fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Size

2.6MB
MD5

d02e40bfeaec6d8a92f1b336a5626237
SHA1

ee06e90b62584abf50c5c02b9b7624163be72a01
SHA256

fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad
SHA512

c6de7587fcc4347cf9d75718d8463840a4b60fe2615b87ba1a0763c109e2bd8142dccf334aec5aa1ed3d6af3778a90624bcb6f16266fc0ed7b870b24392feeec
SSDEEP

49152:b7747b777Jf/v/eA7F/DAw/Ci1SODfOl0XcVxY/Sd58p9+fFd:b7747b777Jf3/eA7F8QcODAEcVCa58HQ

Score

10^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\host_new	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\host_new	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnad.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\otfix.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscache.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupsrv.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfplogvw.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotpatch.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppvstop.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sperm.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswChLic.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sms.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-98.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JsRcGen.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixfp.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdl.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-3-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-6-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-7-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-8-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-249-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-250-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-259-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-265-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-255-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-248-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-247-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-266-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-267-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-322-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-362-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-363-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-360-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-381-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-382-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-385-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-383-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-396-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-399-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-325-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-320-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-303-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-429-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-432-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-430-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-434-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-489-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-490-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-491-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-493-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-492-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-629-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-631-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-630-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-633-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-664-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-670-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-667-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-665-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-672-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-675-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-674-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-669-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-677-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-676-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-678-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-679-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-680-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-681-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2944-682-0x0000000013140000-0x0000000013746000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Essentials = "\"C:\\ProgramData\\80986\\IS0bc.exe\" /s /d"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\X:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Z:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\E:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\N:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\O:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\P:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\S:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\U:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\J:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\K:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Q:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\T:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\W:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Y:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\I:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\H:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\L:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\M:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\R:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\G:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IIL = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltTST = "602"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\Clsid	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2928	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 1096 wrote to memory of 2944	1096	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2928	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2928	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2928	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2928	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2608	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	33
PID 2944 wrote to memory of 2608	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	33
PID 2944 wrote to memory of 2608	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	33
PID 2944 wrote to memory of 2608	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	33
PID 2944 wrote to memory of 2092	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	35
PID 2944 wrote to memory of 2092	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	35
PID 2944 wrote to memory of 2092	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	35
PID 2944 wrote to memory of 2092	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	35
PID 2944 wrote to memory of 2912	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	38
PID 2944 wrote to memory of 2912	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	38
PID 2944 wrote to memory of 2912	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	38
PID 2944 wrote to memory of 2912	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	38
PID 2944 wrote to memory of 844	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	41
PID 2944 wrote to memory of 844	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	41
PID 2944 wrote to memory of 844	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	41
PID 2944 wrote to memory of 844	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	41
PID 2944 wrote to memory of 2428	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	43
PID 2944 wrote to memory of 2428	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	43
PID 2944 wrote to memory of 2428	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	43
PID 2944 wrote to memory of 2428	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	43
PID 2944 wrote to memory of 1020	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	45
PID 2944 wrote to memory of 1020	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	45
PID 2944 wrote to memory of 1020	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	45
PID 2944 wrote to memory of 1020	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	45
PID 2944 wrote to memory of 1188	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	47
PID 2944 wrote to memory of 1188	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	47
PID 2944 wrote to memory of 1188	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	47
PID 2944 wrote to memory of 1188	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	47
PID 2944 wrote to memory of 2880	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	49
PID 2944 wrote to memory of 2880	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	49
PID 2944 wrote to memory of 2880	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	49
PID 2944 wrote to memory of 2880	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	49
PID 2944 wrote to memory of 1860	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	51
PID 2944 wrote to memory of 1860	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	51
PID 2944 wrote to memory of 1860	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	51
PID 2944 wrote to memory of 1860	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	51
PID 2944 wrote to memory of 1760	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	53
PID 2944 wrote to memory of 1760	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	53
PID 2944 wrote to memory of 1760	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	53
PID 2944 wrote to memory of 1760	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	53
PID 2944 wrote to memory of 868	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	55
PID 2944 wrote to memory of 868	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	55
PID 2944 wrote to memory of 868	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	55
PID 2944 wrote to memory of 868	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	55
PID 2944 wrote to memory of 2280	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	57
PID 2944 wrote to memory of 2280	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	57
PID 2944 wrote to memory of 2280	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	57
PID 2944 wrote to memory of 2280	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	57
PID 2944 wrote to memory of 1796	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	59
PID 2944 wrote to memory of 1796	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	59
PID 2944 wrote to memory of 1796	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	59
PID 2944 wrote to memory of 1796	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	59
PID 2944 wrote to memory of 936	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	61
PID 2944 wrote to memory of 936	2944	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	61

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2944
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\7174.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe" "Internet Security Essentials" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
304B

MD5
d53820d6822e312e477361597ca620dc

SHA1
87d5f65f947628afc46f1bd87b986ff23250897c

SHA256
db59f166f55e04a20d87e7e4648b9a36ec873b25342e0a1ee3c0297c1d2a8b8a

SHA512
396f98e6ecc75b21d159ee1d88bf7f9f719157aafd469b1e1eff3e3843c2e96eb271ef565db2157cba6bf5209b73310fc34afb6568706d1cfa5b8b2722e265de

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
383B

MD5
87d7b02e474bec2e90e735593991f992

SHA1
1af737b80ad4a9f668cc1d08f94c1b4cea587108

SHA256
a089bda8ced85d3bad9451d8a0fa39f0c692209d1daed06b284f6cd49b9a65f6

SHA512
752161f38083803306d1f6f0fd1c8960129c68ba551e88110ff30b625ccce16f48774a560682913eccffeb1c6bf371698b73fc82d47ec538f0f219b9ec388dac

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
601B

MD5
397705f2c7728316864c2af182cc6654

SHA1
3b04099eb16b03ba879295074a15c40758044da2

SHA256
76dbeeb209d32913e57e4ebf033b6c7afa4619bd104f15a1d0b5fe96c1004397

SHA512
2986c4b341adc699fcd7c8a724274e283c4dba6c163eb8b09d16f87437888c68bf652ed9b5d4e8aa3f5edbc42dbd865798401c1a9cb0e80bb1d4de2e34aeae92

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
913B

MD5
d9a815c730cc3f0bc826293bf5e147f0

SHA1
5c3d7d6cd09ba209d05243a901151f3902d852ec

SHA256
5c1e775a24a54fc0cf4633f29f61222b64d4a0bf524f59dcd091b4d8144a8e43

SHA512
643f7f09a603e24da05a4e038d1cdac745653b3e366d744696959435297b5dca73520d9ec3eae0e67f644c8197bd8b5f2bb05aeb18e9cc812a62fcb96cdb193e

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
1KB

MD5
189c52d558f008b976df4b146c5100d6

SHA1
1ca797cbd53664dd578b9eb1578dfef2ef25bed2

SHA256
b1958b41d84cf6fcdad96d0037ed35b58d9315ceba0331df0fb3a19ef0a63c21

SHA512
dbf7fb69bf06b5cfe01467611f957abf7521564c62f6f2b1221c6d3d6dafe5b28846b5c98c89c5088e35996e6cbb48190a2de02b28f383fc2dc4f8add94241e3

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
2KB

MD5
07cb18b7da9588942479400d81a8efaa

SHA1
1e70d36038829bd52bdc482e5ee8024de42f6fe8

SHA256
3b497467ebd579712ab088ddb87fc574ff7707862990f451bba3b337525119c2

SHA512
8bde9d028c08d3f727c36aba0152a3eb44fc069dc5d633a2a58f60d2d3ba1b674fa15be15e2409fe96e93e94c12dc8e5f22feb70c7a8fbaaf52bd18c04ff46a0

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
2KB

MD5
c2e76842c978bd2687b9b79ccac6577b

SHA1
526aeda50d3469e5e9e2c5dac1442f1ee7706868

SHA256
64936ecc7b2441d843f143ef0ecec0266d3a21fb596d72e941c634f75c4a381b

SHA512
267546b7497a75ea06e505d6c193b9c9780ceb60a585cff647b09c99897d1e2e4a6371fd9a6e32af37104b8f658cb8688e752ee52478880274cf3f748f220229

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
2KB

MD5
fa6fba97545b814b34577b521e5c21b2

SHA1
76ef77739bc782cc1763d3fb3aca45d7247fef6c

SHA256
b14d202ee9f11fd3610e34915841c06f6d7634210910bca95c19e28bb669c921

SHA512
51429abc0022c819d53b09fa936c0c0fae549e49121ffc8f2d22fd5d6d6ba42144d9d96cdea82bc397428c9606e96b7a48c5bfe748dd9c02c716c86fa44092ad

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
3KB

MD5
058627e7ed7fd2d875d14a085ff2d30a

SHA1
94803f58c3f56a8ead7d8f885a64a488fde15b75

SHA256
4632c7d50d8d4b8efcf88013b0378eb89c4cdc51e1367898b8165c369390bef5

SHA512
b5d0cc2d9ff8f523a19b5e10e07a4f86ee5e45eeaa0bcdc800c5898fedca3594595881c100a977f7147bdecb6ee5fc5fdec696734173c2487cd478a2d8886ce9

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
4KB

MD5
bc5be83c528fb8a0e7cb68c9d3a78cc3

SHA1
a554f92ca09820e439aab40759c4911ffadb2669

SHA256
bb91103c94f010dc6c9337cf8b0ce6f23c586a60b61099c561d4615409f8e565

SHA512
d579faf8d4d350100dcc3fce6c454d4ff74a8bac0a2f086ba189b87456bbfc6772879857d224a753b184064fc9f364c154763944872281e159ccdc00aec0fbf6

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
5KB

MD5
8ac5fa5709e099f8c594fa9b15c3589e

SHA1
9d47c3344a322373bfb9f4b2598614797289b565

SHA256
bdc1d86faaf66584efe6c8600eb5af60371310e4fc5b2b46f94568ab7ffd59bd

SHA512
a111f556f504e2dc398a48f327b84178cd7d4b6e524e9dc019d06ca7a6a5b7330c68ac3c4d9610094d90351ecebc22ea0c9b4c49f4c130e8aa9beab4aeb30308

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
5KB

MD5
4af8dcea69993c9ff350a2bd2158013d

SHA1
0b65d8a094dc3f494d7b155bb34d28cb805b0320

SHA256
71665c5a7fbb7d6ce6895b00e55d9a3a9a67827aa897551e9f8af46991377470

SHA512
b1f84b49c069606b62105483b1ddebd8b13cba1a629f12b5849d3e227a511f65eb38666f160a2d86585bf77ce45cdf8a8f81ae9e99867345d22d32859ea2c55d

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
6KB

MD5
c752493cc37ca7eff243f35de16595ac

SHA1
e8fc02de59d9e5bc37de9447879f19b3b1a5b804

SHA256
47c6980b867d647da5c817588f2978391ce21d18153228bb3278b76db825c834

SHA512
4844983f79aa2dc4b60d622d384247679678dc4397153c453e75739919f12fd27e44608e50255380fbf5e9f9b723bd0f704f42742ac6a9f277f84b6bb7660334

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
7KB

MD5
264ccf43154961487be8758a1dd8d622

SHA1
32d45bf486c6b0ce845836af08a7586ff7bdb1fc

SHA256
6a7af80b4f84acc0107f44912290068c9a10f9d8639aa5a257ae3f1ba5870d7a

SHA512
b3f795bc2b5f7e9f5057b65921fb07b1951b2ec13b108e17461153b811d951d9425da36bb35d1fc5a969ea25b387f0f5ec284197b1e1052e8088c070fc5e768e

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
8KB

MD5
f4b85a62fb9a08633f08b598528ccfd8

SHA1
1d778d5040fef493c0cc8a95d5286b3b8f2830f4

SHA256
a26b882414617aaf5bbfae8b372abbe67af125e57ebe89e1287d1595ad0d6442

SHA512
38843b4a6057973339095b64e47ed6bd665986959855a9cfb11bc0f7548f932a314e36fd78d768379a3f5b231649397505e4224c9aa4b8c0599d567620ee6b71

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
9KB

MD5
8c356204cfa1ef4e1723a98d7699da37

SHA1
edd4f8c9508d8d79e7f28c267a0a27933d5af3ac

SHA256
04379fe513ad57ffe864c850e5648c33205cbf93b644134efc30769a17903c30

SHA512
6a195dd61a336752cff81ed8056bbcade0c8220b01452d98ca28a65e6138641b89bce0aba468b285d38b2e8180ee1ca0dad63bcb34c41a945d657cd5e17260ba

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
10KB

MD5
70ec4708e7e6c6bf95d72d052e71f827

SHA1
7bbc9906d3206fe37e77bd926cdc6da799431d6b

SHA256
924651e7496eea87bd426a25367ce83968b3d7bd774e08fb74ad164f99339315

SHA512
891215c3d1ce3c783a78759086a559e549a546dab29c622444b41499b0c663fc6db3b7d9a27327df621f754e514ddfae20af5f2d5fba85aaa0f11dfde5b97cab

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
11KB

MD5
069bcc0bee4b0538f4246c85d6b9074d

SHA1
ca87e06362bdf4b406e6d8c51df92886372d151b

SHA256
f4ea8896d42d96850d9e263f7d6b2af769f1b42066064e02424274cdd3f2d81f

SHA512
1ec5a19fc2d912c00a809d62956b1e111895070bfca65f43934d00a68096926b13d2d19e42e6241dc1ac7fdf807f391099df5b4dde47c15fe963d2869e173e4e

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
12KB

MD5
9a0690b49b247c54361642e37a3da2d4

SHA1
0c0b56a40125d4296d5d8737911f8e051e4228da

SHA256
4be7ead2f9d429a76a3222dec629ed63f5469f2c8f5c74c0b8178b43f0d1591f

SHA512
7310caf50f5f9ed4129473df251fdd91ea80bc49bb904cbd8a1fcf66543ba234c3faed26ddf59528f47689cfd22531c67d3ebe28c0489e155e215363c535c516

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
13KB

MD5
9ab80ac07c8568439c86c089ebfddc36

SHA1
939661998babbdb28d0e3ae7eb2ddbb529630a88

SHA256
6dfb7ef76fd512f5ed0f6e94f9af837bf402072b853b787b46d0718693f71084

SHA512
cf030ab4d7c53a701361892dc3fb31e688dfe256fafea385ef655e3b21a0128294b465332aa262a90b260e2d2d0361edf7ebdd9a4fefaee90fb58a02e91c006d

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
15KB

MD5
894cd46d837a801b1b497f48a9cd86f1

SHA1
a0269d0dc18b27ceb300de83d07a14e950659ee0

SHA256
0ca79c5bf3de9c5009cbbfd41d667196609e73bed160b42473a510f57bada2a7

SHA512
300b834fccf946ef6ca1d789d49c032975d89f57f293065d26c7de389a150c0058606f6ea2246850ff80ac72e9f09e7ac4d1810e42fa618d8f592fb9b6a6e91a

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
15KB

MD5
f4578d17cb89a2ef3f4305d236ced6cd

SHA1
2d9585c7d092f3300a9b186cd11793a6a36336dc

SHA256
26558eb0bb1bfdf2814422ad465ea15a574d974246988df7015c2d69dfd210b0

SHA512
19407f57a6b674ef2fc53ed9bbb884c8d192a95c7b0dd408c2a9bf4298c0fba14ad345b40b0bbc147861582e7c651557203d927d4b35c98859085905fc8fd3a2

Download Submit
C:\ProgramData\ISAJMSE\ISNZOYQHZE.cfg

Filesize
15KB

MD5
144ff3ca8a07a4123a3df46a4b340b6d

SHA1
dbd394b300c9fa9515ee4d78e448179b4c66d848

SHA256
3cec5d304d28480e83825efe2c3dda7ff0f4efef85bb8a988a21cf927f5a13e9

SHA512
dd76f6e8902ede1063eda94dfd8c8748bd8ca3a1a93758e93d8c8cf5955206b39016e1e9b98d1b4bba8a03a2f5d1eec5dec3b9ceea31459e3b5569a41c6d8baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7174.mof

Filesize
354B

MD5
fa519fd5ef9898152a14b517a0bb15fa

SHA1
c251aca894d31c04d2fe9a1f1198a820dae9f1f1

SHA256
bfe6e999511b585343adcfe42b4013ee5463b2c4fceb5f0b6b1840aa0d2a9719

SHA512
3c004f5f604ccfa576e5c9b666c930c7fefe4cdc8c1549c29d6e2609aab03a4abd22862bd3d74aa00ca66c75ccb327b9557940a8e48571e3b7f6b51c5a7c9454

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1006B

MD5
29fb989ad4af25ca439bc6567858484d

SHA1
3be9db2d3302ed1b22d59f3e9efc7e1396c3f9fe

SHA256
04bb5af047d20da4eab57f87a3a679dc2d64984b18ddaaed4ae747301d73b23e

SHA512
bd1ccde84e140fe397faceeb26c6da5f4cb83c318c579176e8668680cb32bc0fe8a2afbc2ad4235f8428dc64e3844ad7b3a738f322f12d6223c69b6deacebeb4

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
\ProgramData\80986\IS0bc.exe

Filesize
2.6MB

MD5
d02e40bfeaec6d8a92f1b336a5626237

SHA1
ee06e90b62584abf50c5c02b9b7624163be72a01

SHA256
fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad

SHA512
c6de7587fcc4347cf9d75718d8463840a4b60fe2615b87ba1a0763c109e2bd8142dccf334aec5aa1ed3d6af3778a90624bcb6f16266fc0ed7b870b24392feeec

Download Submit
memory/1096-5-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/2944-489-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-7-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-382-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-385-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-255-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-383-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-360-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-396-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-399-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-265-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-325-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-320-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-303-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-259-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-429-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-432-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-430-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-433-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2944-434-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-250-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-249-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-363-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2944-8-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-267-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-490-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-491-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-493-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-492-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-381-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-6-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-3-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-0-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-362-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-322-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-248-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-629-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-631-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-630-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-633-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-247-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-266-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-664-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-670-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-667-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-665-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-672-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-675-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-674-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-669-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-677-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-676-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-678-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-679-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-680-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-681-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2944-682-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download