff879fe554a7889aa9e4287850c22a7a6594010

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
6KB

MD5
c7bb6b49812f527144887ffffd799498

SHA1
5579a8584b0b7496d8a0e8bf0417194bd77caab9

SHA256
71f4d62293e426209234009e8a126b2ab18e939852ce6a1e11481f5d61a21ec6

SHA512
4828bd6e4b1e56375373619837636bc3e545dceaeca2f330a436c4ed15cc9c6f82970ad24bfe67cd8eff4e9ed9044d7608189b972a6c02a5101adff586ae177c

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
8KB

MD5
93640e923a716183f46ae0d3acaa8182

SHA1
3186760f902e496937b65c1c59cc1ef638a304a2

SHA256
52bd2acb7ded4a1fa5f8539891bb0a8a57de3ace079ce62d6bc5e6b06f0fdb9e

SHA512
3ecb8814901ae4c5ce1bbb3355c93eb92b137fe437c2aca3c05d4ae755ccbc3d248ead4c65618db55df904108981ed11b46f2c6fc86ae08d5f39cefd7ea4a9e7

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
8KB

MD5
2a7ecd57da6547b6de5e1e0428fe59e1

SHA1
1d8c4d0ca4c79df4c1544886023c3f0ad9325c11

SHA256
6ef34a0504c71bd39c681d5c8c53f617b5666466513a89a805c2f4495d2de75e

SHA512
ece66925641c0e3cb0a27082de5bb46fb0d47362781ad5b3b6b867ec1c3af03ec6beee96ebc09cef5f06be78ca54ca3f44852c23309adf171a6c4e88d4e9919e

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
10KB

MD5
39296bdbc19b9e7c33ad8f6bb1ced167

SHA1
25b92d636342f777f1d2415c4b8b9815b3b46bd3

SHA256
102465fb687901970217f55061807c248336dc45306682dd6037cda541ece33e

SHA512
7447e03d326ac74e86d4b1f0aa48b8fe87e7c1fab04cd058696323355408d468d635b616455e3659da3aa2a58359c89630d4ff63dff38cba122392394f7666b9

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
11KB

MD5
05c7294bfdd7fc14b56ed14ea0eda557

SHA1
587baf0a835087a5c4a54ac2648bb64bfa03fc25

SHA256
572e788b1038295a048d088f8c7765414c01720bc71d8115ce388878c3f781a8

SHA512
2b36011ced342a4acc117e0052b419af50a6d3322991698c9ae53baaf2fd794b0bf66ad7dc392e72ba3c6e335fe936e6c9b860a6d23790df85197a14d7427cd3

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
15KB

MD5
0cef9e0be1a464951ccce8b366f2be72

SHA1
5d5ec546f22c2b180e1d12939b30c222e1d86ef5

SHA256
856170e9a8d9244a2d45f914fb13cb1e681ced375a37ad77b04b2ca3d2a6d4c9

SHA512
c6186efe5be6e9ae7fcc8e10d18a5e1df33839c5d84bf7c9c2b424e143a63e58d80df15d3c4b62741a2d4b28772d1bbc3f9389ad05491f959f4fa2d8d536a521

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
16KB

MD5
e61b68a3816cfc063684e1145c359d3d

SHA1
af0e7eeec027f3d59bf7ef2a3ee12ffaa1719235

SHA256
963c3c9b05b0e1795bb8337da0e5a33bbd430d5e7699bb126ad22eeef74ca0c0

SHA512
275a8d2ef96092fb136ef458b245fd033457d04690aab67a5085a77daac82e2405f3c60b918bf673b557342e8b5a54259ce5bced249ff5c8f0527c3fcfb6e28d

Download Submit
C:\ProgramData\SSYEANMFS\SSEECS.cfg

Filesize
16KB

MD5
29cb6a8ce11659ec5e0be68603ab6599

SHA1
569c87f074e0302ef669883f87d0d6be323e591d

SHA256
0178c3d028b5641b05eea608194359ab08fae436b0fd057af4f611504a7db4a5

SHA512
1ad149f46cf05df8962f078dd7d4e667a8e0426134105e4a291a93e6dbbc82767a39d06267888c3d20e7764af7dfae6fe42837bde15e1ec7317cb607c6eb80a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6132.mof

Filesize
340B

MD5
d37b493814e9f43c0d7a9461b2bf6315

SHA1
045d3cb6cbde9893d670d3c1742ccc1f6fff0387

SHA256
07acf96a1e3f0474c5d6a9e51dbf26967a0328186b382fdc9bbeb702527277ad

SHA512
fb4ca0ecf430ed14b401eb54ba01276c4d9592c51a2e4daa8490593f06c768ffa867107bf86f56a66400078239c98f5218c4c45bec2410b70216df9d8a82bc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uj06vnfd.default-release\prefs.js

Filesize
6KB

MD5
ee4d88d21ba7fe0afc055ea3d7445a2a

SHA1
d72852a284e3475e0454eef3319f8f921a51595a

SHA256
bdc2b3afab01297c2cd86f850b5367a6ddd50bd3e4aeb4b869d0be0764eac283

SHA512
1c4e3da4d968049a96fec050208f07b45dd7c9aec64be7efd14235b2aa9c735945ea29b68de33500506e8609c9e8c505d7589393bcdf29b8526c430584404584

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
memory/496-267-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-456-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-334-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-359-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-388-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-391-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-369-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-402-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-346-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-268-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-389-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-405-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-0-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-327-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-325-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-252-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-304-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-254-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-266-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-434-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-435-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/496-436-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-438-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-439-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-442-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-443-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-444-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-259-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-455-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-331-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-457-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-458-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-251-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-248-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-249-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-489-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-9-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/496-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/496-3-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-8-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-7-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-6-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-643-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-644-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-645-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-647-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-650-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-679-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-665-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-668-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-666-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-674-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-670-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-675-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-672-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-677-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/496-678-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/3068-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download