fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Size

2.6MB
MD5

d02e40bfeaec6d8a92f1b336a5626237
SHA1

ee06e90b62584abf50c5c02b9b7624163be72a01
SHA256

fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad
SHA512

c6de7587fcc4347cf9d75718d8463840a4b60fe2615b87ba1a0763c109e2bd8142dccf334aec5aa1ed3d6af3778a90624bcb6f16266fc0ed7b870b24392feeec
SSDEEP

49152:b7747b777Jf/v/eA7F/DAw/Ci1SODfOl0XcVxY/Sd58p9+fFd:b7747b777Jf3/eA7F8QcODAEcVCa58HQ

Score

9^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\host_new	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\host_new	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec16.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ray.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.sweepsrv.sys.swnetsup.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infwin.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotpatch.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PavFnSvr.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininitx.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbinst.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JsRcGen.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLT.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssys.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe\Debugger = "svchost.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brw.exe	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1876-1-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-3-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-4-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-5-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-267-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-266-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-265-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-268-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-283-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-275-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-273-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-284-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-285-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-307-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-309-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-310-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-306-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-331-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-380-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-327-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-381-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-383-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-365-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-396-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-397-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-400-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-417-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-419-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-440-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-441-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-439-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-442-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-481-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-482-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-483-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-562-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-563-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-622-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-624-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-627-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-628-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1389-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1392-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1391-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1398-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1402-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1401-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1396-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1400-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1395-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1404-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1403-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1405-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1407-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1406-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1408-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1409-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/1876-1410-0x0000000013140000-0x0000000013746000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security Essentials = "\"C:\\ProgramData\\e0633\\IS561.exe\" /s /d"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\N:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\V:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\W:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Q:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\R:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\S:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\T:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\E:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\K:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\M:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\P:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\U:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\X:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Y:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\Z:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\G:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\I:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\J:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\O:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
File opened (read-only)	\??\L:	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "603"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Internet Explorer	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2164&q={searchTerms}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\Clsid	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	724	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89
PID 4440 wrote to memory of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89
PID 4440 wrote to memory of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89
PID 4440 wrote to memory of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89
PID 4440 wrote to memory of 1876	4440	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	89
PID 1876 wrote to memory of 724	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	91
PID 1876 wrote to memory of 724	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	91
PID 1876 wrote to memory of 724	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	91
PID 1876 wrote to memory of 4420	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	93
PID 1876 wrote to memory of 4420	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	93
PID 1876 wrote to memory of 4420	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	93
PID 1876 wrote to memory of 1092	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	95
PID 1876 wrote to memory of 1092	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	95
PID 1876 wrote to memory of 1092	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	95
PID 1876 wrote to memory of 2648	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	98
PID 1876 wrote to memory of 2648	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	98
PID 1876 wrote to memory of 2648	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	98
PID 1876 wrote to memory of 4368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	100
PID 1876 wrote to memory of 4368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	100
PID 1876 wrote to memory of 4368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	100
PID 1876 wrote to memory of 368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	102
PID 1876 wrote to memory of 368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	102
PID 1876 wrote to memory of 368	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	102
PID 1876 wrote to memory of 848	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	106
PID 1876 wrote to memory of 848	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	106
PID 1876 wrote to memory of 848	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	106
PID 1876 wrote to memory of 2844	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	108
PID 1876 wrote to memory of 2844	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	108
PID 1876 wrote to memory of 2844	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	108
PID 1876 wrote to memory of 2352	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	110
PID 1876 wrote to memory of 2352	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	110
PID 1876 wrote to memory of 2352	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	110
PID 1876 wrote to memory of 372	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	112
PID 1876 wrote to memory of 372	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	112
PID 1876 wrote to memory of 372	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	112
PID 1876 wrote to memory of 4760	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	114
PID 1876 wrote to memory of 4760	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	114
PID 1876 wrote to memory of 4760	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	114
PID 1876 wrote to memory of 1180	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	116
PID 1876 wrote to memory of 1180	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	116
PID 1876 wrote to memory of 1180	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	116
PID 1876 wrote to memory of 3332	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	118
PID 1876 wrote to memory of 3332	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	118
PID 1876 wrote to memory of 3332	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	118
PID 1876 wrote to memory of 2920	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	120
PID 1876 wrote to memory of 2920	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	120
PID 1876 wrote to memory of 2920	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	120
PID 1876 wrote to memory of 2264	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	122
PID 1876 wrote to memory of 2264	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	122
PID 1876 wrote to memory of 2264	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	122
PID 1876 wrote to memory of 880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	124
PID 1876 wrote to memory of 880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	124
PID 1876 wrote to memory of 880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	124
PID 1876 wrote to memory of 2028	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	126
PID 1876 wrote to memory of 2028	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	126
PID 1876 wrote to memory of 2028	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	126
PID 1876 wrote to memory of 3880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	128
PID 1876 wrote to memory of 3880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	128
PID 1876 wrote to memory of 3880	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	128
PID 1876 wrote to memory of 2144	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	130
PID 1876 wrote to memory of 2144	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	130
PID 1876 wrote to memory of 2144	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	130
PID 1876 wrote to memory of 3900	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	132
PID 1876 wrote to memory of 3900	1876	d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe	132

C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\1557.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\d02e40bfeaec6d8a92f1b336a5626237_JaffaCakes118.exe" "Internet Security Essentials" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4420
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt dd51ghmosbkqvvz.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
196B

MD5
6e86650ad96258b23f022605c5f202d5

SHA1
321290e91871cb653441e3c87ee8b20ab5f008a0

SHA256
8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223

SHA512
e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
383B

MD5
156eec8b9d1fc7f4f30d1b5d0f813118

SHA1
48a8837a52e0d77b4dead354e34da7d9c0f160cd

SHA256
2129ba636ff69bb26e10a219b1ca47bf46a1f918d4e08d58e02f3abedd7d6606

SHA512
797014406d6cb52f3a529455e86e4b1167c2173238c585b1978e4e4380877a3d33e1f0492241dd59750f4fa2ff30eb5e0a72251b3cbf7114d1f8e583d7692173

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
1KB

MD5
e650c59698a8eced584203e40b3a5487

SHA1
44727a064283aa9b2dc09efcc921faa442db14b9

SHA256
e61a7cc372796742ebd840a460d988a18dc5045357d997023495d1d69f2b091b

SHA512
ad72ec622c2d3494f495bbd68d942d78b4dbc63f195f9dd471ae1bb01a3d3d8d8516ef0e4980bb154763d6ed020abe6a9c03b8ee97a2cd54aebc9edd0772f22a

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
2KB

MD5
7902ed87abd679687b5b13a5b98ca734

SHA1
774e2f9289fdc6d83cb8eeaaa4c7c39623299408

SHA256
e40b7f57cf87c339edba39459803a93f974c9c2b8d8b5cd32364771eed4621b8

SHA512
ad196192d9f630cf992dcd333958a3623f901f06ac2bf664cc4704d4223e5d6fc5b649244d84204751e1020d84d90aad7846268e93eea5fc4be1e1e92c7abf45

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
2KB

MD5
f7ac09c61282644976458762bf5d4cf9

SHA1
667d47e2711f174c73b14e8cdfa2d4ef6055a993

SHA256
178513713193bac7e96746ef4637e7e5423216baf7298a9823c1430ff79fea7d

SHA512
b13e6495c97fff6ba26204fd75c4c66a96d9b07af18eac5dc7c0cf137bc2d2735f0e2f6f81d8f9530cf0b5d124a1542eac2ef8ab5615128041e1ad0737c8640c

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
3KB

MD5
19582d628d6849e612f304928ef2d5cb

SHA1
0dc60bafa78dae6e3088e32251681bdf549a1e48

SHA256
d90e6fc34d028cebf11b3176b7a3277491ee211a96c74eb765a92f140a804011

SHA512
4e1502ee389801ba7df2603a9082236def3fe0e288077cbcf5e5b490d0e022a91d069ad4e4996ed17d16ef2f3ca08c55b7c76a3b465b99be5d19e0f3cd918e01

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
4KB

MD5
6a90ed5c0b9d4ae598b8ba21e90e17d1

SHA1
caf36824e38a0e250175e478249f092bcf88160a

SHA256
b6315e1988af67ffdc08ed52d15a5d4206871e3057da42b912ecd7012b7a9a71

SHA512
e4813bd9d598067580f5d81dbdc08c18e1c944c0440ff29809e51e4bfb6e8be33d7dcac82fdc96bd91bbc718c0526306a534281f6900619c45f8ad0831b0e549

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
4KB

MD5
36e4a1ef161b94c8c6bae84b46334f9c

SHA1
cdb4865f398d89a95cea54334a586857d271b092

SHA256
e4ee5e9b187cad8c12715701fa6fb84af85aacb83367254fccaccbbdc71506c6

SHA512
6d6fef4c2e29acb39833999805556b105cc33f05cb44a41ca637994946a605509a5210c49936e0ac6518fe13a73e740a40f05961850387f16bce38fb84e13034

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
6KB

MD5
2e92c71925154a347f13ce2b46d5f380

SHA1
1158c34d5ce70a865b1034e4f3727b1f25a4584d

SHA256
ca016d11c4c7d6a4d75741d359ba1a4c750c101dd72e277d58ebf2aa476739be

SHA512
f3bbdb3b7a9ab7f7952983c2451367d1863898833189582af38a29be859892410ae668e864c88f3df2d9fe49c4b73cee4e4358e49a7c914f97fb4de2d7046905

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
7KB

MD5
99e53fb62fe7d75157aec4733eb01913

SHA1
1228da53c0654fd119c9d868641fe0b17954d692

SHA256
f1eb42aa323f540d44e765cbc4b0da4c7bcca7f116d131042bd848d03a323ae8

SHA512
b594d85b5b36cf219d5066f23d1e745274100ac1622ce5e2d96bf4bee14d8605741d80ce41b9fb0c9bf7762a753fb402324f914ce311e92e58ad473ab773860e

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
8KB

MD5
881ebf143031531b67dbee8f693fbc73

SHA1
f2fc7724454e22906b2adf2342c7d227ce95ecb2

SHA256
aa112eb9c3bf38096c4d5000c1b5e0e43657c464ac87e557e4469e65b266cd43

SHA512
aed9d973d80310e925de1fa31fae221528450b9087790cccab85e34609a0959e01f2d6579fd8aa2653e331a1f5327bb5e737ae5e51a9a69c8bdcd4da122daec8

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
8KB

MD5
75b6b16b75cd7e26e3acc979ea856194

SHA1
52ed736557143aaa975f7f4f3646b02dbae41fb1

SHA256
33bea0e6b45acaaa0a90114cfa8de06560cdb4621397baa3c754f0be3997a96a

SHA512
5979dc1f151f6315cd3f7f2b1f1aa78737799603c29b4164f3fa435867aa27216231a05b8de00ba0452dc4ebe0096c77e90cf32500f13e7cba650325e83d1225

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
10KB

MD5
cf5ebe4ed222e7cad215a717dd444fa4

SHA1
2dca48edbbd5a10b65ff5037f8966c06b6f3ebf4

SHA256
f41f00805db7d6b825b76e29e98b0cc6cf25d8953f2ab94fe517e1a80359f791

SHA512
be33fe37c46a34e83fbcc0867c610869196513e2f796ae9b3711af9c12e0f14fd7b696d7bb7bb493bc6ab623d6eef79a894e704378df0becaf1f8c97f84b3188

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
11KB

MD5
7b5f08dabe399290bb42e655ae4151e0

SHA1
fd29ae4efcff2f20dd0f9409ecc71fc5d5c880e0

SHA256
91a89723bf88e3cb6910f28e7c8d4f5e78e9145b7c00238d0dd16cbbd8e1aa7c

SHA512
95449e19a6559af98397425fc7f68783d608f747d4d03f46e72fccbdfe6b8da29840ffcf543ba45e7761d7e838a5343f91472b1ebd1bd269c39bff7d74021fb0

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
11KB

MD5
79fd302876bed5139228b51420e87972

SHA1
306c17ca7a28fc2a45947ec68fef61860d0a2e20

SHA256
3fc6b51820822136538f50e105dcba61f829fb53d31638f1fdbe667b015243d8

SHA512
36e4df40561e5fc1dbf379a36718e6d186da3a3558904c06470e89548c877a906fc48c77f42d7e5d63efee2dec15bc8bb85a5b4acd2eb2db515f438294395801

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
12KB

MD5
d0316ec0ff5600ab2d09aba5f6d289cd

SHA1
7f46d4eb38ba609d21b6cca39f44ae21956c1dd7

SHA256
4001575ef02e8aebd776d3c9114ad3492a97a5ec44cb7ab646568bda5acd4271

SHA512
a67431be30c5d8de11800a4815ebbfb3c6d18c130256a7d8c520beb34faf1116d6d1dfbd83fc8f7f639e715aea705f691c5c82ca5246db37a28c59fb7ddedd9e

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
13KB

MD5
7f3eea683ddc4cbc167021f8d73a2899

SHA1
da9a5a1d01262046a8f79d6a1e8274e8dcd2b557

SHA256
6074c09c69266904a8eea5d4971608600e06e3a7217099873c27bc8621d71f95

SHA512
6d8899e0fe6cce7d72b4d4b7dcf80d7501a3df0e11bc8e7adeeb9863da153b3e6d30195221669797a294883194cb34f9c67792d0ad3f137c5b39d10f0f4a8edd

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
14KB

MD5
b56be8e74e75157e689ea89fbfbb1439

SHA1
7a1df8250d34f3cb8bfcda2722bc708a14551f12

SHA256
aeeb1215c201a0588fbf70d840c4dc18fb1bcd1a39092f3ee681dedce325a353

SHA512
74082c22d9622205c74c41af120b05a55116c133b04cce3d32c63eb650dd9cdcd018ee067296826c760068bbbd9820ac08675daf79c1ee412ebb426a385dd53a

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
14KB

MD5
8b53d1c2674ec6656f85d6e931797ec5

SHA1
88b33a4583b10a4ab82ebf2b413f79eea81f204b

SHA256
2283c59fe8aaf0d2d1ed60511f9726336a6e0cfadd2497c51d525b1818ec2185

SHA512
5fbcd86aa6696e2f4193d3d0deb72f55a4f9770c96769dd6f652e54de534cee83837b5a2143db1ed417f1c6a5dbf3bb6b8a97b0b7cff2fb8271711a1ae54ea75

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
15KB

MD5
0a20f52add8365416f05a11914eff7dd

SHA1
6bf222fa7c8cfaac7d71e919387d14babc91c06d

SHA256
95bba33b4060fe09f1aaf1a3df3eeea253f4225f132f0cf15619727e40ed28c6

SHA512
9f62565979123fc604e860c5f63348afd00c27eb0cfcefd0b0073ee1e84a1c72e5db9db8340db396935a778e33cff24809368c6fe700fba580985e94fa092795

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
15KB

MD5
250d3c7f2752c15458e2f82002cc2bb7

SHA1
b52b4cc17a7b1411bc8f227f061eb21c718bb11a

SHA256
1289626ad6f36c4c8e68e0320cc9b1551041fefc4cb1b820a9e868f1a18fe5c9

SHA512
b3ac761548b38cee076a6432778170aa96a2b49cbd058200bc3aba9da9e7c8b1a908a985a1f0421cd976418ca5e7599606d75bb75907e4e6aaffffe44f4a8258

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
16KB

MD5
8253a46c66806dcbadf54ae67ab4011f

SHA1
f5814d962ad1036df4c27ba452f2877ed8e04652

SHA256
d7254322b55f9b4fad081ec3f78b3069f10f23f7dea2a52c9bb0a6c2053a21ce

SHA512
c1fe51007164153ca49ee53503536f2200d094f880045e7803cd6637cb90e42e82fd8b0b17527fce07cf143bb3ad9b61d172657a3318fab578a0a8e4fae7fcb2

Download Submit
C:\ProgramData\ISKGWDE\ISIAJBHFME.cfg

Filesize
16KB

MD5
e2cde759e21ec8155b8cf1fb2551cd7a

SHA1
d8c4f726c4f4405fb317b56b868f07d195814629

SHA256
a66566eac3ec3a51c6a2338880c496bf922e91f79516bd8579204d6d7f9d8d07

SHA512
266622236f2faf2d8a5eb2970281425edf4afed310add067f2bea5e463648c06c9accf9082bec93a5db863155653a1da21f33707da1a66dd084ead238a2da9db

Download Submit
C:\ProgramData\e0633\IS561.exe

Filesize
2.6MB

MD5
d02e40bfeaec6d8a92f1b336a5626237

SHA1
ee06e90b62584abf50c5c02b9b7624163be72a01

SHA256
fbc5366fa03db88deb0bce0cb92784e23dc14f5f01d72abf75698273c1b034ad

SHA512
c6de7587fcc4347cf9d75718d8463840a4b60fe2615b87ba1a0763c109e2bd8142dccf334aec5aa1ed3d6af3778a90624bcb6f16266fc0ed7b870b24392feeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1557.mof

Filesize
354B

MD5
fa519fd5ef9898152a14b517a0bb15fa

SHA1
c251aca894d31c04d2fe9a1f1198a820dae9f1f1

SHA256
bfe6e999511b585343adcfe42b4013ee5463b2c4fceb5f0b6b1840aa0d2a9719

SHA512
3c004f5f604ccfa576e5c9b666c930c7fefe4cdc8c1549c29d6e2609aab03a4abd22862bd3d74aa00ca66c75ccb327b9557940a8e48571e3b7f6b51c5a7c9454

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
4bd4a2f5a53339ca344e513a41a4b67c

SHA1
e47a1e5e7c97f20ce45d7369b234ce6d390f516e

SHA256
bbd0eec5bbeb3fab5f89003d6b2501e58eae66e76eab9919978c8f3c9af35068

SHA512
86930f3e6bbe522402fc3752bf205cd0e4ca50659af15d978b14d2d96caefc8a155388b3e0c74878733776699d96a3017e0ef67a2421920c586d1639c1713c86

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
0b3d6a30c8d289fedaa3b51262418110

SHA1
466c58d31b5fffdc7e9161310f1dd320da423e8e

SHA256
c46440d2c8a81ded5ceb0c58ca29cc1b40b4b210e6cf790b40feda168fee9324

SHA512
6f10495e06b2cd7fcdf0a86c17f3c12f5246b61b0061d3c555f3355ebf7bfd175d7b0d94ba8a536e43e55921b38959fd9ed1ec38e3de3bab5ea45355c0d4f575

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
825fa52d4a42512dbcda83677681fb30

SHA1
9c33d7630abfe1d026bfe38317ab8bddaaa36dd7

SHA256
5732d92e9d19e7f153f3e139f486b8d10a94e68c7508b791be3dad15fbaca545

SHA512
22168c1e277a3ce7ab485e2f948af2d75370fe2a60fea3ea0671b7c3ec9c9e580f0acc89162dd647e58e1270fb87cba06fec009fe1379df3a2868add16b08efd

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
6f662a855e71dcbd2cab6004ac41f137

SHA1
41ebb0735d6e53f8fb8d4af9703b5e629c032a8b

SHA256
f3d5dc592be57a8bbbee1ab846a3fb10e106a39a9c7a808c6fdf29ab4e8d5bd7

SHA512
82560fce5bf342f0d18bf5b10c3c01470a71b4d8d81fc6704771daeb84bf5d1e846c1d06c537739d468e10b39d643364d10f03d8cb7382311932af8a97f9e1ae

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
afeaffd3d073aa75e078ebab15bd862a

SHA1
9593f9c037d42d73437836358ffc9768f51fdf5a

SHA256
0ea6bd0ebc45733988e1130e42bf8437259bea28e76759139a92e4af0cd2bbf5

SHA512
4c8a27b1f1924bc283804e2c5b44c481ec2f6f626e53e577f1dc2db030c30c8c39b8e7cac03880823ebbbf1d9afaf6112e9bd4f89af42762f924788fbdb70e3e

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
7532b41bce721e293191d27973164f65

SHA1
dad952e2b93bb688d0435b1c34d0fb623746381d

SHA256
7aa24ae34879c95577d9e06c1888f8f719fa826e776635d2e4f57c093c59cf65

SHA512
43bf427523f7928828605152656c5aab6c24b7d4ed346e1c68ed7cbd9128cdac5f53aa82f1f51dc54d06282119992a056758e53b83ce49571a3e9cb6d34c12a8

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
38b0029ba06f56bf2ce8029247f6dc38

SHA1
09a228b5cbf0ebfa996374086a41e2f400338ba2

SHA256
3be11f6d33eaecf39398111e1268c0afa18c143fb9b271b794e2f5c5df39b637

SHA512
4ca4776e1af6503f2ec641082d4ccb62ae4e887c07bf332647caff13dd5f0d43d28a43c4a232c692cb7a8c709ee1bdabe3cafb2e4b73e3992c5c4452479d9cef

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
1ef90e16f89fada3ab137822e37978d1

SHA1
9bd180b3022cac1db7789f24a926494752ee9f3d

SHA256
d8b3ef9af1bbf36d074c2db7397edc1c833b124da87cdf29c9f426dc9af2c99b

SHA512
2a8dac564834a797c8393e2e2344d0600c62470cd41638f90ff6fcc2a71bccf72234436d604a73aae5229493035ffead970c963db620608b8b4ec6dc6057b31d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
ae1c35ad58242544ab6b550585908f22

SHA1
f5fe1b92e34632da705f3da9a82dcce296b60992

SHA256
ddfc3c7bcd1a9e3b9b4a60a8193ad3e304805ef1386d9f8cdd7e3c89b4053c1d

SHA512
1bbb6a90661b6c1c17a2dd3608c4a5c646020fd0d7abf1cb001d68398fdaed64a25e292fb4be98ca6f1c185aca87a69b4224cff2d4406dda99b90c6f31acae35

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
c293b8fcadb0e358e537244cf5ce735c

SHA1
f7635e7fa4d34901ccfa94434a524654cab62c47

SHA256
bd25ee346c844684209284c4dd209b64a737cf8c2bb115180013db56274b4bc9

SHA512
7bcf152253f92bfadd7ead6b294c98140d36ce37b9cc7b49da0093dd80877826ba32109622f659c90d8ce2c341d5327eebb5088e4ff062c8246df4a32f0d93fe

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
884394c06f0ffc322387b030a0bbef3d

SHA1
048f93ff8b2f54d38620a0752a861c9833fbbd5e

SHA256
aff4e386e2be4410ae68afb26c06b814b0d61aa4dd1ea5d76ae20007c3aced45

SHA512
942c16a919574544b8f19ee0dfd62712a4551bec482e7cdd5a9e68692808b403a21ff7964499e9a37e0eb4ff30de9b27e71efbb6ac3448f8fa0f8f663eff73d4

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
ad5b852c945915b19d13f67f8c640fba

SHA1
89fd5ba1e6ed4ac2b33dba03ad558c5aa63b029a

SHA256
2c8563c8ebc0dcd8dda2bfee9849a83f7a5fc5dc243d85739e12474ab0f65aff

SHA512
8b8fee2fb30bb9683d73fa45c9529050de3d06c06fad367862ce5eeec77593552a043e1e8ce9f56e0f392a770f681819068d8a6d472815144ebaad48ed960426

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d14338de25b1b3fb3625b39e0b79255b

SHA1
fabedd36d79f7db32a00c27f2ec3e2ea10aa5691

SHA256
6a4604cae894669a1c490ec52199bbf717bc88e8b8e8a662fe9580ed1330a1ae

SHA512
5ecef6a644e65ead1fbb2e4c9c9cf749ba29652b8ccc93ae33db928da8339a059368d75ca01d6e173c5c2048b61a2cd38a3350a8788b259fdb6a4d5e1775bd33

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
ee7476fe322ef2343741e4255b87ac49

SHA1
9ff126fd86ac4b39b656dae20b56f8f351bd99ae

SHA256
9763f8695df3fd54b36948aac4b224bc5ffbc6233ae62dcccdaf78212609c2c0

SHA512
42311acb8a974782d6851216a2879b8becfaf1918dc98a0d707ceb62dfcd7f517692cf2dc5e437710d5d67f844b3451d0ca9476f1757352b1f1640f993ab51fb

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
e994c35ef2dd63e1fcf8d06cf61cd5d9

SHA1
309f35778a0ff0967bb68748aae62eb2b614b870

SHA256
86558ceae57b3c81a224a1c48d68add517c2eb1743e935e8b6aa971da23c8c69

SHA512
b5cf3e5cc9efd5249eed94ae55d60ed51826d0478a7576cb87cd64f6453ce89713efca50b6d8a1e3f626210070931851bf9ecbc0de7ec7b38e9dfe6d86d6469f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
91f9b868216056c1e102d0ba937728d5

SHA1
e460c94c802196757347dd46512ee00b3153d7e2

SHA256
e711173580a949ab726691685168f73149806e8393b69479c02e657a897506b1

SHA512
e82a04ae8d699fa63093407c1e049cb73e714b155c544e6428cc78acdc121f890ca581a7b5c7bcc1c891fac2844f06bda81507cbaa1d2720a9e85a6c7f2698ee

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
2a7b33755c3f3ae88a5c6c7a54cc6e7b

SHA1
5fc94cab9afc24f563253e7d006da0b985a83d1d

SHA256
905a7067e170879ed15871d29cb1d317f514f6e0d283e3eb854acc24ac5e4076

SHA512
22f9a9177488c89d1de2504f9741dfe9714b609e7744c81ffa131eaa79af808428ff065577754514b28436e4abe1255f9aca04f2765b1ef92e27bac72c8dfaa1

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
6c6f82c83a648126bceb2663bf36a1fc

SHA1
d84fc4e121ca84327307b485d6b1f1f1a94d5779

SHA256
012055dfdbb6368a256e247c18990790800f8cb3c1161e1bd7ebebcfd35d75b1

SHA512
063b6773d3c446cab4cfebdffa6f8c98233652f388c77e2a89674a75094172046f8ba4392592d2d0b3e188924741c88559134456c1191bff7e3cdff0a3c81fdf

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
a776d3723dce29855473101dd5bf112c

SHA1
9db923da8621509e414f783e56220dda69db5a57

SHA256
fa32301dfb012440d1724e8824b920e3c4279242aadd99ee46f8b018e8d88dcb

SHA512
c1ead93f5761d051cd6cef327c9d1c24ad6258ada5e44fb28ef734f0ba92ebf3ed248020a3ff8da146ef5b388cb31b26840726df9dcdb3fd0963dd688835b681

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
06c3f890c2fa9a4b2e961299d6ed61b3

SHA1
b89bc064eb404e4c120586357463685e35cefb94

SHA256
6a9458d70f3bab1ec725616d1ba44252a3eacd9c895279547e5b76314cb81a64

SHA512
b08ac56abf2b2dbc927d2a8de599b71b388ab059808ef09af6029a8d0b9fc159548b9457c82762fa3dedfc08e43c38a4f0a50c37fdb85b5b97118e4e873db599

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d1c4491b05884036504aefaa028ff107

SHA1
4fcc6f8628394672d206ad33b2d682c8f4e9176a

SHA256
6556c916b50ae37a64c60130e97dbd2ff4ff9a43e10907935cba3694dbdb17f8

SHA512
ed61a10d63acef0d4ec9c2072336a47d8e291021ba7302a1fd7eb53a9417e05e4d209f2da11df4b91d3b71efcc8f27ad66eedb761cf10b5669332ec9552bf128

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d767e35ec5b2e8c587ac900b0ab6d1e1

SHA1
0a902c6ee0f101181d2c7e7b139178b6955ec04c

SHA256
4115383b7dbd91fe73f81d2a1d28f4f185f0541f0a0c8381472cfed73458983a

SHA512
ab95dbbfe02669d3a8e3eb479aeb8a2d4b8010ef3c8ae390c7b394433455347e9b20ff834aa2262314b082fa81279026348b21e3be2c4c9f0a804b0147697494

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
de56bc66792b437f9fa71af770d2329a

SHA1
fc1c2159e610d54ef3c50eb18d6e380bebfac9f3

SHA256
58b3e0ea3c338e3045ca44f2a4e49a58b12614ff9c5658960cf195d7806b0365

SHA512
459502fd2ed3fc237f4fc40f7165bf928832f58a464fe02eb293b3f52b200094d8fb5ecf33bf2886095c790e5ee3847a604eec4d1dc356b3e9cb1eba00c9c661

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
b36b8ce6487ffff6c6e5c16e751cd182

SHA1
9599fc864a30e5c6a0fcfea4a7d6dc955d666d56

SHA256
a2e3849061abc3f15f88d5fd41bf53cf24a88ed8d7dbe7f7646128aaea8c43bf

SHA512
3ba0b9115b42718632b65556b76633d652c49d2f27252f2840f74995332e8ab17e376a615fcb43c5d358d8219f7896f298e615bb48160031e467ac60c55a8a2d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
e44853b31f2f7c54085b4a5ea70e6a7f

SHA1
e41f7a497ae884be382ee990bada2ae74ec285e2

SHA256
c5c7c733309c172dcf9930763cb64bfe0b5b44b4830686e18fee02a9c40ffea1

SHA512
4c08728ea67306178455fa1cb6fe2da7e9fb73a79ad594d3682eeb57bb8a501305dcc0318f9b6a5cfaf095e87f22c2b06064e65e53cf9295310b58cccb63de56

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
dffc019a024fec54058cbf6d4b16eb15

SHA1
f938f3bba4fc6121f79b79bcd5e77c7a2ff90163

SHA256
b24d12ddd17533f3ca83bacc616060a9c9a04de4f560dc898f79fad40422114f

SHA512
d53dfa781a548447ab21b7c260c684ef2e7d819acb5512028e47af9b7a051acb1957103ba0867aab18518c7e71f883f37663e6e97b886b0a90353c507d8c1356

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
32e493b8fe63e8d918dbe1666e29b5c8

SHA1
f07e029551f9ee1f11fad5619cd2dc52f9010b68

SHA256
3fc5ee9a1cc08e01e90eff9b2d189bff11583dd58736ab08b5a1b4395db72ec3

SHA512
65c83e0f4ccea36b9d19a0bcd6ea8ee7f5bd383e8fa75ee16088673d0d483f0601517f4777838cdee9d204bcdad4668f0e91f7ea7eb6b4a43b67c89faad51288

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
46da0ae9ed32541ded4242c371b5ff1d

SHA1
1708c030f0a22e2ca547958c8209a687800b3db3

SHA256
2f6994cf7b0510e1d35cf1145c97505b541d6d785a3c153d819439000adca25f

SHA512
bba9ebd037622f914ace4ebe422f0168c2767774700b2c4e9e49ba3e10889aa8925d07b4b41e6a19e0a7d013868bea70ec068157b7ae62cef58742ff7cd17a8f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
c9c616bfe881c5d7460de7ab4612b344

SHA1
aee6737fa7355718e0edd4c27cf2a6d18d17a03d

SHA256
03338509bc6c07867860e817a0634088330df3836cded1f29856859563e9917d

SHA512
a8bc2e6064c77046411439517b173e9fb48415b77f6484837ed9dff9cb4a5831a8022e4d62493130ea601371b46601598298a36a31a285edcad1544d3afbe88f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
cd25830e674554c814b89f93552daaa6

SHA1
f285278eabae52b73cf848acf9b65aca38884d7e

SHA256
a1d91cf1d8b23e097d87f39c4a99fb617b08d2d7daa32112bd548c2b811a2e2d

SHA512
1dbe9a1635ec89e765c8b4b14d84ad6067bba63300baf38641cb3c550eb2c11bce418859c4a440136a73f6595ac27eb0bd7bca0117a0e977b5a21abb0e80db50

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
a34f04c6b4e047e439ab38041a362977

SHA1
3981130ada058ef1f98012e93e5df42c516e93c4

SHA256
b366c92cccdc86b30716dac4d77efcab7d4e9319efcf4279f543ef99200c4b12

SHA512
0a3fb71fafa1a2e5df15fa87dc298cdffb4890b6d6b1080cb4f6c019f349065243611b731a5fa3ef49d6a470d37218acf7d775e2751a0ed994f3db73214481a3

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
53be06f32366026fa18b5963a9b386e1

SHA1
43984579f087abdd5beb0c5ef7f4e4c5e188774d

SHA256
a7fb652bef100686c056f4fae86a46532cdd43fd60fb4505aea8ec8fa5b2e8a7

SHA512
b3befc698e6cbbdc3bb9ed474aefb0d5ebbf0404cc31a146a96349ae9bc6b8fdc08a93057df362e1961935eb010f008afd6c86f03f34c13464aaebb665d9bd6d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
e2b422a7123aa33eb4916363d10eb18e

SHA1
1e7a8716b5b420ae8fddfd966b29c473a8e8d473

SHA256
288109e93d4879022c450b2e08029863ed7ebb52ec145314fe98be47cdc78c69

SHA512
f9610c49d800ecd0582d6ad5856e9262bede4dc809aa511036bad186cd8bf75131b1e7e3378f42018b4b485a4e8a392873729cc3e0ad2956423fa8612b8adb9b

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
1123dd5d597678d215d8262237f8db65

SHA1
cf4e0339337a87a6df43a2b56c4374285b01e7f3

SHA256
584622baeda706d028e68c7da4f291519a9c1060c2171187eed1585267c5ddc2

SHA512
f9374508c1f06a5e50274f3a103fe967f55f22da40e32c35a698f84b5aa039445c0060e967cb58dd2b72e8587e6f4ec698a49d4fed0fdf8a15b508ae765eb10c

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9bbd72fe56e4b80997d4f8e8f4e606e1

SHA1
3fb93c0c9875cbef369fa32273f779910b9b3a46

SHA256
9e0ee8876fda4a285a4fc35ddfbd481496d58bee7311334e201e455546424230

SHA512
6f9328ed704cbc1e1d101389cce87c238811d9f27bd5369dc68e89c6933edc573b2b1baf1565e76d78c5450d555d574eb102a92b6f26e27c2f5180be10507f22

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
412cd93d0ab965d9e646736e891d2033

SHA1
7856dfe303bd3ee56fa2c6c7d8c8a3b4370a9b82

SHA256
e7f038c912a8503155fe4165b87a85f50c841ef15065021e5e2c338e5b155308

SHA512
10b2882fc1406f99c0780ea2a710871544eb66a84b55f56ce384f43d032f5a65549fc73e0b5499ba4363669977888bcf1bb8b3bf463bc004b86a8743e77012ea

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
5d57bbb1411bd55172a43ef249bb2f0c

SHA1
70d30d5b2489460357ffdddd286e2e619227b06d

SHA256
9767317d4b96fd391ee37e442e98770d56a9cba5eb088374ff832efbbc934f58

SHA512
16aa5865a21821df43909b46c0ad6ce61b60933da21fd5cd5ad8999a50041d3be6fd7482375c87a2e03b234e4b2697c903afb2786910a0718a06259f509ad8e9

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
292807d1114550737c0b9963b83a56ad

SHA1
5e8b5e83564e12975e6f6c5d7dbc2cf7e9db12dd

SHA256
3bf51ba15aa8b2ff2627acfec3c0adafcb6cc185452f81406ce828b60e4ef903

SHA512
381e5bd1ba1193ca2a3caf2cad6c6ea1b930efcf974134c3b056438069a00266321dd86ac856611b3d95e2ac8ba3cfd6eed16d1e99d76e829fa7b2baeebe06ae

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9bf355d0d45fe7e4fdd9341fe63f5892

SHA1
fbe2ef133b21bdde29573e71be9f49123db37f9d

SHA256
47e679d6839a89854a89bc813a8bb54118ee83b3b80969fab0a7bd8d0c08b990

SHA512
a2173e4a2e3c7e8dba05a85c2f1ac106b6c7c7907f0eb949771b0700604fed5068606523baa123c89ec28b967932813a5fc6771d85f3e7e1c3d8ff0bc8569c15

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
cc695c1e4a43696d505cd63b01c6633f

SHA1
d7753be70bff76fd05204d8ca4329fa6fd8dc09b

SHA256
d669489337002c04ffb75d681347629c856a78d2f8dc6a57397a1b29fd1d64eb

SHA512
a6ab002285ff93040d472015158cd3441a2e158fd9c33c92d259ebb222d8dcc5b17f63e8ecf0c71e668e2e9a165973b5acfd011d48be2cf48e15e461ecd22fcc

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9db431d7c57e1ecd38757406ab08b8c7

SHA1
275c23e9063085eb6f117074e63d430713d39673

SHA256
6f95b4d34f448752a95fd968a802176a4328eb562d14cf9920b3d41448998620

SHA512
b7b1d8ba15a0db617d3bbfcbe53e9362a49842185a2e5e4127c635ddc2932910bedc617d85af5fa8e32a78462af07f8cbcfe86a0444718405f2908603a736cbf

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
6455749a61ad71ce9c36b29a5fcb5224

SHA1
56e5e2721a11c497899a814abc68a1978d48f1e8

SHA256
94252a510e5c972825966b439d15579a16321d5f6369e56ce101bf18d1db3d94

SHA512
31cf325f05b31dae28f7bd1687d3dd3f1be223d63f91fe5b35565dfa7df6144ac0c7536841697c3c9a0c4bc624b6f592aad21495f7603fee9e1706a02f5b7949

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
46f16bd0f6781db2246f3e4d68bd5512

SHA1
b0a20a14e11f99d5733496f70efe0249c33d2afa

SHA256
4d83d5d30be8d37580a800619188e2d29fa2790858f6e6f0830654d0130a3796

SHA512
64ed28ba4158778eae710110f0794b220ba17d99d37654191ab12e93b6d6c630cdd28ab4e78de8f227df9a1c95a959f13a6e61550d4f60aed80af986e6c20d9d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
cf42b360541e1e8cc96b2ce6d5f8f751

SHA1
b1b2984311662d8d8cdf4ac701854f79219bff02

SHA256
be86bc77087410b516cbe084e9e18ecb00fa84f55a727b9c33e8e24456375e03

SHA512
7ae59ad0684ad1bde928a728ad7a3bcd63c0615afa60df87c3bee632a7bff1023ba486b769632544b6ee0670db8767d51a9679722f47f93dd2846ef75e633380

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
c2c2d63ee6389dc1bab430544095a292

SHA1
dc4ba89287d0c0e5556646872587f238dadf421a

SHA256
c0434b0b6dc2f9a3a42b1eb722dc498bc8f59ae906f145986d84dae02e35123b

SHA512
1b53b2d504ddccd7a95173f8835a4f48cba539300415d073ef4e98883388f5aa4debe94de109ea5efa5500f9480e1db7c7e121b2a204011818564a9bc200144f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
47939e5a09fc3dbafb09b4f1dfe860ce

SHA1
2cb1c323b9a51a1c89621ce0e9a7a2bdc42062cc

SHA256
114c46fa3cc59e92715809e4311fa4343c2ff33d0df53f9e5b63db001592f227

SHA512
1fdbaf85383c668adbff76150aa8837262a916738ae54e00eff0a7e26d31490a1a3b4c7e4d4e942fb5165cd7e582456ddc5076c0db0bbd93559d46038e387c52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
008fba141529811128b8cd5f52300f6e

SHA1
1a350b35d82cb4bd7a924b6840c36a678105f793

SHA256
ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

SHA512
80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
6169ddc3a6fd42f0a58b502229de0269

SHA1
109ce7bdbe1ffd8a7c3ecc3dfcd5eeacd2d7009a

SHA256
43d9333bfe8dcababf722309c6d1910984af576517c3bc893a8300e90b883bc1

SHA512
b5988819970071dd50e1836aa7749f8519232fb90c4297e515c3550d5cc8a6e3572b61a6d5f25567833869034d20ace1de5ec2b8f1a2ee64a00839038aed578e

Download Submit
memory/1876-396-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-628-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-627-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-624-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-622-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-563-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-562-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-483-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-482-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-481-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-442-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-439-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-441-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-440-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-419-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-417-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-401-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1876-400-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-397-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-365-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-383-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-381-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-327-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-380-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-331-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-306-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-310-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-309-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-307-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-285-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-284-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-273-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-275-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-283-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-268-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-265-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-266-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-267-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-6-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1876-5-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-4-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-3-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1389-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1392-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1391-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1398-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1402-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1401-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1396-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1400-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1395-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1404-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1403-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1405-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1407-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1406-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1408-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1409-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/1876-1410-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/4440-2-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download